Building Authentication from Scratch - Learning: Elixir (Phoenix Framework) - Part 4 - 28-02-2019

Captions
All right, welcome everybody, welcome to the programming livestream. What we're gonna do today is work on the app that we've actually bootstrapped before. Actually, what I'm wondering is, can I make this even bigger? Yes I can. Okay, let me go back then and switch the font settings back up, so let's make this like 16 or something. Sixteen should be fine. Is this readable for everybody? This is good, this editor is nice. Is this good enough, readable code? Right now we're chilling.

So what I've changed is I'm streaming from a main monitor now, which means that everything is high resolution, which means that on stream everything might be a little too small, but I did upscale everything, so I think the only thing that's a little tiny now is the GitHub screen, but that's, I guess, fair; you guys won't be looking at that too much.

It's been a very long time since we actually bootstrapped this project and I don't even know if it still works. I don't even know how to start it up again; I think it's mix phoenix.server if I remember correctly. Then it is correct, and this is basically the website that we built. So this is just the Phoenix framework. For those who don't know what that is... oh god, I'm searching for Phoenix in Google, that's not great. Phoenix Elixir, which is just a web framework that has a lot of cool stuff inside of it, like WebSockets and real-time data and all that, so that's cool, that's awesome. "A productive web framework that does not compromise speed and maintainability", exactly. And I really like the way this is set up, because it really drives you to build your application using domain driven design, which is pretty interesting to me.

Welcome, and welcome CAD, welcome. Well, I already said hi to Zen, but who else comes in? How's it going? I'll text you, don't wanna spend... Boys chat, sup. It's all good man, it's all good. The boss employed some sarees. Sup J, how's it going? Thanks so much for the host, as I said earlier, and you're 
doing... welcome to the stream as well, Stop Richie. So how is this set up? It's also a good reminder for me, because I haven't touched this in a very long time. You have multiple domains, or not really domains here, but you have multiple outputs, ways of outputting basically. So you have your normal lib here; inside lib is basically your entire application. I don't even know why we have a web here, by the way, I don't know, is this... oh, this is just an empty folder, okay, that's all right, let's delete that. It sounds like I'm really confused, um.

So inside lib are your main libraries, like your main application. So here, as you can see, I have a folder just_rock_cats, a folder just_rock_cats_web, I have a JustRockCatsWeb folder and a JustRockCats folder, which is basically just defining the module. So that's great. Here's all the web related stuff; it is basically just setting up the JustRockCatsWeb domain, which is just outputting, and it has its own folder structure inside. JustRockCats is like your main business logic that is gonna be overruling everything, whether it's JustRockCatsWeb or something else, like, I don't know, another Phoenix application that does something else that is not related to the web. So you have all your business logic here, or maybe another entirely new web application or something that is completely living outside and you want to separate that. I couldn't really think of anything what that would be, but here is basically your business logic that can be spread around projects. You know, this is like your core, your core business; if JustRockCats were to be a business, this is where you put all your important logic. On the web side you obviously group all the web related stuff, so if you have a website you just put all the websites and all the URLs and the pages that you're building and all that, using that other stuff. So, an example: 
if we go to my website here... oh wow, it actually doesn't redirect to the HTTPS version, that's something I have to fix. But we have a playlist section where it shows what the current playlist is; I haven't updated it in a very long time. I have a dashboard for this, but playlists for JustRockCats is kind of its own domain, you know, it's its own business logic: you can create playlists, you can update playlists, you can set a current playlist, all that stuff is pretty important. So in JustRockCats we have a playlist domain where we can say, if we want to list all the playlists you can call this and it will get you all the playlists, or you can get a specific playlist, you can create a playlist, you can update a playlist, you can delete a playlist, etc. So that's basically inside of the JustRockCats domain, which means that across projects I can basically update or delete or whatever the hell I want to do with playlists.

The idea for this is that we're gonna migrate all these parts of our website to this new platform, because it gives us more features, it's faster, and it doesn't take as much memory as my current website does, so it's a lot more performant. And what I think is also a really good benefit is the fact that with my current website, if I have to make an update, my actual website goes down. So if I were to make a new version and I write some new code and I add an extra app or something, my entire website goes down for a couple of seconds and then it boots back up, which is not acceptable in 2019. This is ridiculous, you should not have this currently. When it's 2019, if you have a website, it should at least do your thing, you know; whenever you push code it should make a new version and it should slowly, gradually move towards that new application without going down. You just don't want to be down in 2019, I think that's just unacceptable. So what we're gonna do is we're gonna slowly 
move away. I think we already set something up; I think we already have set up a playlist thing where we can create playlists. So I can create a new playlist, "Bob Ross's playlist", "really cool, it's an awesome playlist", that goes to google.com. Awesome. So you can go to a playlist, we can see the list of playlists right here, we can delete the playlist, we can edit them, we can show them, all nice and dandy. So pretty much exactly what you would want to do here.

The thing is, though, obviously when somebody goes to my website you don't want everybody to make playlists. What a surprise, wow, someone has gone sub, beef. You don't want everybody to come in here and just create a bunch of playlists, right? That's unacceptable, that's just not how we do things here at JustRockCats. So what we're gonna do, instead of having this just out in the open where everybody can just go to slash playlists and create one, we want to only show the playlists to the outside world, and creating is gonna be part of the admin panel. So if I go to my admin panel here, you can see that I have to sign in first, and I think I can just sign in real quick, let me just do that. Sure, I think it says... hope so at least, we're doing it live boys, we're doing it live. Oh, we're logging in. So here you can see that I can manage all my playlists, and if I update, for example, I'm listening to this one now, I can go to this one and it will show up that we're currently listening to "purple is hot, best of the best" playlist, which is cool, you know, it's neat. It's neat that we're able to do this, but we need this admin panel and we need to be able to log in. So what we're gonna do today is build an extra authentication system, so a system where we can log in and only do a bunch of stuff when you're logged in, so we don't want anybody to go to the admin panel and just change stuff. I don't 
want you guys to fiddle around with my playlists. So let's try and build it. Because of what I said earlier, all the non web related stuff should be living outside of the web part, so we should probably build this authentication related logic inside JustRockCats. So next to playlist we're probably gonna have something like authentication and users, or something like that, that just explains that you can have an account, you can have a password, and if you fill in your username and password you're logged in and we can show you a page that you're normally not supposed to see.

I haven't done this in a while, so I'll probably have to Google, but let's take a look at how this should work, if only I knew how to do this, or what the proper things were. I've done this like two times already on stream, but I can't remember how it goes. So I think we need... I don't think we need Guardian, I think we can do Comeonin and bcrypt_elixir, or I think that's already in Comeonin. So for those who don't know, if you're building an application you're not gonna build everything from the get-go, you know, you use parts of someone else's code that is open source, which means that everybody can look at the source code and understand what is happening, so you know that what you're pulling in is actually not a virus or anything malicious that you don't want to have in your application. So in theory we could look at this and be like, okay, let me make sure that I'm not gonna get hacked when I pull this into my application. It's just a plug-and-play system, you know, you take someone else's code, and you have to make sure that that's good before using it in your app. We know that Comeonin is actually a very often-used thing in Elixir, so I'm completely fine with using this. I'm not gonna go reviewing it just to make sure; I'd have to write one myself otherwise, but this 
is a library that's well updated and is used quite a bit, and I remember last time when we built an authentication system this is the way to do it. "If you ever straighten your hair?" I have actually, yes. So, um, what Comeonin is, let me see: "Comeonin is a specification for password hashing libraries", okay.

So before we move on, let's just explain a little bit about what authentication is and what we're gonna be building. So a user, which is just you, is going to slash admin or something like that, or slash login or whatever, and he's gonna see the login page, and he's gonna be able to fill in his username and his password, or his email and his password, whatever, right? So it's like a box where you can fill in your username and your password, or your email and your password, and a send button, a login button, right? Something like this is gonna be the UI. And in order to have an account in the first place you will need something like a register system. Well, I mean, we're gonna make an account; you're not gonna make it, sure, right, or truly registering an account, but just for the sake of it let's make a register page as well. This is a login page, login, yeah okay cool, but we also need a register page. So if you were to have any website you would just register your account by probably having an email and maybe your first name, or your name in general is probably good enough, oops, your name is probably good enough. Nice, this is like your typical registration format, and probably a password and password confirmation, you know, this is like your common flow, right, flow of account creation: you just have to fill in your name, your email, your password and confirm your password, right, that's a common flow. So what this does is, whenever you hit register, we're sending all your credentials to the server, so 
we're sending your credentials to my application, right, and I can do whatever I want with those credentials, but most people would just save them, right? So what we could do, which is something you should never do, but just for the sake of it let's do it anyway: we take your username and your email and password and we save it plaintext into the database. So we have this database right here, it is called Postgres; it's basically an Excel sheet, a spreadsheet, I think I have to be logged in to Google, it's basically a spreadsheet of just a couple of columns and rows, right? Which is really bad. So I have an email and a password, and you would fill in your email address here, right, it's like your normal spreadsheet, and you fill in your password here, "sick-ass password", really secure, oh my god, what's happening. So this is bad, this is very bad, because what if somebody were to log into my server and hack the database? They have access to everything now, which is really bad, right? So if you're doing this then you should really consider switching jobs. So that's messed up. So everybody's records are in here, like Zephie rathri at gmail.com and his password is obviously "Boyd is awesome" with two exclamation marks. You don't want anybody to know your credentials, right? That's a little spooky. That's actually my email.

So what we want people to do instead is we want to take this and we want to save this... bcrypt, bcrypt online, let's see, let's encrypt this using a salt. So a thing that's faster than this, bcrypt, and instead of... oh what the... okay, this is not exactly what I was looking for, I need something that has an actual salt. Okay, so: string to encrypt "Boyd is awesome", hash to check string against, yes, so rounds of encryption, cool cool cool. I can hash this string and I get this string back, right, and I save this one in the database. So now 
the hacker takes this database, and all the credentials are like super random things that you don't really know what to do with. Actually, this is also not a very good way to see... what was the other one, bcrypt online, yeah. So salt, let's use this one. Okay, so I take the password "Boyd is awesome", exclamation mark, exclamation mark, I add some salt, which is the only thing that's the secret that only our application should know, and you should never put this in your codebase; you should leave this somewhere where nobody can ever find it but your application still wants to use it. It's really important that you have a salt, because this is the secret that we're gonna encrypt your password with, that a hacker should never know about. So let's put the salt like 12345, it's a really shitty salt, but sure. I don't know why... "enter salt is too short", okay, enter. So we got our beautiful encoded password here, I think, or is this the end password? Maybe this is the encoder, I don't really know how this works. Anyways, let's pretend this is the password. So whoa, we got a new password, so if the hacker gets this he can never decrypt this, because he does not have this salt that we filled in, so he does not have the actual key in order to decrypt this password. So he has basically useless data; if he steals this database he cannot actually get the actual password, because he doesn't have this secret key that we encrypted this password with, which is fantastic. If we were to store this exactly next to the password he can obviously do whatever, so it is important that you encrypt your passwords, because then people will not be able to get your password.

But how, if we log in, can we guarantee that this is that person? Because the person is obviously going to send a password like "Bob Ross 123", and he's gonna send it, but it doesn't match with this password, right? So if we were to 
not encrypt this password, right, if we go with this example right here and not encrypt the password at all, the user would log in and send this email, it would be like "email is this one" and it would send this one, and then we would check, hey, do we have any records where this email is this one and this one is the password? And then the database would say "yes, I found one", and now I know that you logged in, right? That's perfect, that's great. So now we know that I logged in, because I found someone with that email and I found someone with that password and both of them are matching, right? I found a record where the email address is this and the password is this, I found exactly one row. If I had filled in a wrong password, "Bob Ross 123", but the password is "asdf 12345 1234", it would never find this record, because it would search for an email and a password, but this record only has the same email and doesn't have the same password. So it's fine, it would say "nope, could not find anything", and I'm like okay, that's great.

But we should never actually plaintext our passwords, right? So let's go back to this example. If we were to have this, we're like, well, you know, that is kind of crap: we send "Bob Ross 123" but we will never find a user, even if the password is correct. So even if the password is "Boyd is awesome" you would never find a user where this is the email and this is the password, right? So we'll have to do some extra magic in order to get this done. But if you think about it, in order for us to save this password and get this value we encrypted it, right? So what if we take the password you fill in and we encrypt it with the same salt? That means that the hash is always the same; that basically means we transform it into this one, and then we can check, hey, is the encrypted password the same as the one? So now I'm asking, hey database, do you have someone for this email address and this password, 
and then the database says "yes, I found one". If the password is wrong, however, so let's say I do "Boyd is awesome" but it's like "Bob Ross 123" with the same salt, we would get a completely different hash. It's not even that different, but it's definitely different: so it starts with "50" but we already have "5356" blah blah blah, it's completely different. So then the database would say, hey, you're sending me this user and this is the email and this is the password, but I cannot find any records, I cannot find anyone that matches that, zero results. So now we know that this user has filled in either a wrong email or a wrong password, right? That's what we know, that's great, that's cool.

So this is what we're gonna build. We're gonna build a form that we're gonna send, and then whenever you register we're gonna save the user, we're gonna encrypt the password, store it in the database, and then whenever you try to log in we're gonna get the credentials, we're gonna encrypt the password again, and then we're gonna match and see if we find someone's credentials, and we can basically guarantee that if we found someone we can log you in and set a cookie, which is what I'm gonna explain later. So I hope this is clear to everybody, hope so. Hope we're onto something here. Beautiful, okay, that's cool, that's perfect. So now we securely store data that we can retrieve later on, or we don't even have to know what this password is; we literally don't care what this value is at all. All we care about is, when we log in, that we match the passwords, so we re-encrypt it: we take this password you send us, we convert it with the same salt, salt plus this string, and then we're gonna do some awesome encryption with this, and then the outcoming result should be this one. That's what we're checking: is whatever comes out of this the same as this? Then I can say yes, okay, let's just get 
in. That's what we're gonna do. "Wait, so how do you code it that the system turns the password into the encrypted version?" So that is exactly what this library does. There are a ton of different encryption libraries, and there are three that are included in this library: Argon2, bcrypt and pbkdf2. If you ever come across md5, don't ever use this. This used to be the standard, but it is really easily hackable, well, not hackable, but it's easily decrypted. So I'm gonna put a string here, "Bob Ross", md5 hash this, it's like, okay, I get an md5 hash, but the thing is, for the computer to decrypt md5 it's not that slow. So "md5 decryption", and there's already a database with over eight hundred and twenty-nine thousand... 26 billion cracked md5 hashes, so probably somewhere you will find your own password in here, yes. So don't use this, this is outdated, this is not the best way to encrypt any more, and I think SHA-1 is already... or even SHA-5, I think, Google has already thrown so many computers at that. But it's also not that great. bcrypt is very well known and Argon2 is the newer one, I think that's the best one right now, but the most important thing is that you just encrypt the password before saving it in a database. I don't want to see any of you guys go into production and save a password in the database that is not encrypted, all right. Sup Katie, has gone.

So let's do this. I can't remember how we actually have to add libraries, because I haven't done it in a while, I haven't touched Elixir in a while actually. Yeah, let's see, so let's install this baby. So let's go to Hex; Hex is basically the plug-and-play manager of Elixir, so with Hex you can install other people's code into your application. So 
what we're gonna do is just go to mix.exs, which is outside here; then you can see that we're already using a couple of libraries: Phoenix, Phoenix PubSub, Phoenix Ecto, Postgrex, Phoenix HTML, Phoenix Live Reload, Gettext and Cowboy. So we're gonna add another one, we're gonna add comeonin 5.1, save. Okay, now we need to do mix... I think, oh, did we... something. Oh, you're missing a comma here. Perfect, mix deps.get. Beautiful. All right, so now it says these are all unchanged, we didn't change any of those, we added a new library, comeonin 5.1, awesome, perfect. So we've added this library, now we can access it within our code, beautiful.

So what we're looking into is Phoenix contexts and how we can generate one of those. So I'm using a framework called Phoenix, which I spoke about earlier, which is just a web framework I can build within. This framework already sets up a bunch of files, an entire structure to work with, which is great, because you want to be fast, you want to build stuff, right, that's the most important thing, we want to ship things. Within Phoenix there is something called a context, which basically tells you: we're gonna be building this feature, right, we're gonna be building authentication and we want to build files, or we're gonna make a thousand modules within that domain called authentication. So everything that's related to authentication is gonna live inside that folder, and we call it a context, basically. So for example they're creating an Accounts context, which is exactly what we're gonna do, because we're gonna manage accounts, that's the domain; account management is gonna live there. So we're gonna be able to create users and authenticate them and all that. So let's do that, let's follow exactly what they're doing. They explain the idea behind auth, which I just did; if you go and watch this stream back, we literally just explained what it is, but it's basically just login. We're just gonna build 
login. But welcome Willow, how's it going, sup Gosha, gun. So we're gonna build a context basically for this, and you're able to generate this actually, so let's do that. Let me make sure that my database is in the right shape... Comeonin requires Elixir 1.7 and we're on Elixir 1.6.5, okay, whatever, we'll see if it's actually running in tears, but we'll see that later. So we're gonna generate a resource, or context, so we're gonna make an Accounts context, so this lives in the Accounts domain, and the model that we're calling is gonna be User, so we're gonna have users, and the table name is called users, and then it's gonna be name as a string, let's call this email as a string, we don't need username, but this needs to be unique. I don't care about the name really, we're gonna add that later; we want to have an email and we want a password, but apparently they're doing the password later, which is fine, I'm gonna have a password anyway, which is a string, and yeah, that's exactly what we need, that should be good. All right, let's run this, generate it up.

Connor, how's it going. "I want to learn Elixir but the syntax looks kind of weird." Really? "I'm used to things like Go and Java stuff." I see. I see it, and it's super different, it is a little weird maybe if you come from that area: a lot less curly braces, a lot less curly braces. Okay, so it basically already generated a bunch of stuff for us: it generated a controller, it generated a bunch of templates that we can create users with, it generated a view, controller tests and all that, which is great. It created an Accounts context here, and it created this beautiful file that we had before for playlists as well; this is basically get a list of users. We probably won't need any of this, but it's nice to have, I would say. So let's just work with this resource, right, so let's add this. We basically have to tell our 
web server... let's start the web server, let's first run this. So in our router we can basically tell, okay, if we go to slash users, let the UserController take over; that's basically what we're saying here. So let's add this, and let's mix ecto.migrate, which basically creates this thing in the database. Think about it like your Excel sheet: we're just making a new Excel sheet especially made for users, that's what we're doing, that's all we're doing here. Beautiful, okay. So if we go to our website and we start the server, so it's mix phoenix.server, we should be able to go to slash users and we're gonna have a list of users. Okay, let's create one: Bob Ross, bobross.com, password 123456, save it. We just saved the password plain text in the database, but that's fine, that is okay, that is completely fine, sure man, that's okay, I don't mind it too much.

Okay, so in order for us to ship the code that we have, we have this little thing here, can I make this bigger? I can actually make it bigger, perfect, I didn't even know that they had that. So I have this little application here which is just managing my Git; this is basically version control telling me that I've changed a bunch of stuff, and then I want to say... that's pretty much all we do, it feels like there's something underneath everything, but it's not. Why not make a new branch: live-authentication, we're building this. It already built a bunch of tests; I literally don't care about these tests, because I think they're not good tests, because we're not gonna have any of this anyway, but sure, let's just keep it for now, whatever. So we generated a bunch of stuff and we're gonna say, okay, "bootstrap accounts resource", that's exactly what we did, which is perfect. So whatever we just generated, we just parked it, we said okay, take a snapshot of the code right now, this is the state that 
we're currently in, so we can roll back whenever we made a mistake. Just good, okay. So we have what we had, we just made a user, and as you can see here it shows the database, it says insert into the users table, so into Excel, you see this Excel sheet, it's for users, it's called users, and for email and password and inserted_at and updated_at, enter these values: Bob Ross is the email, 123456 is the password. Don't ever do this, but it's fine for now; don't ever save your passwords plain text in the database, but it's okay.

Okay, so next up we're gonna make an authentication, an auth kind of context within our application, because we don't want our users to know about login; our users are just for saving, but our accounts should also... I should kind of know about it, I think. But we can at least... let's delete all these methods, or comment them out; I don't really know what we're gonna do with them, but maybe some of them will be useful. So what we kind of need is, if we look back at the flow, we will have a bunch of credentials and then we're gonna ask another service, that could maybe live in Accounts, I don't know where I'm gonna put it yet, we're gonna ask that library to just encrypt the password for us. So let's just quick and dirty build it first and then we'll figure out what we're gonna do later. So let's just build it; it's really hard to do things right from the start. I'm completely on this... Tapenseen, Orangy, thanks so much for the follow as well, also there was someone else, Cue Dog X13, thanks so much for the follow as well.

So let's make a function that is called create_user, or yes, sure. So create_user is already something we have here, so let's steal that: create_user, which takes a User model, adds a bunch of attributes that we send over, and then inserts it. We don't want this, we want to encrypt the password first before we do this, right? So let's think this through: if we're sending the password, do we want to do 
this on model level, so validate the required fields, check uniqueness and then encrypt the password? Is that something we want to do? I'm thinking if this is the right way to do it, or do it within the service, so to speak, make the service responsible. I think it is not bad to put it on model level and just before save make sure we encrypt the password, um, but I think this will be used for every single one and I don't want to encrypt the password every time; I only want to encrypt the password if we actually changed it. But sure, let's just put it in the service first and then we'll figure it out. So let's do it quick and dirty, right, um, create_user, blah blah blah, sure, sure, whatever. "As one credential, alias Accounts.Credential. Before we integrate credentials into the web layer, we need to let our context know how to associate users and credentials." Oh, they're talking about a join table, yeah, so they have a separate table for the email or something; they have first name and then they have credentials separately. Sure, I don't know, we're not gonna do this. Oh, here, "authenticate by email password", which is cool, sure, sure. This is a session controller, this is for web, that makes sense, yep yep yep. I don't think I'd use their blah blah blah.

Okay, let's first just make sure we encrypt everything. So we have our Comeonin, and let's take a look at how this works, how do we use it: Argon2 docs. "Argon2.add_hash takes a password as input and returns a map containing the password hash." Check the password, so, oh, this thing already has a bunch of helpers, which is perfect, that's great. So we can do Argon2, verify the password; we can make an abstraction on top of this if we really want to have our own authentication kind of thing, I can do exactly this that uses Argon2, might not be a very bad idea, but let's just first do it quick and dirty and then figure it out. So they do Accounts.get_by... oh, what happened, oh 
okay my screen just went completely back where if I use their buh-buh-bah Coco Cole [Music] the length of the random salt how does it check the password [Music] wait where does it get this where does it get the this salt from the hash the hash key the Adhan hash all take options that they're then passed through the hash password alright it's just let's just try it you know I don't I just don't want to stay too long into like I don't want to stay too long into reading and doing it properly I just want to do it quick and dirty and just hack it in and then figure out as we go all right so put password hash we put the password so private function poot password hash it takes an ecto changeset if it's valid changes password change change set bargain at hash password uh-huh so this thing will actually have a password hash on the hood hey dansant password hash on the chainset and then these stored is on a user where's the where's the initial secret and I don't understand where that's put really confused all right let's just Google this I'm missing out I'm missing out on something come on in come on in on in elixir let's just read I think in the end we actually have to read man I just wanted to build it all right beanie accept invitation to do application part tale beautiful okay so we have a user we have a user chain set and then we say okay pretty user to do that yep yep yep could not render buh-buh-buh Coco cool we don't care about this we already scaffold of this all right here so we have a user oh yeah we can we can actually go to the database and see if we do IX we can we got an interactive shell and then we can do alias and then we can say just rock hats counts I think and I think our module was called a district has accounts user then we can now do a count stop user okay let's do an alias for that to pay Lister's for our cats couns user okay so now we can use user and we can do repo duck yet but we need to repos itself wait what Bailey is there are cats repo sure 
I'm gonna repo dot get and then we can put in the user and then the idea of one yet is unavailable wait what's this our cuts repo yeah here what the heck repo all all we have to do repo no wait huh yes with a bang it repo is undefined this records repo get is undefined not available but we're using it right here [Music] repo is racquel repo what the hell I'm so confused Oh maybe we need to import this no I'm really confused house is not working repo is here yet there's no get [Music] if I put in a user user ID yeah here if I didn't say user one all right what about repo all user reball is in the front okay I'm really confused Oh how is this not working oh I think I have to do mix something if we enter IX mix Phoenix console no I'm really confused do I need to do this so I have alder defense here we go there we go so now I can run Jose our cats got repo'd all and then just ro cats accounts thought user and then I get all the users all right beautiful there we go okay cool okay we're back so I have to just run in it and if an initial one okay so if I ask the database hey can you give me all the users I get a user back I get a list of users what is the IX me as mix what you just did it is basically telling you I existent is an an interactive thing that you can run that runs with the language that comes with the language and an S mix basically tells you that it also should include all the dependencies so all the plugins that I downloaded remember how I added all these plugins here so just telling you hey going to this interactive mode and also running loading all these plugins that you've added all these dependencies and then I can basically say alias what I did before just our cats got a count user alias just Rock Cats repo so I don't have to constantly type just for cats repo I can now also just do repo now we'll get the same thing so I'm a liasing user user to be this this entire module so can a user or repo get user 1 and this will get me that the user with the ID 
of 1 so that's good so if I were to get repo get and let me see how I can add options to it because I want to actually have a quarry that searches for a bunch of stuff right get by so I can do repo gets by user and then I can I want to say email equals Bob Ross at Bob Ross comm this is basically the code that we have to write ourselves later password and then one two three four five six right and we found the user so if our password is wrong see you get nothing you get like Oh couldn't find anything we found Neil which basically means nothing it's evasive what we're doing so I just told I just asked hey hey repository which handles all the database stuff can you get by though hey can you get what get something which I'm passing the user so I'm saying hey can you search inside users for something where email address is equal to this and password is equal to this and then the repositories like okay search search search I gotta do this let me ask the database so it hits the database and it asks select ID email blah blah blah blah blah all the fields from the users table so from the user excel sheet we're email address is equal to bob ross @ bob ross calm and password equals 2 1 2 3 4 5 6 7 and then in the database said I didn't have anything and you're like okay um but if I do fill in the right password the database returns me hey I've found one record and I only you only ask for one um so here you go this is this is what you got you got your beautiful chemo and password which means that I can log you in now beautiful but instead of Paul okay so they called it in the database or in come come on in they use password hash but we called the field password which I'm fine with I don't care and I'm pretty sure we can just map that I don't think that's the problem so here inside of models they put it inside web okay I don't think I think that's an old that's an old thing but we can we can definitely put it inside the change set I'm not I'm fine with that I'm completely fine 
with that, but I do think... yeah. So you normally have this function called `put_password_hash`. Oh okay, so you made a private one. Okay, let's do that, let's just do it in here, if the tutorial says so. You have a normal `def`, and you have a `defp`, which basically means that it's private: you're basically telling this file "you can only use this function inside this file, you cannot use it outside". So let's call this `encrypt_password`, because that's what this function does, and what it takes is a changeset. Then what we are going to do is... he even made a case statement saying "if it is this one"; oh, that's actually a good point, that's exactly what I was talking about. Cool. So he basically made a case statement, which says: there are a couple of cases that you need to handle, do something for each changeset. We're going to look at the changeset that we pass in and then go through a bunch of cases; if it's something that we don't handle, use an underscore, so for anything else we just return the changeset. That's what we do. But if the changeset is valid...

To give a little bit of context: we can only change a user using a changeset here, we can only change a user if it goes through these actual steps. So we basically say: okay, you're going to give me a user, and I'm going to first check a couple of things before we can save it in the database. We need to do a couple of things first. First we need to cast our attributes, so whatever you're sending... is this what casting is? "Casts according to the given set of keys. Returns a changeset. The given data may be either a changeset, a schema or a struct. During cast all permitted parameters will have their key name converted to an atom." Okay, so you're basically telling it: whatever you're sending to me, I
can only accept these properties so let's say you can never change the password you would remove it from here because if you're using this application we would never allow somebody to change the password ever that's just it's just given you can never send me a password or anything else so if they're sending as other stuff that we're not permitting we're just gonna take that and just just remove it if you're sending let's say attributes is something like this is I don't exactly know how how elixir works that well let's say email or some awesome property here but just blah right I'm sending this I'm sending an awesome property blah then what this step will do is will do it will just rip this off it will just be like nope I don't know this one let's just get rid of it so I passed that first test we're sending email and password and those values are present so it's gonna be like okay sure these are allowed to pass true so that means that we're going to the next step which is validate required which is just gonna check hey did you send in the required fields or are two required fields on this user set right now so Bonnie how's it going you're an actual dev yeah I'm an actual then so we're saying is we need to check before we save anything in a database we need to check that we're that we have an email and then we have a password set if you do not have these set we can not save your user all right third check is we're gonna check if the email address is not already in use you know is this email address already is saved in the database somewhere then we should also fail so these are just validations that we're gonna do and in the the other one the next one that we're gonna pass is encrypt password so it takes it takes this user chainset and accept is that at first it is his first thing so basically what this is is like it is pretty much this this is what it's doing but in order to make it more readable we just do it like this so that whatever comes out of this so far is 
passed to the next one that's basically it is your piping true whatever it is I don't know is there paint online yes perfect so if you were to have a couple boxes and I make this bigger you fill paint online guys what invention they have a box then I pass it true face black hole right here and it does something with that box and then it goes it goes out and it does something so now that box is red right so this is magical portal make the Box red spray beautiful yeah beautiful okay it goes into the next portal which does something and we tell it exactly what it doe obviously does which makes the box bigger a bigger box but it's still red right buck oh god Windows associate I have windows I like windows right okay so we have a couple transformations here and if you look at the code this could be something like this it would take a box and we would pipe it through a couple things let's set the language to elixir we take the box and we put into a lot of things like make red and make red would be something like this make red which takes a box and then I don't know box that color red something I don't know I don't exactly know what it what it actually would do obviously but this could be something that it could do and then we also pass it true make bigger so you could write this like this right make bigger make red box you could read it you can also write it like this but it's not very readable so you guys have to read this from the inside out right it's like you take a box and then you call make red on it right so we make the Box red but this current returns as a new box which is now red and then we pass that to the next one which just make bigger which also takes a box and then maybe there's another one called flip box and then so we take this we call this and then we return another box and then that's a lot of work and it's not very readable so what we want to do instead is we want to have this nice and readable so we just we just pipe it you just pipe it we take the 
box, we pipe it through the first one, make_red. When that is done it passes it on to the next one, which is going to make it bigger, and then the next one is going to flip the box. That's exactly what we're doing here: we validate all this stuff, and every single one of these steps is going to return a user changeset. It might have changed some validation state: maybe it failed here, maybe it failed the uniqueness constraint on email and said "this email is already in use", so `valid?` comes in as false. So the changeset that we have here looks like this, and they're using pattern matching on it, which is really powerful. I don't know what `put_change` is, we'll look into that in a little bit; let me just finish this real quick.

So what we're doing here is basically an if statement, if you have ever seen an if statement: if the changeset kind of looks like this, then do this change. So we can say: make the changeset's password be the encrypted version of the password that we're passing in. Else (I don't know the syntax in Elixir that well) we just return the changeset, because it was already invalid, or it didn't change the password, or whatever, so we don't want to make any changes to it. If it wasn't valid we'll just keep it invalid, that's fine.

But this case statement is a little bit more powerful, because it's pattern matching. So if this changeset matches this pattern, that is `valid?` is true and `changes` contains a password in there somewhere (we don't know the value of it, but the changes contain a password, so you have changed the password), then we bind it. Let's call it `pass`; we can also make it `password` if we really want. That basically turns it into a variable, so whatever comes out of this we take it and store it into this variable called password.
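The schema and changeset the stream is describing, written out as an added example (this is not the stream's own code or the tutorial's). `MyApp` stands in for the app's real module name, which the captions do not preserve; the `|>` chain is the same pipeline as the red/bigger/flipped box above. Two choices here are mine rather than the stream's: the hash is stored in a column called `password_hash` (the name Comeonin/Bcrypt expect by default; the stream's table stores it in `password`), and a minimum password length is validated.

```elixir
# Added example (not the stream's code). "MyApp" is a placeholder module name.
defmodule MyApp.Accounts.User do
  use Ecto.Schema
  import Ecto.Changeset

  schema "users" do
    field :email, :string
    # The plaintext password only lives in the changeset; it is never stored.
    field :password, :string, virtual: true
    # The bcrypt hash is what goes to the database.
    field :password_hash, :string
    timestamps()
  end

  @doc "Casts and validates attrs, then replaces the plaintext password with its hash."
  def changeset(user, attrs) do
    user
    |> cast(attrs, [:email, :password])
    |> validate_required([:email, :password])
    # Assumed policy, not from the stream: refuse very short passwords.
    |> validate_length(:password, min: 8)
    |> hash_password()
    # unique_constraint/2 only adds an error when Repo.insert/update hits the
    # database's unique index, so it goes last; order does not change validity.
    |> unique_constraint(:email)
  end

  # Only hash when the changeset is valid *and* the password actually changed;
  # editing just the email keeps the stored hash untouched.
  defp hash_password(changeset) do
    case changeset do
      %Ecto.Changeset{valid?: true, changes: %{password: password}} ->
        put_change(changeset, :password_hash, Bcrypt.hash_pwd_salt(password))

      # Invalid changeset, or no password in the changes: pass it through as-is.
      _ ->
        changeset
    end
  end
end
```

`unique_constraint(:email)` needs a matching `create unique_index(:users, [:email])` in the migration, otherwise two users with the same email will insert fine. Because `password` is a virtual field, `Repo.insert/1` never writes the plaintext, and `Bcrypt.hash_pwd_salt/1` generates a fresh random salt per call, so the same password hashed twice yields two different hashes.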
Then we run the code that is inside the block after this arrow. We say: make a change to this changeset for the field password and change it to whatever comes out of here. So we take the Comeonin library (Bcrypt, to be correct) and we hash the password with a salt. Beautiful. If the changeset is incorrect, the first pattern won't match and the case statement moves on to the next pattern. Beautiful.

Okay, so let's see if this works. If I go to the command line here, I'm not sure if I have to restart or reload. I think I can reload, or re-import, or something like that. Phoenix, Elixir reload, iex, `iex -S mix`... I think this module gets recompiled if you just say reload everything. Hmm. Also let me make sure that my laptop doesn't get too warm, because my laptop always gets super hot. Alright, here we go. Can I reload or something, please? Let's first see if this works. What if I just reload User? That should be good enough. "Redefining module"... beautiful, okay, it reloaded the User module, perfect, that's exactly what I wanted.

So if we were to do Repo.create, I think that's what it is, let me check the Accounts here: `create_user`. We need a user, then we need a user changeset, and then we insert. I don't want to insert yet, but let's just steal this function right here; it has comments in it. `def create_user`: let's copy this line by line. It takes this one, then you pipe it through this one, then you pipe it through this one, and then we `end`. Oh okay, we're already in it. So I can create a user now by giving it a couple of properties. I have to pass in an email, and if I only send an email... undefined function? But I just created it here, what the heck, that's weird. Let me check with a `hello`... alright, is it puts? No, I think it's print... print in Elixir, I can't remember how to
print IO puts IO boots hello world enter and if outside of module oh god damn it okay sure module Bob Ross do deaf create user let's just copy this again user paints repo and and undefined function module goddamnit okay how do you how did you define it oh I think it's def module goddamn okay okay here we go one last time def module I'm not doing I'm not I'm not using enough elixir guys you can already tell user changeset answered and and beautiful okay now I'm gonna do Bob Ross dot create user and then I can pass email is Ross at Bob calm I'll get them expects params to be a map it needs to be this I can't remember too soon thanks man alright here we go okay so as you can see I tried to insert it so we asked the repo in this function right we asked ok create a empty user then piped true to change set so take this user empty thing give it a bunch of attributes that we that we passed so we passed it email is Bob Ross Ross at Bob calm that's great and then trying to insert it just just straight up send it to the database but we called this user to change Sam remember what we did in his users are chase set here we call user change that it passes the user and then a bunch of attributes see so what we did is the user is this one and we pipe it so the first argument is gonna be this second argument is going to be the attributes that we sent which is in this case this and then we map it we we can secure everything here so we cast it we validate if it's required and here is where probably we're broke because we didn't send a password see so we got an error it editin is valid false and we got an error on there so it says can be blank validation is required beautiful but you can also see that the changes that has changed Sat who our email set to this so if it were to actually go to encrypt password it would check if this is pattern matching with this change set so it's gonna check okay valid true valid false so it already met our already said ok this case is not matching I'm 
gonna pass but if it is worth to be false so like ok valid is false I'm matching right now I'm matching but there's another thing I have to match them which is changes so I'm going to check if the changes contain a hash password though I'm checking ok a map this is called a map a map password oh it doesn't have any key called password the map doesn't even have a password simple thing so it doesn't match it again so let's make a correct one so let's add the password and then we say hello my password is 1 2 3 4 5 6 7 as a string and now it should be valid but let's first before we do this before we do this let's Bob let's repo the get user work all sorry I want to get all the users again oh what interview I'll show you what I do [Music] do I have repo here yeah repo all user [Music] okay so we had already this email so let's try again creating a user that already has this email right so instead of this email I want to have a different email so we have all the fields so it pass it's passing that well it's missing a print and the ending print see here okay let's try and make a oh come on in bcrypt hash person has been removed heads did add it to your figure mix foul goddamnit okay let's do that so come on in is not the actual hashing library it's just a bunch of helper functions that you can use to like hash passwords and all that okay fair so in theory do we even need come on in I don't know if any coming in because all we're using is bcrypt right now okay so let's just add this one sure be crypt elixir fine that's next to this let's mix that yeah or something makes depth get all right beautiful says it a tattoo library to a new libs it added baked earth elixir and an elixir make which is probably a period of pendency sure fine whatever let's continue so instead of this we just use bcrypt directly be cured elixir see how that works [Music] come on Ricky how do I use this it says I must have si however where's the docs preferences no algorithms bad hash check pass same 
is coming in B crypt check Pass takes the user struct and password correct and password as input and verifies the password understand what come on in Dustin what is coming in even new if it doesn't do the encryption what is it what does it do what does it do password hashing specification for the lava ok specification for password hashing libraries let's just try it it you know whatever blowed [Music] the fantasy bcrypt elixir requires a lick sir something something cool whatever oh we don't have this function anymore hey let's steal it let's steal it again no want to ride this again so I'm just gonna steal it from here module def module Bob Ross do and I don't care about the formatting and on expense struct user where is the Science and Technology sub Lars how's it going thanks so much for the 38 centuries welcome back to the cat's community oh my god this is science in technology man okay I forgot to alias fifth straw cats repo heylia's just draw cats that account user now I can actually make this function there you go so we have Bob Ross we got on Bob Ross we can now create user paid user and it takes attributes so email is equal to what was that email that we had before repo get or all user this is the email so if we now do user bob ross create user with this email address that's a good password thanks man and password doesn't really matter because it will complain anyways but we cannot create the user count damn it what the I thought I changed it I forgot to save it [Music] Chloe doesn't have if they change the password salt okay sure hash whatever okay they changed this scene digs a little bit since the last version whatever sure let's reload okay so like I said it would error out because we had a validation that it was gonna check hey is his email actually unique how did it actually encrypt the password though is what I'm wondering because valid is true and changes his password but it is not actually valid they didn't even did it reach this code how was it 
already encrypted? I don't get it. That's actually really strange. It actually hit this base line, which is very weird, because this changeset is not actually matching at all. `%Ecto.Changeset{action: ..., changes: %{email: ...}, errors: [], valid?: true}`: how is it valid? If the uniqueness... okay, I get it, I know why it passed. The uniqueness constraint is something you can only check afterwards, when you hit the database. That makes sense. So it's nice and all that I'm adding this before, but with a uniqueness constraint you can only know whether this email address has been used before when you try to save it to the database, and it tells you "hey, there's already a row with this email address". So we can basically only check this after we save. In theory we could actually do this afterwards.

Yo, welcome back, thanks so much for resubscribing for 39 months, man, welcome back. It's funny how you're one month, one year longer, one year older than Lars. "Are you going to be using JWT tokens?" Probably not, probably just cookies, encrypted cookies, I don't know honestly. Let's say we're going to make things simple first; we can make it harder later.

Okay, so it does make sense. Sure, it doesn't really matter what the order is; the uniqueness constraint will be last, I think that makes a little bit more sense. Just validate what you can validate here, then move on to the uniqueness constraint later. So up until this point this thing has been valid, so let's encrypt the password, finish off the changeset, and then save it. That's what we're going to do. "Why do you call your hash-and-salt function encrypt?" I don't know, it made sense to me. But it's true, it's not really encrypting it, it's just hashing it. Well, that's okay, makes sense to me, whatever, it's semantics man, it's semantics. Alright, whatever works for you. Lars says again he couldn't care less, honestly. I'll care
about it later when I actually have to have to build it but first let's play around see if we can make it work alright so Bob Roz is already in database so let's do Bob Ross - password boom boom boom it says ok we saved it in a database and we now have pre PO we now have to who users so after validation passed we actually safety user and it's down a database this time around it actually is a hash password which is perfect beautiful okay that's nice that's perfect let's heck around and we we had all this you this this copy pasted or like generated we literally don't care let's make I'm probably gonna move this into a different file soon well as first make it work right that's the sole point so if I now were to go into the app are we scaffolded oh yeah we got don't have a list of users anymore alright let's just roll this back actually I think we can change everything back in this file beautiful okay let's roll this back so that our web applications works we now have a list of users in our interface which is beautiful and if I were to change the password to be Bob Ross it will be what what oh I did not import the library right like I need to import it here inside my user is that is that actually a thing did I did I need to do that I thought about I'd automatically imported everything all right let's see let's see if this changes everything [Music] what I thought I might just use bcrypt here let me see really confused bit crept yeah beaker of module look I could just use this everywhere but I didn't need to import it or whatever still completely new to just in thanks guys still completely new to the syntax alright are we doing anything special here [Music] [Music] mmm-hmm let's research a server it might be because of that we didn't research a service so I don't think it has this thing you need to restart your server whenever you update dependencies that would make a little bit of sense all right so users like to edit bras Bob as the password we get save and you see 
we don't store our passwords plaintext anymore and whenever we change it it up they did and they rehash the password perfect all right beautiful that's great that's BA so we're not storing our password plaintext anymore that's perfect that's exactly where we want to be so let's get rid of this password and just copy and paste and restate it oh wait we have to change it because people check it will see that it's that it hasn't changed there you go is it back [Music] good so we have no passwords indicatives anymore that are not encrypted or that are not hashed sorry Lars I said it [Music] alright so let's make a a news accounts let's make a function at the top it let's do it authenticate with email and password super long name hell yeah dude and it takes I think it takes a change set or like say how do you do that like this right is it percentage percentage yes okay what's it that's percent yeah yeah okay it takes email as email and password s password and then we're gonna do did you do more back in her front end I work as a front-end developer but I love doing both it's just the context switching is not helping at all alright also they they date in this blog posts actually made a different change set just for username and password cuz in theory you should never be able to just we don't have to encrypt the password every time or hash password every time and if you keep this change it the same you don't you shouldn't be allowed to send over to pass right every time and like that but that's okay I think you already implemented something like ah [Music] all right they're doing this Baba all right sure nothing negation should be death that's hard so what we should do is repo get and then user or we can make use of this get user actually can we notice is by ID what we want is we want to find a user by its Iman password which is exactly what we're so get by this feel it can fail sure because when it fails sure I guess I think this is something okay so changed we're gonna 
get by email is email and password is the decrypted whatever the bots are way around sort of thing right that's how that works Beck pass yes Asha's defender with a randomly generated salt verify password takes a user struct and a password as input and verifies the password gonna be broke now finish my call a college inlay like June May and I'm eighteen only beginner really which front end but might have scored a job as developer for a local company called IPOP digital any advice for getting better or being in the industry um if you want to be good if you want to be good the best thing you have to do is to know how to learn and the best thing is is to keep always have an open mindset most important thing always have an open mindset have a in my opinion I look at myself and I just always treat treat it as a having having a beginner's mind set is always the best in my opinion like um don't be afraid don't be afraid to make mistakes don't be afraid to look back at your code and be like okay well I up or like that's fine you know I think it's actually really good to up and don't be if anybody ever tells you that it is wrong to up I think that's wrong please up please off please do this module Zuma password hash behaviors providing the following functions bad hash why don't do I have come on in if this does exactly this whatever anyways verify the password no user fair fire runs the hash function but always returns false but oh every now and then it does this it's really random go for guys when you can't get grill you know all the guys are here because they know you single what the yeah let's let's see how does work be bcrypt dot check pass thanks a user I don't want to I don't have the user yet it takes a struct ray I guess just this pressure mark is that how I make a struct something was said it was something like this right here is this it this is what I'm supposed to Adam noted I think I'm supposed to send him a user that is actually a user by email some remarks hey 
send me something [Music] I'm just scared to click on the link man please that's a spooky Ling [Music] the free host built-in fancy-free and feel me okay give you yes whatever um did he come here with great wisdom her visor password what does this take them [Music] passwords stored hash oh yeah that's what we need password no way we get the user by email is that actually what you do you get the user by email and then you actually that's probably what you do yeah all right so we can just do be crits if we return it be be crypt the check password what does it even return what does this should return [Music] pulse what does that mean as random okay let's verify to pass if this do else I don't know what we're gonna do let's just first return true or false sure yo ganz oom thanks to Richard follow the rosary no good catching a stream of yours again been a long time thanks man hey continue to music please thank you okay I don't honestly know what the we're doing but that's completely fine I literally I'm completely fine with this okay so it is thanks yes oh this takes a password we can use the other one right heck pass user struct and then a password that sounds good to me sure let's do this let's call it okay let's make it a quick page so we can log in templates user login of HTML UX that's copypasta create or something [Music] it's a forum alright login and it's gonna take a change set and then it's action but alert whatever Senate email and a password and we hit submit and we send it to what is this magic okay it's not magic guys it's not magic okay so let's create a route let's create a can't login normally you have a session controller but I'm just gonna be lazy I'm just gonna shove it into the user controller real quick login action all right let's just be hella lazy guys that's that's exactly what I am okay new plug-in on params do and it's probably better if I just created this session controller but it's fine all right Shane said we're gonna need this do we 
really need this whatever and destruct render render logging that HTML all right let's see what the happens when we do this plugin breaks because action is not available in the EA expand play oh wait I see already so in a new you pass action but a science where does this come from what the is this render form map put assigns whatever the that is and in action okay supposed to change this sure man can I see my routes abort mix Phoenix routes beautiful and do I have a path for this user path user Pat login all right beautiful exactly what I was looking for it so log in action nobody would like this I don't know man we're gonna see login is this work [Music] render to is undefined user feel okay that make sense yep okay that's fine views user view accessor is that okay oh [Music] my god what is happening user view is not available user view it's right here the are you talking about [Music] [Music] hey honestly have no clue what I'm doing alright form for it it's magic man I love magic hello what is happening oh no I don't want to open okay form for elixir Phoenix what kind of magic does this do show me the money routes oh this is just oh you don't need to do add an action okay okay like this like this alright very lekker refresh still broken why is that broken I spent seven years in Ruby and rails moving to elixir was still challenging lots of little confusing things no matter how familiar right it's exactly my my feeling man is exactly my feeling your feeling your feelings are my feelings bro having spent way too much time in Ruby on Rails bought soma so oft so much with the framework so much it feels it feels way better set up honestly if I'm completely honest it feels like it is properly set up like Phoenix compared to rails in my opinion but it's still it's still a little scary sometimes but you have to pass con oh you have to pass Kong that's why the view is breaking I think hopefully beautiful yeah can you answer discord DM after stream so things can be settled 
See you tomorrow. All right, catch you later, see you tomorrow, yeah, I'll check out the DM. Okay, so this should... we're posting to this. Okay, so, okay, fine, whatever. Is this the convention, `login` and `create`? I want to know if there are params. Wait, how do I know if this is a POST or a GET? Oh, here, like this, if we're sending this to the same... Oh my god, look at this, guys, it's gonna be amazing, it's gonna pattern match, guys, it's gonna pattern match! I think this needs to be above, then. Oh my god, we're pattern matching, boys. Look at this go, wow, that's hot. Okay, `Accounts`... oh, here we go, look at this, amazing. Does it... yo, again, Zen, do you know if the order matters or not? Because I used underscore here, but does that mean... okay, let me first check if there are other cases, or doesn't it matter? Is it dependent on the order? Probably. It's `Accounts`, so let's do it, let's do it. Where does this come from? Oh, this, I just named this `user`, okay, that's fine, sure. So it takes `user` out of the params and then I put it in `user_params`. Beautiful. "The order is important to avoid recursive issues." Only in cases for you or your cats. All right, okay, let's call the function. Oh my god, this is gonna be a magical moment, guys, or make the most hacky authentication ever in the world, but that is completely fine because we are hackers. Okay, I hope I get `{:ok, user}` back; if so, I'm just gonna redirect you back to... whatever, you are logged in even though you're not logged in, because we're not setting a cookie at all. We're gonna redirect you to the show page of the user, we're just gonna do exactly the same thing; otherwise, go back. Let's see what's gonna happen. I can't even remember our password, but I think it was bobross@bobross.com and 123456. No POST found option, rip. Oh, that's right, we didn't set the router POST. No function clause matching, oh, that's right, that's right.
That's right, in fact it makes sense. We're getting a user here, but we have to set... let's make a very bad version of this. Oh my god, I already started writing JavaScript. All right, Subskygold, how's it going, long time no see, how have you been? "I only have some experience in Python, so this goes over my head." Oh, just continue, man, and ask any questions you have, feel free, doesn't matter what it is. `credentials =`, and then we're gonna make `email: user_params["email"]`. Does that work? I don't know, we'll see, really curious. `password: user_params["password"]`. What are we sending, actually? Hold up, password, password, what are we sending? Called with arguments `email`, `password`, attempted to go with this... this is exactly what we're sending, right? No. Oh, there are strings, is that the difference? Is that really the difference? So we matched... did we pattern match in `Accounts`? We pattern matched on no strings. Let's write it... didn't work. So we called it with this and then we pattern match this, which to me looks the same. No, oh wait, no, huh? Yeah, let's go here again: bobross@bobross.com, 123456, login. Is this outdated, did they not refresh my code? Wait, let me check: to refresh my code, `IO.puts "hello world"`. They did refresh my code. How is this not matching? No function clause matching. The struct has a `password` key, I thought. All right, let's just take whatever we're sending, YOLO, and then we'll see. `IO.puts yolo`... it's undefined, `Accounts` is not available. I think it's because it's not compiling because I'm doing `yolo`. Done, email, okay. All right, we hit the function, we're sending this, this is what we're getting. Let's copy and paste. Why is this not the same? Looks the same to me. Oh, here we go, here we go: no `password_hash` found in the users struct. All right, that's what I already thought, because they have this convention in Comeonin to use
`password_hash`, but we use the `password` field, yeah, we're shitty like that. So what we're gonna do instead, we're gonna use the other function, `verify_pass`, and it should return true or false, but we're still gonna get an error, I think. It's still gonna go to error, actually, we'll see. Maybe it's just gonna throw an exception because it doesn't define any matching case, I think that's what's gonna happen. `ArgumentError`, what does that mean? Oh, that makes sense, this thing takes a password and then the password hash. No clause matching `true`, okay. That's a switch case here, `case`, is it `case ... do`? I can't remember what it is. `case ... do`, when it's `true`... there's probably a better way than doing a case here, but okay. `user`, but isn't this just an if-else? I don't know what people do. `error`, and then we're not matching on this at all and then we get the error or something. I think the issue is `user` might be nil, right? Oh, that's also an issue here. No, we're banging, boys, we're banging, we're breaking... exactly, we're just throwing an exception whenever it cannot find a user. That's actually wrong. Good, sure, okay, let's do a hello world. How do I get the error here, though, whatever comes out of here? Well, there's no error coming out of here. "Whatever bro." That's a weird case, but sure, I did it, we're logged in! Well, not really, but let me... fine. If we fill in a different password it should say "whatever bro". Thank you, thank you, far too kind. We're doing stuff, that's great. We're sending... okay, so if... well, we're going back to `new`, we're sending the user back to `new`, that's not what we want. We want to send him back to `login` but with an error message, right? But should this... is this error beyond the... that's all right. We have docs on this too, actually; you know what, we can actually read the docs on this. Where are the docs? Here: `SessionController`, `create`, `authenticate_by_email_password`. We're not that far off, guys, we're not that far off. It's
asking `Accounts.authenticate_by_email_password(email, password)`. Okay: `conn |> put_flash(:info, "Welcome back")`, `put_session`, `configure_session`, `redirect`; otherwise, unauthorized. Oh, we can just do that? Yes, I'm okay with that, actually. If our accounts service is false we just give him back `unauthorized`, bam, and then you can figure out in the controller what that message is gonna be. Now let's do `put_flash`, `put_flash(:error, ...)`, but the error is gonna be `{:error, :unauthorized}`. Did I spell that correctly? Look at this go, chat, we're just building `user_path(conn, :show, ...)`, whatever, bro. Actually, we can just take whatever they did here and steal it. `configure_session`, okay, look at that, boom, doing exactly what they did, we're so pro. If this, then do this, and then we're going back to `session_path`... no, we're going back to `login`, that's what we're gonna do. I'm liking this, I'm liking this, this is looking good. Routes, I think we already have routes included? No, we don't, right. `login_path`, is it `login_path`? I think it's actually `user_path` and then `:login`, because we put it into this shitty thing. All right, let's see if this works, oh my god, I'm so excited. bobross@bobross.com... doesn't exist, I think that user... so you're right, it actually broke on the fact that it couldn't find a user, so we shouldn't have used a bang here. That's the song? Oh, it doesn't actually show the current song. "When you're a guitarist but you listen to lo-fi hip hop"... I'll send it to you. Damn, I thought all along you guys couldn't even know what song was playing, sorry guys, I got jebaited. Okay, so this kind of sucks. Should I pause the music? Then the stream becomes so boring; this streamer, man, I'm so boring. Okay, so: "Takes a password as input and returns a map containing the password hash." Takes a password as input, returns a map containing the password hash. I don't understand one thing, chat: we're hashing our passwords with a salt. Where's our salt? Is the salt literally
the password hash? Is that actually what it is? But somewhere in my application I have to `add_hash`. Wait, let me try something, let me try it, hold my beer, chat, hold my beer. Okay, let's say I create a password, `hashed_password`, which is `Bcrypt.hash_pwd_salt` with "Bob Ross" as my password. Boom, it is hashed. If I want to verify the password... no wait, `check_pass`, `hash_key`: "the key used in the user struct for the password hash". What is the salt? "Salt is random data." What, it is random data? Oh, you're not talking to me, you're talking to Kasia, right, right. And that `Bcrypt.Base.hash_password` function, but where is this stored? Something goes wrong if this is like... I'm really afraid, guys, I'm really confused. Where is this data stored, this salt? It needs to know about this salt somehow, right, during the lifetime of my application, and if I store it in a database and then when I reboot my application the salt is different, it'll be really messed up, right? Because then I can never log in to any of my accounts anymore. I'm a little confused where the salt is. It's random data that gets hashed, but how can it verify the password, then, if the hash is different every time? Like, if I do `verify_pass`, I assume what it's gonna do is hash the password again and then match if it's the same, right? No? Then what is it? Have I been doing this all wrong all along? "You only get a new one every time"... you guys get what I mean, but where is the salt? It's not in memory? If it is in memory, if it's based on time, it's wrong. A new one for every password, yeah, that's fine, but then somehow it knows what salt to use for one password, right? Apparently. If that's the case, like, if I do `Bcrypt.check_pass` with the hashed password, or what did you have to send? What takes... `verify_pass`, which takes the password "Bob Ross" and the hashed password, and it somehow knows what salt to use to
match this string with this value, right? But somehow it knows which salt it is, but I don't know where. If I close my application, will it still be the same? If I exit now, abort, and I reboot, yes, and I do another `hash_password` call, is the hash the same? No, it's not, the hash is not the same. Only the first part is the same, this part seems to be the same. And then when I verify the password, which means that if I verify this password right here, it should also match; it shouldn't really, but it is also true. "Security is fun, right?" But so what? I'm so confused. What I always thought was happening is this: you have some secret, some application secret, right? You have your secret that you're gonna encrypt with, that's your secret. So you're gonna hash with bcrypt or whatever, you hash your... well, it's not encrypt, sorry, it's not encrypt, it is hashing. Very Lars, makes a string "Bob Ross", and it hashes the password with this secret or something, or I pass a secret myself, sure, and then it returns me a hashed password sort of thing which is like blah blah blah, right? I save this in a database, but the secret remains the same, the secret is just somewhere in my environment variables, a secret that I would never change, because if I changed it all my passwords would be invalidated, right? So then I can do `Bcrypt.verify`, which is gonna take the hash, this string like "Bob Ross", the hashed password and then this salt, right, the salt that I used, because otherwise it cannot compare: if this secret is different it's gonna hash this string and it will end up with a different password than the one that is hashed in the database, because the secret is different, so it's encrypted with a different salt, right, to make the password unique. bcrypt: I want to know, I want to know about this. "Based on the Blowfish cipher... The prefix in a hash
string in a shadow password file indicates that the hash string is a bcrypt hash in modular crypt format. The rest of the hash string includes the cost parameter, a 128-bit salt and 184 bits of the resulting hash value." Okay. "Let's say you have a password..." and someone else chooses the same password, they will get... oh, that makes sense: with the same password you would otherwise have the same hashes if you were to use one secret, so to speak. "If your password is stored with a unique salt, then a precomputed password hash table targeting unsalted password hashes or targeting an account with a different salt will not aid in cracking your account's password." Unique salt, yeah, yeah, that makes sense. It needs some sort of common structure, right, some sort of commonality, if that's even a word. The algorithm, boys, here we go, we're going in, we're going in, boys... yeah, I already don't understand, and we're out again. Yep, all right, good story, good story. There must be some sort of video on YouTube about this. Oh my god, I'm using a guest network when I'm streaming, but god, I didn't know YouTube was that bad when you first go here. So now: "bcrypt explained". Oh, you guys can't hear this, I don't think you guys can hear this. How am I gonna show this? All right, let's pull this one out, "bcrypt explained". Can I read the chat right now? How do I stream this? Yeah, exactly, window capture, browser. Oh, it's black, god damn it, so that's not working. Let's do display capture, then; we're capturing my second monitor, you guys are gonna see an infinite loop, guys. Oh no, my main monitor, infinite loop. "...how it protects our users from evil hackers. Hashing algorithms are... it's a very useful property." Yes, yeah, we know about this. "These other hashing algorithms do the same thing, they're all the
same. These two are pretty fast, but bcrypt is designed to be slow, and that's a good thing. It protects our users from evil hackers, because sometimes our databases get compromised. So let's say we have maybe a couple of users, we will call them..." Oh, actually, I know what I can do, hold on, let me remove this later, boys, I know what I can do. I'm gonna watch it with you guys on my main monitor. I lost the window now, okay, completely lost the window. "...and they sign up for our website. Alice is smart: Alice signs up with some random password that she does not use on any other website. Bob, on the other hand, uses a password that he uses on many, many other websites as well. Now, when these people sign up for our website, we have to store their passwords in our database. This is our database, our users database: we have user ID, we have email and we also have password. So when Alice signs up we give her..." yeah, yeah, no, no, this is like a password now. "...plain text, bad, bad, bad, we don't want to do that. Nobody can really guess it; it's nearly impossible to get from here back to the original. In practice, this hash of the password is called a password digest. So let's change this: bcrypt will generate some hash, so it's a much longer string; the hash is probably gonna be around 30 to 50 characters. And now, even though the hacker has obtained this list of passwords and emails, he doesn't quite know what this original password is. He can't take this and then try it, because it's not an actual password, it's just a hash of a password." So far we know this, right. "But even this is not secure enough. What hackers have done is they use what's called a dictionary attack, and what they do is they take a list of
common passwords and they precompute their bcrypt hashes. So for example abc123, letmein, password; they have a very, very, very long list of common passwords and they just generate all the hashes. These are all fake hashes, by the way. And now what the hacker does is he takes these password hashes, the password digests, he compares them with all the ones he has, and if any of them match up, then he knows the original. So this is not completely secure either, for those unfortunate common-password users. So instead of just hashing this directly, what we use is called a salted password. The salt can be anything we want, we will call it... yeah, it's just a string. And the idea of a salt is that instead of hashing the password directly, you hash the password plus the salt, and then you store that instead. So now this will change, I'm making this up again, and this will also change. Even though we're storing abc123, because we combine it with the salt before we compute the hash, this will no longer match." Exactly, so this is all the knowledge I have, this is as far as I knew, this is exactly what I said, right: having a salt, making sure that it's encrypted in a way that only we know about. "One thing I forgot to mention: if the hacker compromises our passwords, he also compromises our salt, so the hacker can take that salt and then generate another..." How does he know... if he gets our salt? "One thing I forgot to mention: if the hacker compromises our passwords, he also compromises our salt, so the hacker can take that salt..." How does that... wait, does anybody know how this is possible? If they find our passwords, huh? Okay, I don't know, actually. "They store the salt with the user." Well, that would be one explanation, but that'll be weird, right? All I'm saying is, if I store my salt in an environment variable on the server, if they compromised my database they probably have the environment variable. "That's true, if
they get onto the..." If I have my database somewhere else and my application knows about the salt but my database does not know about my salt, that's fine. "It's unique for every user, though." Well, that's the thing, right, that's why I think you should have an application secret and then you can also salt per user, I mean, I don't mind doing that. "...another dictionary and then try to get all these common passwords out of our database. However, this is the point where bcrypt becomes especially important. Remember that bcrypt is designed to be slow; because it's slow, creating this dictionary will take a very, very long time. If it was instead a fast hashing algorithm like MD5, the hacker could create this in like an instant, but he can't, because we're using bcrypt; this will take too long to be anything meaningful. So that's the whole reason bcrypt is designed to be slow." This is all the information, really, this is exactly as far as I knew it. I just wanted to understand why, if I go back to the code, why is it that if I kill my application and run bcrypt on a string, I get one string here, I run it again, I get a different hash, and the password for both hashes still works? How's that possible, where is this data coming from? And here we go: bcrypt_elixir, all right, now look at the source code. `hash_password(password, salt) when byte_size(salt) == 29`: the salt must be 29 bytes long. Okay, that's the `Base`, this is the public part, here it is, ladies and gentlemen, here it is... no, it's not. `gen_salt`, `Keyword.get(opts, :log_rounds)`. What is `log_rounds`? "The computational cost as number of log rounds, default is 12." "So bcrypt is only effective because hackers are impatient." I'm still missing something. `:binary.bin_to_list`, `gen_salt`: "The value of the `log_rounds` parameter determines the computational complexity of the generation of the password hash.
Its default is 12, the minimum is 4, the maximum is 31. The `legacy` option is for generating salts with the old `$2a$` prefix; only use this option if you need to generate hashes that are then checked by older libraries." `Base.gen_salt_nif`, all right, let's go back to `Base`, what that is. "Generates a salt for use with bcrypt", makes a random... and the `log_rounds`, the minor... I've never seen this syntax. `nif_error`. "Are you studying this?" No, I'm not, I'm just generally curious. I did study this before; I'm still like, I can't wrap my head around it, I still cannot. `:crypto.strong_rand_bytes`: this is the Elixir... the `:crypto` `strong_rand_bytes`, let's call this, let's see what this does. I just don't get it, then I'm just too dumb for this. `:crypto.strong_rand_bytes`: this, by the way, means that we're not even touching Elixir at this point, we're just touching Erlang, so Elixir compiles to Erlang. I can't remember what this thing is called, but we're not hitting the crypto library like this, though; is there a crypto library, `:crypto.strong_rand_bytes`? It's not a thing? But it's `:crypto`, this is basically from Erlang's crypto. They should have like a `strong_rand_bytes` function: "Generates N bytes randomly uniform 0 to 255, and returns the result in a binary. Uses a cryptographically secure PRNG seeded and periodically mixed with operating system provided entropy. By default this is the `RAND_bytes` method from OpenSSL." All right, there's also the `:crypto` rand seed stuff, and then we get a map back which gives us bits. Okay, I don't know what any of this means, but yes, totally, I like it, sure. I guess I'm still really confused, I'm still really confused. Somehow it knows how to decrypt, and every time the `hash_password` function is called we're calling it with another... what is `hash`? The hash function, `hash_nif(:binary.bin_to_list(password), :binary.bin_to_list(salt))`.
"It's Python, you're not supposed to understand this." But this is not Python, it's not Python, this is Elixir. Sup, Sindra, how's it going, how was your stream, man? `:erlang.load_nif`, the Erlang BIFs, what is this? I'm just diving way too deep, guys, I'm diving way too deep, what is happening? I'm just diving way too deep, this is a bad idea. Well, BIFs is what they're called: "By convention, most built-in functions (BIFs) are included in this module." We're in the `:erlang` module, but we're loading it, so we're looking for `load_nif`: "Loads and links a dynamic library containing native implemented functions (NIFs) for a module. Path is a file path to the shareable object/dynamic library file minus the OS-dependent file extension." What does that even mean? Okay, let's continue. Yo, we're diving way too deep, but I'm really curious. You got three wins in a row, bro? Sup, feeling better yet? Didn't even notice that big Erlang logo. "Notice that on most OSs the library has to have a different name on disk when an upgrade of a NIF is done. If the NIF name is the same but the content is different, the old library may be loaded instead." Okay, that makes sense, but this path is the path to... but this loads in a module like operating-system-specific modules, the .so files and .dll files, I think, hopefully. How did we get here again? Wait, how did we get here again? I think we saw it in here, `load_nif`, yeah: `:erlang.load_nif(:filename.join(:code.priv_dir(:bcrypt_elixir), 'bcrypt_nif'), 0)`. Oh, here we go, we're onto something, oh my god, we're onto something. I want to see the path name: `_build/dev/lib/bcrypt_elixir/priv/bcrypt_nif`. Let's open it, let's open it, go, we're in, we're onto something, guys, holy... oh my god, what is this? It can't be shown because it's a bunch of binary. Where are we? In `deps/bcrypt_elixir`, that's just a native implementation of bcrypt. There's a
C file. "bcrypt... is derived from OpenBSD." Okay, this is the native implementation of bcrypt, so NIF is this native... this is C, right? Yes, a C file, this is it, right, yeah, this is bcrypt, we've got the source of bcrypt, oh Lord. `Blowfish_stream2word`, ciphertext... "You need to accept that I want three games in a row. Anyhow, have a good time, hang out here again. I don't know nearly enough." It's okay, man, it's okay, catch you later, Rosary, thanks so much for stopping by. Okay, we're diving real deep. What is Blowfish? Blowfish is like an algorithm, I think. Blowfish block cipher, oh god, this is something we shouldn't know about, but I'm gonna look just out of curiosity. I'm just looking at it anyway, I don't want to understand, I just want to look at it and be impressed. Look at this, man, nobody's gonna remember this. Okay, I think I've seen... no. All right, so in `priv`, what is this file? Okay, this is the Mac version, I think, the Mac version of the .so file. Click this, what is it? Open it, it opens in my terminal, I get whatever. Okay, `make`, so what's in the Makefile? The NIFs are here, this is the C source, that makes sense, we're loading it. Okay, I think I understand. The Makefile is gonna do library name `bcrypt_nif`, create a `priv` folder and then call `CC` with the C flags and a bunch of flags, with these flags. Okay, sure, whatever, perfect, totally, I'm fine with this, man. I just still cannot really understand what this is. Whatever, need to watch another video, because I don't get it. I get what he explained, I just don't get how... yeah, I don't understand. "It's the system C compiler." Thanks so much, didn't know about that. Is it like a global? If I were to exit this... clang? Oh, I see. Yeah, you can check where something is, where the binary is, right, find binary or executable or something.
`which cc`: `/usr/bin/cc`. Is it lowercase `cc`, or does it not matter? `CC` or `cc`? Yeah, so it's lowercase `cc` as well, it doesn't matter, they decided proper case. "I think clang is just pronounced 'klang', by the way." Really? Those nuts. Clang, it's "see-lang", is it really called "klang"? You pronounce it "see-lang", really? All right, interesting. Yeah, I still don't get it; as much as I want to understand how this works, I still don't understand how this works. But this NIF part is just native, basically calling the actual bcrypt C code: generate the salt based on the log rounds, the computational complexity. Let me Google it on stream. "Hello LLVMers, I just wonder how I can pronounce clang: 'see-lang', 'klang'? If you're pronouncing it..." When was this, 2008? "Klang." We've been pronouncing it "see-lang"... "Next part: a non-text attachment was scrubbed." That's an actual character. Yo, welcome back to the community, thanks so much, Theresa, can we get some love in the chat? Also go give Steph a shout-out, an amazing streamer. Look, that's an actual character, what the... All right, we've been pronouncing it "see-lang" and it's "klang". Wow, that's actually weird, I don't want to think about that, I don't want to know about that at all. Okay, so let's just continue. So `on_load` does `load_nif`, which is gonna call `bcrypt_nif`, which is basically getting this C Erlang-compiled one, which is built by the Makefile, I think. So in here is a Makefile which basically makes an Erlang version; it internally calls this, basically a compiled version of the bcrypt version. Where's that, though? Is that these two? So it compiles this into `priv`, so this is a compiled C file, `bcrypt.c`. Is that correct? Oh yes, that is correct. Shut up, Richie. All right, I think I understand. Okay, but that doesn't
explain everything. That still means that I still have to understand bcrypt before I want to understand how this works, because I will not get the answer to my log rounds complexity question here. `log_rounds`, bcrypt log rounds complexity, recommended rounds of bcrypt. No, I don't want to know what this... "It should use the maximum number of rounds which is tolerable, performance-wise, in your application." Yeah, I think I'll just keep it at the default. All right: "For some concrete numbers, I suggest a reasonable goal would be for password verification/hashing to take 241 milliseconds per password. (I initially wrote 8 milliseconds, which is wrong; it is the figure for a patience of one day instead of one month.) That still lets you verify four passwords per second, more if you can do it in parallel. I estimated that if this is your goal, about 20,000 rounds is the right ballpark." In theory, for my application I can actually probably put this to the highest amount; logging in would take a little longer. Does login take longer? I think so, right? Yeah, login takes longer, yes, I think so too. Oh my god, because, well, I know I'm the only one logging in, so I think I'll be the only one logging in. I wouldn't even know how long it would take. Let's try it out, let's actually try it out: how long would it take if I put in the highest complexity to verify one password? I think we have to put `log_rounds` in the config, and I change that here. Let's put the `log_rounds` to... what was the highest we could get? The highest was 31, yeah. I don't think it knows about config, but I think the config is set in `config.exs` here. Oh, there is a `secret_key_base` already, so is it using this then, or no? I don't know, guys. Okay, part of it was public, so let's see: `log_rounds`, `gen_salt`, `Base`, yeah, let's get the `Base` and then just call this function with our own `gen_salt` with a log of whatever. Okay, let's alias the `Bcrypt`
`Base` and then we call `hash_password` with a password. Okay, let's first create the password: the password is "Bob Ross", that's our password. And if we call `Base.hash_password`: `hashed_password = hash_password(password, ...)`, which takes the password, and then we have to `gen_salt`. `Base.`... this is public, yeah, this is the public one, so I can do `Bcrypt.gen_salt`, calling that with `log_rounds`, so this is the logarithmic complexity, which is gonna be 31 because it's the highest, and then `legacy: false`, which you don't have to pass because I think it's prefilled false, yeah, it's prefilled false. So that is all it takes. `Bcrypt.gensalt` is undefined or private, did you mean `gen_salt`? Wait, I thought I did that, oh, I just forgot the underscore. Oh my god, look how long it takes. Yo, why is it taking so long? Well, it's a 31 complexity. Oh my lord, look at the CPU usage right now, it's trying so hard to solve the password. All right, this is taking forever, it's definitely not 250 milliseconds. Will it ever finish? I don't know how long it's gonna take. 99 percent, 100 percent. "Are you programming your kickboxing?" No, please, I'm not kicking anymore, guys. All right, I don't think this is ever gonna finish, abort. All right, we're good, let's try it again. Alias `Bcrypt` again, let's figure out how slow it is when we lower the thing a little bit; the normal default is 12 everywhere. Do password "Bob Ross" again, but let's first just do `Bcrypt.Base.hash_password("Bob Ross", Bcrypt.gen_salt(...))`. Okay, twelve, let's start with twelve. That's just pretty easy, that's really fast. Eighteen: four, five, six, seven, eight, nine, ten, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, Jesus. Okay, this already took about 21 seconds to generate a password hash, and then if I want to validate that password, that will be `check_pass`, which I think is a private one, right? Let's say
`Base.checkpass_nif`, which is gonna be exactly this: I'm gonna take "Bob Ross" and then this stored hash, which is this crazy hash right here. Three, four, five, six, seven, eight, nine, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21. That was correct, that is true, yeah; so if it's zero it's true, and if it's something else then it's false. Okay, so a complexity from 12 to 18, which is 5 up, basically went from maybe 100 milliseconds to 20 seconds to hash a password. This took like seven hundred milliseconds or something, that took like one and a half or two seconds. It went from 2 to the power of 12 iterations to 2 to the power of 18; there's a lot more in 2 to the power of 18, it's quite a bit more. How much was 2 to the power of 31? That's just unusable, Jesus, it goes through this amount of iterations. Yeah, I just don't understand, I still don't understand this, but it's definitely interesting. "That's like Mex-in territory in C, probably." Yeah, could be. "What programming languages do you know?" The ones I've worked with are PHP, Ruby... now that I'm thinking about it, it's all super dynamic languages: PHP, Ruby, JavaScript, Elixir. The more I start talking about this, the more random it gets. "I'm sitting in bed before I pass out on my keyboard, good night." Good night, everybody, thanks so much for stopping by. Kosi, how are you doing, man? Okay, so in theory I could actually crank this up a little bit, the config, I could turn up the config and set it to, I don't know, I could probably set it to 15. Was 15 fast enough? One to two seconds... three seconds to log in is probably too slow, right? I think 14 is still fine, like about one second to log in, that's all right. That's just to create the hashed password, and then if I wanted to check that password, the hashed password, I took something random and then it took about one second, yeah, the time should be about doable every time. "What do you mean by
boy oh you guys going to sleep as well good that step thank you so much for stopping by submerge sheet good night everyone increase increase will double the time yeah yeah yeah that makes sense [Music] thank you for spreading your wisdom well you were going to bed no so when you went to bed everybody went to bed so I said have a good night and pass out on the keyboard oh wait I was reading wait which is all good I should go to bed though cuz I got work but let me commit my code and then go to bed okay we learned a lot today we're learned of a bcrypt that I still don't understand how to it works right now wishing you good day night now I go baited alright alright we learned today [Music] how in the shitty way possible we could set this up what is working which is all that matters we didn't really split up our domains well enough but that's okay it's working do I really need to come on in actually let me check do we really need this isn't just be crypt enough mix make steps get ha my name is still in there okay and I'm awkward I don't condone con artists cowboy yeah men cowboy I can remember what that's for actually okay I think that's a web server the cowboy web server yes simple fast small fast HTTP server for urlan elbow is a small fast and modern HTTP server that's what it is it's a tiny web server small and fast sounds familiar feels bad man my life um okay okay okay okay okay sure sure um [Music] here we add Docs here you know what let's commit this and go to bed let's do it oh this thing still breaks this one still breaks let's check this it's doing really nasty and super imperative instead of doing it the right way so the mixer just made mint oh what the fun three days ago oh right cursive I was gone mean is a low-level HTTP client that aims to provide a small and functional core that others can build on top of Mina's connection based each connection is a single struct with an associative socket belonging to the process that started the connection there's no 
extra processes are started for the connection you can choose the process architecture that better fit your application okay I don't think my version has this is I'm a pretty old version let's see let's say Mint is defined I mean wait that mean means is there wait let's try this yeah I think I can just do Yolo bit below and it was yeah that's what I thought it doesn't actually mean that the modules there yeah he's not exactly my my version is a benching and image image manager been doing this today waiting for three hours love Connor has a gun cool that's nice men may seem comfort cumbersome to use the most other interval areas you used to and it's true in many ways but we're providing a low level API without determined process architecture good uses for mint is gems stage the specification for exchanging events between producers and consumers and yeah I don't know I don't what any of this I'm pretending that I do but I actually don't I do what they talked about before I don't know what the benefit is big this part I still don't know like I mean I get the there's probably gonna be a lot of libraries building on top of this now but I don't know what the alternative is I guess air lungs thing which is out boy it's probably what a lot of people like I literally just googled to cowboy it's like every single time you do your programming something that's just what you do you search for cowboying and you realize that that's just a way to generic search and then you find something there's like searching for a lick sir we're probably not well it probably find the language for me because I'm a dad but it used to always give me other Oh it started like googling elixir images and then you will just get the random elixir yeah cuz I wanted to show the language same for Ruby I think I think you might not you might get the language yeah you do [Music] you just be happy for once to see me it's weird man effective BAM first version of Minh just has just been released an experimental 
library trying to try a new approach to building HTTP libraries so don't expect a full stable API yet cool that's exciting though the optimal an optimal number of rounds will change with your processor ideally you would benchmark how long it takes on your processor and choose the number accordingly I want to try something it shouldn't it shouldn't work [Music] yeah it shouldn't work should it work nothing you should alright let's try it if I hash a password Bob Ross no actually when I when every treif the password here again the hash net no the check NIF which is in bass over here check pass check pass check check a sniff what does it even do I guess no I don't understand what the is this what the heck whatever okay so we do some sort of like binary comparison here but I know Farah fine I don't know what this does I go here and it's just two methods [Music] but this one doesn't have an implementation I don't know what that means this one also has that anything with Knuth is this is that just forward forwarded forward it to like means it pass this is true so it goes to the next one which is also the same so this is just for documentation purposes they're saying you can either do this what are you gonna on theory you could just send anything mm yeah okay to make sense but then it does NIF error not loaded which is not true only when these are empty [Music] I don't get it maybe because your load the nippon airline it will just [Music] they've a load this NIF let's do this I think it's already loaded a support first [Music] yeah let's Lotus nish [Music] it's not mesh if library your module name elixir bcrypt base right okay I see I get it now I get it now I get it now no no okay I get it dip the compound's version or the Erlang compiled version that was in the dependencies here geez I'm learning so much about internals even though I don't even know the basics we're just going deep into the okay let's go back to bcrypt by that [Music] no wait this wasn't a folder that 
wasn't right was I I was in a different folder oh here lick surges or cats naps because here this is where I was but there's also a build folder which contains the beam the elixir record beam stuffs that's the Erlang stuff what is this didn't you like me to work in the morning yeah yeah but I'm just Alma I want to understand what I understand what this is [Music] but that's true I really should go to bed right because early sir if we go through that make file we were compiling [Music] yeah so we're compiling something for early or using Erlang I don't know what to flag the C flag is but we're passing the Earling path through it so I assume that it's like compiling an Erlang library with the seat lying inside that then uses the same nice namespace as this because when I imported it you could see that it's not matching the same name right so it's saying I want to load this Erlang NIF inside of the global scope but the library module name is bcrypt base so this can only be imported inside beaker face which is exactly here right goodnight have fun tomorrow you'll cancel a judgement thank you so much for stopping by do you enjoy tomorrow as well enjoy your sushi man [Music] so it's it's loading an if foul or erlang that has its own module prefix elixir be curd base because everything in lick sir on the Erlang namespace its prefixed with elixir when it comes when it's based when it's built by elixir so in order for us to use it we would need to if we were to make an ER Lang module that we want to include we would need to prefix it with a lick sir then match it with this so this library has a module which implements this check pass NIF and if you don't pass anything it will trow an affair not loaded so we would need to know what that compiled version looks like i wish i don't even know how you do that is it in here [Music] see sources in here check ass oh here it is but it's coming from C Erlang NIF funk this is a C NIF or Erlang because look here check fast Erlang NIF in 
it here it is Erlang NIF in it elixir base and in the NIF functions here which is narrating [Music] of ashes which then maps versus a tuple or something I don't know what this is gents Alton if these are native implementations but this just passes I get it we did a so this is checks the native bcrypt if which is the BiPAP bcrypt check past this one which is going to do all this and it's taking the arguments from the Erlang environment I [Music] want to see the complexity though oh no that's not in check pass check pass it is in then salt that's where it is the inside gin salt we take complexity blog rounds here why am I even doing this big rip in its salt yeah so here checks if it's bigger than 31 then use 31 so you can Theory still past 500000 it would just like go back to 31 and into into this salt plus 7 and it would start with the prefix [Music] is this printf what is this right 4-minute output this size buffer yeah I don't know what that a this means and then the basics Franco which is gonna do this every time no it's calling itself or not whereas is using these law grants salt bcrypt salt space plus one so this is the salt plus 1 and in this string that it needs to format 2 and you have minor which is an end [Music] wait this is doing a lot more ash bass [Music] oh my god I'm supposed to be in bed already but I'm learning so much ridiculous corby q-function yeah here it is oh my god what am I looking at what am I looking at like a kid in a candy store I want to figure it out computer power does not Inc doesn't increase linearly to to the power of X should be fine not willing to leave because he's finding all new exactly I'm such a nerd man oh here we're hitting Blowfish [Music] what is this men what am I even looking at [Music] [Music] and him tamara's I it's I'm so tired that's bad time yeah I'm just looking at all these I'm so like flabbergasted by this what is this this is the hash pass and if it did finish it returns zero otherwise minus one [Music] you 
keep going you one remember oh that's not true that's not true alright yeah let's call it let's commit this code we got something working but got like semi basic login working except for the fact that when the user is not there it's it fails but you know if the user is there that it works let's see repo just wrote cats that repo about all those drug cats accounts user you have two users let me just search for a user that actually exists then the login actually works one two three four five six password plug-in you're logged in beautiful that's a login again I might pick a user it doesn't exist it breaks that's okay we'll fix that we will fix that don't want to commit this probably let's commit this oh if we cannot find a user we should also return this we can actually easily fix that instead of the bang we get nothing okay how do we how come you do that I can just do a simple yeah but I don't want to keep that code this is really shitty code which is fine if no user do but I think this works alright it's really shitty code but it's fine I think I think it's alright shape doesn't work each user and user pages are undefined module I don't know it is and less is there unless when we get theirs in less elixir it's really then I'm just making it super imperative acecomm tons if unless if do unless uh-huh and last huh do this and return how do I return [Music] returned elixir [Music] [Music] scheisse oh this is so bad guys [Music] this is like you just cannot do imperative in his language that's just not how that works they just like they just like make you say just stop you from doing it okay whatever this is gonna break too when the user doesn't exist this is gonna baby nil let's just do it okay whatever Ches user do nest of case no this if nil this is not how you should do these but I'm doing it anyways otherwise what is this [Music] it should work it doesn't work it doesn't compel nested nested case elixir boy did you really gotta go to bed this is not good all right 
all right let's just commit it as if my everything is fine even though it's not we know that it's a bug it's fine it's whatever for a minute get done with it add first implementation of log in there there's a bug in this code if the user cannot be found it breaks done publish alright thank you guys for stopping by if you're under YouTube's or for dive deep diving into the bcrypt implementation but we learned a lot we're gonna continue this later we walk through the steps that were needed to in order to build and log in and we kind of did what we need to do so that's good thanks guys
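The stream ends with two open items: the login crashes when no user matches the email, and the bcrypt cost (log_rounds) was picked by feel rather than measured. The script below is an added example, not code from the stream or from the bcrypt_elixir project. It assumes bcrypt_elixir (Bcrypt.hash_pwd_salt/2, Bcrypt.verify_pass/2, Bcrypt.no_user_verify/1) pulled in via Mix.install, which needs Elixir 1.12+ and a C compiler for the NIF; the DemoAuth module, its in-memory user map and the sample credentials are constructed for the example. It also goes one step past the stream: when the email is unknown it still runs a dummy bcrypt check so the "no such user" and "wrong password" paths take about the same time, which keeps the login from confirming which emails exist.

```elixir
# Added example (not the stream's code): lookup-then-verify login that does not
# crash on a missing user and does not leak "user exists" via response timing.
# Assumes the bcrypt_elixir library; user store is a constructed in-memory map.
Mix.install([{:bcrypt_elixir, "~> 3.0"}])

defmodule DemoAuth do
  # Work factor 2^12; each +1 doubles the hashing time.
  @log_rounds 12

  # Constructed sample users. In the Phoenix app this would come from the
  # Accounts context (e.g. a get_user_by_email/1 lookup) instead of a map.
  def users do
    %{
      "bob@example.com" => %{
        email: "bob@example.com",
        password_hash: Bcrypt.hash_pwd_salt("123456", log_rounds: @log_rounds)
      }
    }
  end

  # Returns {:ok, user} or {:error, :invalid_credentials}.
  # `with`/`else` replaces the nested case / if nil from the stream. A missing
  # user still pays for one bcrypt run (no_user_verify) so both failure paths
  # cost roughly the same, and the same error is returned for both.
  def login(store, email, password) do
    with %{} = user <- Map.get(store, email),
         true <- Bcrypt.verify_pass(password, user.password_hash) do
      {:ok, user}
    else
      nil ->
        Bcrypt.no_user_verify(log_rounds: @log_rounds)
        {:error, :invalid_credentials}

      false ->
        {:error, :invalid_credentials}
    end
  end

  # Time one hash at a given cost, in milliseconds, so log_rounds can be picked
  # for the CPU that will actually serve logins rather than guessed.
  def bench(log_rounds) do
    {micros, _hash} =
      :timer.tc(fn -> Bcrypt.hash_pwd_salt("benchmark", log_rounds: log_rounds) end)

    {log_rounds, div(micros, 1000)}
  end
end

store = DemoAuth.users()
{:ok, _user} = DemoAuth.login(store, "bob@example.com", "123456")
{:error, :invalid_credentials} = DemoAuth.login(store, "bob@example.com", "wrong")
{:error, :invalid_credentials} = DemoAuth.login(store, "nobody@example.com", "123456")

for rounds <- [10, 12, 14] do
  IO.inspect(DemoAuth.bench(rounds), label: "{log_rounds, ms}")
end
```

Run it with `elixir auth_demo.exs`. The three pattern matches at the bottom fail loudly if the login behaves differently from what the comments claim, and the bench loop prints one line per cost so the doubling per step is visible on the machine that runs it; pick the largest cost whose time is still acceptable for a login, and set it once in config (`config :bcrypt_elixir, log_rounds: N`) rather than hard-coding it in several places.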
Info
Channel: JustCodeCats
Views: 2,644
Rating: 4.7037039 out of 5
Id: M4-nO3DG83E
Length: 202min 57sec (12177 seconds)
Published: Sat Mar 02 2019