DEV Community

danielpdaniel

Flatiron Phase 4 Blog

As I’ve made steady progress on my phase 4 project, I’ve continually come back to questions about online safety as it relates to my project and web development in general. My app is called “Take a Hike” and is meant to function as a sort of activity log for hiking enthusiasts. Users can add trails to the database as well as create their own hike entries that correlate to those trails. Initially I imagined more of a social aspect to this, with users being able to follow or become friends with each other, but as I get closer and closer to submitting the project, this feels more and more like a stretch goal that I won’t be stretching for…

Part of this is of course in the interest of saving time and effort. I’m now well past the “blue sky thinking” phase of this project, and implementing more features and further complicating the database structure with more tables feels like something to worry about after my assessment, if at all. More than that, though, are my apprehensions about adding such features to an app that incorporates users’ real world locations. I would probably feel uncomfortable tweeting that I was alone on a specific, remote hiking trail, so why would I make a similar course of action one of the main features of my app?

This has led me to think a lot about the nature of online safety and social media, especially with applications specifically geared towards outside activity or location based events. Where is the line between a user’s responsibility to protect themselves and a programmer’s responsibility to protect their users? I do think there are many cases where the responsibility of user protection clearly falls on the programmer’s shoulders. For example, I could place the responsibility of using a unique password for my app on the users, so that if their password is leaked, it wouldn’t affect the security of any of their other accounts on different applications, but this isn’t really realistic just given the way people tend to use and reuse passwords for convenience and easy memorization. Instead I’ve opted to use the BCrypt gem to avoid saving any plaintext passwords to my database.

```ruby
create_table :users do |t|
  t.string :username
  t.string :password_digest
  t.string :avatar_image
  t.string :about

  t.timestamps
end
```


The setup for my users table, which uses a :password_digest instead of a :password column to work with the BCrypt gem.

```ruby
class User < ApplicationRecord
  has_many :hikes
  has_many :trails, through: :hikes

  has_secure_password
  validates :username, uniqueness: true
end
```

My user model, which includes a has_secure_password macro to save a hashed, salted :password_digest string to the database instead of a plaintext password.

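```ruby
def create
  user = User.find_by(username: params[:username])
  # Safe navigation (&.) covers the case where no user has that username.
  if user&.authenticate(params[:password])
    session[:user_id] = user.id
    render json: user, status: :created
  else
    # Same message for an unknown username and a wrong password.
    render json: {error: {login: ["Invalid username or password"]}}, status: :unauthorized
  end
end
```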


The create method in my sessions controller that handles login post requests. The .authenticate method hashes the :password submitted with the request using the salt stored in the user's :password_digest and checks that the result matches the stored digest.
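What a salted digest check like .authenticate does under the hood, as an added example (not code from the original post). PBKDF2 from Ruby's standard library stands in for bcrypt so the block runs without gems; the ToyDigest module, its digest format and the sample password are assumptions made for illustration.

```ruby
require "openssl"
require "securerandom"

# Hypothetical stand-in for the digest has_secure_password stores.
# PBKDF2-HMAC-SHA256 replaces bcrypt here so no gem is needed.
module ToyDigest
  ITERATIONS = 50_000 # work factor (assumed value for the demo)
  KEY_LEN = 32

  # Returns "pbkdf2$<iterations>$<salt hex>$<hash hex>".
  # The salt and work factor travel with the hash, as in a bcrypt digest.
  def self.create(password, salt: SecureRandom.random_bytes(16))
    hash = derive(password, salt, ITERATIONS)
    ["pbkdf2", ITERATIONS, salt.unpack1("H*"), hash.unpack1("H*")].join("$")
  end

  # Re-derives the hash from the candidate password using the salt and
  # work factor stored in the digest. Nothing is ever decrypted.
  def self.authenticate(digest, candidate)
    _scheme, iterations, salt_hex, hash_hex = digest.split("$")
    salt = [salt_hex].pack("H*")
    expected = [hash_hex].pack("H*")
    secure_compare(derive(candidate, salt, iterations.to_i), expected)
  end

  def self.derive(password, salt, iterations)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations,
                             length: KEY_LEN, hash: "sha256")
  end

  # Compares every byte so timing does not reveal where a mismatch occurs.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed sample data: two users who reuse the same password.
alice = ToyDigest.create("trailmix123")
bob = ToyDigest.create("trailmix123")
puts alice
puts "digests differ: #{alice != bob}"
puts "correct password: #{ToyDigest.authenticate(alice, 'trailmix123')}"
puts "wrong password:   #{ToyDigest.authenticate(alice, 'trailmix124')}"
```

Because each digest carries its own random salt, a leaked table does not show which users share a password, and each digest has to be attacked separately.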

There are many other cases like this where it is clearly up to the programmer to protect their app’s users, but I think there are also situations where those lines become more blurred, especially with social media. Sharing your location on a hiking app could lead to some scary situations if a stalker were to take advantage of that information, for example, but not allowing any location sharing at all would hamper the experience of sharing posts about the hikes you’ve gone on. Things get even more complicated when you consider that people can also get lost or injured on hikes, in which case it could actually be helpful to have a record of where they’ve been, even if it’s just to figure out a range of where they might be. So, should we plan for the best or the worst case scenarios? Does protecting users come at the cost of limiting their freedoms to do what they want? Should the internet world and the physical world be kept separate as much as possible to prevent these kinds of situations altogether? Or are we too far past that point given how ever present the internet is in our lives already?

I don’t really have the answer to any of these questions, but they’ve been on my mind nonstop throughout the process of working on this phase’s project. I imagine that these concerns only grow in volume and complexity as you work on bigger projects that handle more things for more users. It all makes me a bit nervous, if I’m being honest, to have that kind of responsibility and try to plan for it all. But my hope is that as I continue on in my coding journey, I will gain the necessary experience and insights to make these quandaries a little easier. I think safety will always be a balancing act of protection and security with freedom and usability, but hopefully in time that balancing act will feel more and more intuitive.
