Implementing Authentication

To build a secure implementation of authentication (https://plate.atlassian.net/wiki/spaces/DOCS/pages/30212169) in a theme or site, follow this checklist, and make sure you implement and test every step correctly.

If you have any questions, feel free to ask a question in the community, or submit a ticket if you think you encountered a bug.

  1. Ensure that your Plate level is set to Advanced.

You can do this in your user settings.

  1. Create an authentication type 

  1. Implement a theme file for the required authentication action:

Always implement the bare minimum actions: 'login', 'logout', 'request_password_recovery', 'recover_password' and 'edit'.

If you want to allow visitors to register independently, also implement the 'new' action.

Check the documentation at https://plate.atlassian.net/wiki/spaces/DOCS/pages/30212169 to see which theme files and tags should be implemented for each action.

  1. Ensure that each post that requires authentication for this authentication type implements the authenticate tag.

For example, if the authentication type has a plural name of "dealers", ensure that every page that requires authentication has the following snippet in its theme file:

{% authenticate "dealers" %}

The pages where the https://plate.atlassian.net/wiki/spaces/DOCS/pages/20578686 tag is implemented should always require authentication.

  1. Ensure that there is a clear way to access the login page for this authentication type.

See the authentication liquid object documentation for info on how to access the login URL. Hint, it's:

<a href="{{authentication.authentication_types.dealers.login_path}}">Login</a>

  1. Ensure that the login page is not implementing the authenticate tag.

Otherwise visitors will have to log in in order to log in. You will get an endless loop; trust me, you will notice.

  1. Implement the rendering of 

properties. 

Put {{authentication.current_dealer.email}} in your header for example.

  1. Try to break your authentication implementation

  • Create an account on your own site

  • Try to log in

  • Try to access "secure" pages. (You should be able to access them)

  • Try to log out

  • Try to access "secure" pages when logged out. (You should fail to access them)
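
The two authenticate-tag steps above (every protected page carries the tag, the login page does not) can be checked mechanically before you test by hand. The following is an added example, not Plate's own code: the template names and contents are constructed, and it assumes standard Liquid syntax for whitespace control and for comment/raw blocks.

```python
import re

# {% authenticate "dealers" %}, also with whitespace control ({%- ... -%})
# and single quotes (assumption: standard Liquid syntax applies).
AUTH_TAG = re.compile(
    r"""\{%-?\s*authenticate\s+(["'])(?P<name>[^"']+)\1\s*-?%\}""")
# Tags inside comment/raw blocks are never executed, so they protect nothing.
INERT = re.compile(
    r"\{%-?\s*(comment|raw)\s*-?%\}.*?\{%-?\s*end\1\s*-?%\}", re.S)


def guarded_types(template):
    """Return the authentication types a template actually enforces."""
    live = INERT.sub("", template)
    return {m.group("name") for m in AUTH_TAG.finditer(live)}


def audit(templates, auth_type, protected, login_page):
    """Check a {name: source} mapping; return a list of (name, problem)."""
    findings = []
    for name in protected:
        if auth_type not in guarded_types(templates[name]):
            findings.append((name, "missing authenticate tag"))
    if auth_type in guarded_types(templates[login_page]):
        findings.append(
            (login_page, "login page requires login (redirect loop)"))
    return findings


# Constructed sample theme files (hypothetical names and contents).
SAMPLE = {
    "price_list": '{% authenticate "dealers" %}\n<h1>Prices</h1>',
    "order_form": "{%- authenticate 'dealers' -%}\n<form>...</form>",
    # Tag is commented out, so this page is effectively public.
    "downloads": '{% comment %}{% authenticate "dealers" %}'
                 '{% endcomment %}\n<ul>...</ul>',
    # Login page wrongly carries the tag.
    "dealers_login": '{% authenticate "dealers" %}\n<form>...</form>',
}

if __name__ == "__main__":
    protected = ["price_list", "order_form", "downloads"]
    for name, problem in audit(SAMPLE, "dealers", protected, "dealers_login"):
        print(f"{name}: {problem}")
```

A clean result here only shows that the tags are in place; the manual logged-in and logged-out checks in the last step are still needed.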