User Authentication

The final piece of our password machinery is a method to retrieve users based on their email and passwords. This divides naturally into two parts: first, find a user by email address; second, authenticate the user with a given password. The first step is simple; as we saw in Section 6.1.4, we can find a user with a given email address using the find_by_email method:

The second step is then to use an authenticate method to verify that the user has the given password. In Chapter 8, we’ll retrieve the current (signed-in) user using code something like this:  

If the given password matches the user’s password, it should return the user; otherwise, it should return false. As usual, we can express the requirement for authenticate using RSpec. The resulting tests are more advanced than the others we’ve seen, so let’s break them down   into pieces; if you’re new to RSpec, you might want to read this section a couple of times. We start by requiring a User object to respond to authenticate:

We then cover the two cases of password match and mismatch:

The before block saves the user to the database so that it can be retrieved using find_by_email, which we accomplish using the let method: 

 We’ve used let in a couple of exercises, but this is the first time we’ve seen it in the body of the tutorial. Box 6.3 covers let in more detail.

                    The two describe blocks cover the case where @user and found_user should be the same (password match) and different (password mismatch); they use the ‘‘double equals’’ == test for object equivalence (Section 4.3.1). Note that the tests in

use let a second time and also use the specify method. This is just a synonym for it and can be used when writing it would sound unnatural. In this case, it soundsgood to say ‘‘it [i.e., the user] should not equal wrong user,’’ but it sounds strange to say ‘‘user: user with invalid password should be false’’; saying ‘‘specify: user with invalid password should be false’’ sounds better.