Sears and Kmart Community

mySears Community, the place to go to get questions about your appliances and products answered.

The pitch

The Sears and Kmart Community is a place where customers can go to get their questions answered by product experts – whether it is about that weird noise their dryer is making, or just a simple question about that TV they’ve had their eye on after seeing it in a weekly ad.  The Community also gives a customer the perfect opportunity to not only get their questions answered, but weigh in on another customer’s questions, read up on what is new in whatever field interests them, or find information about the products they are interested in.

The nitty gritty

The Community sites sit on an nginx/MySQL stack with WordPress Networks doing the heavy lifting.  The sites boast well over 1.5 million users, and the ability to add many more through Sears and Kmart single sign-on, as well as Facebook, Yahoo, and Google single sign-on connectivity.  This site syncs all user information across all Sears websites, allowing a returning user – regardless of which web property they visit – to sign on without going through a new user registration.  As I said above, this site uses networks, and shares many common elements – including themes, database tables, and plugins – all on one system.

This site utilizes a revolutionary “Section Front” implementation – created by Eddie Moya - allowing site editors the ability to create custom category pages with an easy to use and fully customizable click and drag interface.

Hash Authentication

The Hash Table generated using this method of authentication.

After coming across this article on Reddit today and chatting with a good friend and colleague about the benefits and issues of the authentication method outlined by the author, we both came to the conclusion that we were not fans of the way the author handled the hash table comparisons for users, so I decided to work on it a little bit at home and try to make it better.

Before I go into details, here are the database tables I created to get this authentication to work:

mysql> DESCRIBE hashes;
+-------+-------------+------+-----+---------+-------+
| Field | Type        | Null | Key | Default | Extra |
+-------+-------------+------+-----+---------+-------+
| hash  | varchar(64) | NO   | PRI | NULL    |       |
| salt  | varchar(64) | NO   |     | NULL    |       |
+-------+-------------+------+-----+---------+-------+
2 rows in set (0.01 sec)

mysql> DESCRIBE users;
+----------+-------------+------+-----+---------+----------------+
| Field    | Type        | Null | Key | Default | Extra          |
+----------+-------------+------+-----+---------+----------------+
| uid      | int(11)     | NO   | PRI | NULL    | auto_increment |
| username | varchar(30) | NO   |     | NULL    |                |
| hash     | varchar(64) | NO   |     | NULL    |                |
| salt     | varchar(64) | NO   |     | NULL    |                |
+----------+-------------+------+-----+---------+----------------+
4 rows in set (0.00 sec)

I made the hash field in the hashes table the primary key, so it is indexed, to allow quicker searching through the table and to alleviate the problems we might run into if that table becomes very large. Without the user’s password there is no connection between these two tables, because the password is required to generate the value stored in the hash column of the hashes table. Creating a user would happen like so:

// note, this uses my database class, which can be found at http://code.imyourdeveloper.com/database.txt
function create($applicationSalt, $user) {
	GLOBAL $db;

	//generate salts (one per table; sha256 hex output is 64 chars, matching VARCHAR(64))
	$userSalt = hash("sha256", $applicationSalt.rand().time());
	$hashesSalt = hash("sha256", $applicationSalt.rand().time().$applicationSalt);

	//generate hashes: the users row is salted with the hashes salt and the hashes row
	//with the users salt, so neither row can be derived from the other without the password
	$userHash = hash("sha256", $applicationSalt.$user->password.$hashesSalt);
	$hashesHash = hash("sha256", $applicationSalt.$user->password.$userSalt);

	//create queries (username comes from user input and must be escaped with the
	//database class before it is interpolated here; the hashes and salts are hex and safe)
	$userQuery = 'insert into users (uid, username, hash, salt) values (null, "'.$user->username.'", "'.$userHash.'", "'.$userSalt.'")';
	$hashQuery = 'insert into hashes (hash, salt) values ("'.$hashesHash.'", "'.$hashesSalt.'")';

	//run queries
	$db->query($userQuery);
	$db->query($hashQuery);
}

This was a little bit of a pain, and took some staring at my monitor to wrap my head around, trying to remember what went where, but I eventually got it working. The application salt is the secret salt set in the application that you use to salt data going to the database, and $user carries whatever data you want to write about the user to the database, here the username and password. Each hash combines the application salt, the user’s password, and one of the two random salts: the hash in the users row is salted with the salt stored in the hashes table, and the lookup hash in the hashes table is salted with the salt stored in the users row. When the user types in a password, the application hashes it with the application salt and the salt from the users row, looks that hash up in the hashes table, recalculates another hash using the randomly generated salt from the matching hashes row, the user’s password, and the application salt, then compares that with the hash in the users table. If this matches, then the user is who he says he is, and is logged in. This happens like so:

function lookup($applicationSalt, $user) {
	GLOBAL $db;

	//username comes from user input and must be escaped with the database class before use here
	$userLookup = $db->getObj('select * from users where username = "'.$user->username.'"');
	if (!$userLookup) {
		return false; // no such user
	}

	//forward step: rebuild the lookup hash from the users salt and find its row in hashes
	$check = $applicationSalt.$user->password.$userLookup->salt;
	$hash = hash("sha256", $check);

	$hashesLookup = $db->getObj("select * from hashes where hash = '$hash'");
	if (!$hashesLookup) {
		return false; // wrong password: no hashes row matches
	}

	//reverse step: recompute the users hash with the salt from the hashes row; hash_equals()
	//(PHP 5.6+) compares in constant time and avoids == type juggling on hex strings
	if (hash_equals($userLookup->hash, hash("sha256", $applicationSalt.$user->password.$hashesLookup->salt))) {
		return true; // logged in
	} else {
		return false; // login failed
	}
}

This may not be a perfect implementation of this code, but I wasn’t a fan of the way it was being handled in the other article, and this was a neat little problem to work on, so expect updates in the future. The mathematical probability of being able to brute force the user’s password was astronomically low before, but it was nothing more than a one-way relation. This way, you not only need to brute force the user’s password to go one way (towards the hashes table), but the password you get is likely not going to work, as another hash is checked going in reverse, ensuring the only string that is accepted is the user’s.
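To check the round trip end to end, here is the same two-table scheme ported to Python against an in-memory SQLite database. This is an added example, not the post’s code or its database class: the table layout and the hash inputs (application salt, then password, then salt) follow the post, the application salt, usernames and passwords are made up for the demo, and it swaps in three hardening choices the PHP above leaves open: salts from secrets.token_hex (a CSPRNG) instead of rand().time(), parameterized queries instead of string interpolation, and hmac.compare_digest for the final comparison.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Constructed application secret for the example; a real deployment keeps this
# out of the database and out of the code repository.
APPLICATION_SALT = "example-application-salt"


def make_db():
    """Create the post's two tables in an in-memory SQLite database."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users ("
        " uid INTEGER PRIMARY KEY AUTOINCREMENT,"
        " username VARCHAR(30) NOT NULL UNIQUE,"
        " hash VARCHAR(64) NOT NULL,"
        " salt VARCHAR(64) NOT NULL)"
    )
    db.execute("CREATE TABLE hashes (hash VARCHAR(64) PRIMARY KEY, salt VARCHAR(64) NOT NULL)")
    return db


def sha256_hex(*parts):
    """sha256 over the concatenation, mirroring PHP's hash('sha256', $a.$b.$c)."""
    return hashlib.sha256("".join(parts).encode("utf-8")).hexdigest()


def create(db, application_salt, username, password):
    """Insert the cross-salted pair: users.hash uses the hashes salt, hashes.hash uses the users salt."""
    user_salt = secrets.token_hex(32)    # 64 hex chars, fits VARCHAR(64)
    hashes_salt = secrets.token_hex(32)
    user_hash = sha256_hex(application_salt, password, hashes_salt)
    hashes_hash = sha256_hex(application_salt, password, user_salt)
    with db:  # both inserts commit together, so a user never exists without its hashes row
        db.execute("INSERT INTO users (username, hash, salt) VALUES (?, ?, ?)",
                   (username, user_hash, user_salt))
        db.execute("INSERT INTO hashes (hash, salt) VALUES (?, ?)",
                   (hashes_hash, hashes_salt))


def lookup(db, application_salt, username, password):
    """Forward step into hashes, reverse step back to users; True only if both agree."""
    row = db.execute("SELECT hash, salt FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        return False                      # unknown user
    user_hash, user_salt = row

    lookup_hash = sha256_hex(application_salt, password, user_salt)
    hashes_row = db.execute("SELECT salt FROM hashes WHERE hash = ?", (lookup_hash,)).fetchone()
    if hashes_row is None:
        return False                      # wrong password: no matching hashes row
    hashes_salt = hashes_row[0]

    candidate = sha256_hex(application_salt, password, hashes_salt)
    return hmac.compare_digest(user_hash, candidate)   # constant-time comparison


def demo():
    """Register one user and exercise the success and failure paths."""
    db = make_db()
    create(db, APPLICATION_SALT, "alice", "correct horse battery staple")  # constructed credentials
    return {
        "right_password": lookup(db, APPLICATION_SALT, "alice", "correct horse battery staple"),
        "wrong_password": lookup(db, APPLICATION_SALT, "alice", "Tr0ub4dor&3"),
        "unknown_user": lookup(db, APPLICATION_SALT, "bob", "correct horse battery staple"),
        "wrong_app_salt": lookup(db, "some-other-salt", "alice", "correct horse battery staple"),
        # parameter binding keeps a classic injection payload from matching any row
        "injected_username": lookup(db, APPLICATION_SALT, 'alice" OR "1"="1', "anything"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'logged in' if ok else 'login failed'}")
```

The example keeps the post’s plain SHA-256 so the round trip matches the PHP exactly; what it does not change is that the hash function is a fast one and the application salt is a shared secret, so both the salt and the database need to stay out of reach of the same attacker for the second check to add anything.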

If you have any better ideas of how to implement this, please feel free to post it below. Click here for a full version of the code above.

Kenmore Connect

A couple of months ago, I was lent out to the Ruby team here at Sears to help them with the Kenmore Connect project; a project that was, at that point, running a bit behind and needed a bit of help.  I’ve had some experience with Rails in the past, and I didn’t have a whole lot on my plate at the time, so I was chosen as the person that could probably help the most.  My role was primarily front-end, dealing with heavily responsive HAML/SCSS and a whole lot of jQuery, but I did do some work with Rails – including building some device-based helpers that determine what environment is being used on page load.

I am not terribly proficient with Rails, as I haven’t had much of a chance to work with it in any real projects; but it is projects like this that make me want to pick it up and run with it, as it is a very fun language to work with.

The coolest bits of this project

There were a few firsts for me in this project.  The coolest by far was probably the responsiveness of the site.  We had to create everything while keeping a responsive design in mind – that is, always thinking about the desktop view, tablet view, and mobile view.  This kept us on our toes and resulted in an amazingly usable site, no matter the device you are using it on.  Also, I’ve never worked with HAML/SCSS, and this project opened me up to the amazing possibilities of programmatic CSS.  It really seems like a huge piece of the CSS engine that is just missing.  Just the ability to set and use variables was a godsend, and really made it incredibly powerful.

Kenmore was an awesome client, and this was an awesome project.  It really makes me look forward to rails work in the future, since the language is incredibly fun to write and work with.

Happy coding!

The most interesting project of my career.

I just finished what is probably the most interesting project of my career thus far.  This project involved a lot of work with responsive HAML/SCSS, a slew of jQuery, and a hefty serving of Ruby on Rails.  I was brought onto the project a little late, as it was running behind and absolutely needed to launch on time.  I started on it about a month and a half ago.

My role was mostly front-end oriented with HAML/SCSS/jQuery with only a bit of Rails work required of me, but I took the opportunity to get more comfortable with Rails, and took as many back-end tickets as I could (and that I thought I was capable of handling on my own without causing more work for someone else later on).  But I honestly have to say that the most impressive thing about this site is likely the responsive nature of it.  It is completely responsive, and scales based on the screen that is viewing it using media queries.  Apparently this is the first project of its kind at Sears, and we were setting a standard for the rest of the company to follow with our work – laying the foundation, if you will.

Stay tuned for images, the link to the live site, and a much more detailed synopsis of the work I did for Kenmore.
