00:00:17.680
Hey everyone, how you doing? I know this
00:00:20.800
is a tough slot because we just had
00:00:22.960
lunch. So, I'll make my best to keep you
00:00:25.119
awake, but I don't mind if you fall
00:00:27.439
asleep.
00:00:29.199
So unraveling the black box. Um we often
00:00:32.880
treat authentication as a black box. Uh
00:00:35.440
right we just install device, generate a
00:00:38.079
user model and move on. But few of us
00:00:41.120
wonder why it works the way it does. And
00:00:44.079
with Rails 8 authentication has
00:00:46.559
officially entered the framework. Uh and
00:00:49.280
this opens up not only new capabilities
00:00:51.840
but as our good uncle Ben told
00:00:54.960
Spider-Man also new responsibilities. So
00:00:58.239
today I'll walk you through where this
00:01:00.000
feature came from, how to use it, and
00:01:02.239
what it means for modern authentication
00:01:04.080
flows such as passwordless and O.
00:01:08.400
So uh I'm Alysia Pas Roas. I'm a
00:01:11.680
software engineer at Telos Labs for
00:01:13.600
almost four years. I'm also a music
00:01:16.159
composer. I was born in Chile and I'm
00:01:18.720
based in Mexico City. You can scan that
00:01:20.880
thing for my LinkedIn.
00:01:23.280
Uh happy to connect with all of you.
00:01:26.479
So the agenda for today uh I'm going to
00:01:29.040
start with a bit of history. Uh I want
00:01:31.520
to understand where authentication in
00:01:33.840
rails comes from. We're at uh this its
00:01:36.240
precedence
00:01:37.840
uh what the Rails 8 generator gives us
00:01:41.119
and then I'm going to walk you through
00:01:43.360
some modern authentication flows and
00:01:46.079
finally some takeaways and what's what's
00:01:48.640
next with this uh important part of our
00:01:52.079
applications. So, first a bit of
00:01:54.720
history.
00:01:56.240
Uh, sorry, I'm not going to talk about
00:01:57.840
aliens today. Uh, it's a great subject,
00:02:00.399
by the way. My my boss's favorite.
00:02:03.360
Um, so why do authenticate?
00:02:05.840
Authentication didn't start with Rails.
00:02:08.080
Uh, it didn't even start with the modern
00:02:09.759
web. It began as a basic need of knowing
00:02:13.360
who are you and are you allowed to see
00:02:16.160
this? So, in the early days of HTTP, the
00:02:19.520
first form of web authentication was
00:02:21.680
basic O. So just a username and a
00:02:23.920
password encoded in headers. Uh we had
00:02:27.120
no sessions, no storage of user data. So
00:02:30.000
it was kind of an anonymous stateless
00:02:32.959
web. But as web apps grew more complex,
00:02:36.480
uh so did the need for identity and
00:02:38.319
permissions and state. Uh so we needed
00:02:42.080
more than just knowing who someone was.
00:02:44.480
We needed to control what they could do.
00:02:47.120
And that's the main difference between
00:02:49.760
authentication and authorization. Some
00:02:52.239
of uh some people kind of confuse these
00:02:54.800
two terms. They're different. So
00:02:56.640
authentication is proving your identity.
00:02:59.519
Who are you? And authorization has to do
00:03:02.080
with uh what you are allowed to do once
00:03:05.519
you are authenticated.
00:03:07.680
So they're deeply connected because you
00:03:10.319
cannot enforce permissions without first
00:03:12.879
enforcing uh identity uh I mean
00:03:15.760
verifying identity. But they're distinct
00:03:18.879
layers. So there's a couple of examples
00:03:20.640
of uh gems that handle both uh features.
00:03:26.239
So modern web apps often need both
00:03:28.879
authentication and authorization to have
00:03:31.920
uh flexibility and security.
00:03:34.560
Uh so I'm going to give a a real life
00:03:36.640
example. I had to authenticate myself
00:03:38.799
when I came to this country. I had to
00:03:41.040
prove my identity with my pa password
00:03:43.680
passport and then I was authorized to uh
00:03:48.959
be here right. So authorization and the
00:03:51.920
things I can and cannot do in this
00:03:54.400
country are has to do with my identity
00:03:56.640
with who I am. So back in the early days
00:04:00.480
u talking about history a little bit uh
00:04:03.680
rails devs implemented sessions
00:04:05.760
manually. So we would set cookies well
00:04:08.400
not we but our ancestors
00:04:11.280
uh
00:04:13.280
they would set cookies they would handle
00:04:14.959
logic uh login logic validations uh all
00:04:18.160
by hand. So it was very useful and it
00:04:21.280
was also useful for learning but it had
00:04:23.520
it was a bit hard to scale uh and reuse.
00:04:27.199
So in 2008 o logic came to solve this
00:04:30.800
problem. It was a clean gem that you
00:04:32.560
could just drop in similar to uh what
00:04:34.560
device does. Uh it didn't require
00:04:38.720
complicated engines or magic. Uh you
00:04:41.120
would just add a model, include a module
00:04:43.600
and just go. So it offered reasonable
00:04:47.120
flexibility but left a lot up to you. Uh
00:04:50.960
October 2009 brings the wonderful device
00:04:55.520
which was uh built on top of Warden. If
00:04:57.600
you ever had to monkey patch or fix a
00:04:59.759
bug in device, you know what Warden is.
00:05:02.160
Otherwise, it's just magic behind this
00:05:04.880
the the the screen. And it packaged
00:05:07.840
everything. It packaged views,
00:05:09.520
controllers, models uh for a full
00:05:12.320
feature authentication. So, it was a of
00:05:15.120
a great convenience, but it often became
00:05:17.520
a black box. Uh we would stand on the
00:05:20.400
shoulders of this giant and just let it
00:05:23.039
handle everything for us.
00:05:25.520
So years went by and all and SSO started
00:05:30.479
to go mainstream as mobile and social
00:05:33.280
grew. Uh this became a standard. So we
00:05:36.160
had Facebook, Twitter, Google all
00:05:38.479
adopting this new standard.
00:05:41.280
Uh so simple passwordbased
00:05:43.360
authentication wasn't enough anymore. We
00:05:46.000
needed tokens uh third party APIs SSO.
00:05:50.000
So complexity grew
00:05:52.560
and over a decade later we have uh rails
00:05:56.720
finally shipping with a authentication
00:05:59.039
generation in its eighth version. So
00:06:02.320
this gives you a working login flow out
00:06:04.960
of the box while still letting you
00:06:07.120
customize and extend and understand the
00:06:10.000
full stack.
00:06:12.080
So I want to pause here a little bit
00:06:14.240
because device is in my heart combo. Um
00:06:19.840
yeah, great joke. Um
00:06:23.120
so this thing brings not only
00:06:24.960
authentication but also uh registration.
00:06:28.080
It was released in 2009. Uh and it was
00:06:31.120
really a game changer. Uh it was very
00:06:33.680
modular. So, it's nice how you can turn
00:06:36.000
on and off different features like
00:06:37.840
confirm address, invitations,
00:06:40.400
remembering sessions, uh, expiration,
00:06:43.520
and it was officially introduced in
00:06:46.560
Rails Summit Latin America 2009. And
00:06:50.720
yeah, I went to the source score source
00:06:52.639
code and see who were the first
00:06:55.120
committers and early contributors. So
00:06:57.199
thanks to these two uh lovely characters
00:07:00.479
here
00:07:02.319
and yeah why framework level
00:07:06.000
authentication now? So in the recent
00:07:09.199
years the need for more flexible uh
00:07:11.599
authentication flows like uh the ones
00:07:13.680
I'm going to introduce later uh like
00:07:16.400
passwordless
00:07:18.080
and o made developers ask why is
00:07:20.800
something so critical still in an
00:07:22.880
external concern? Why is it treated like
00:07:24.720
a black box?
00:07:26.479
So after some experimentation, Rails 8
00:07:29.280
shipped with its first built-in
00:07:31.199
authentication generator, which is very
00:07:33.440
simple by design, but it's highly
00:07:35.440
extensible. Uh, and it really have has
00:07:38.720
this mindset shift built in of uh
00:07:42.400
digging into into things and stop like
00:07:45.039
letting others handle it for you.
00:07:48.800
So let's dig uh in it. Rails 8
00:07:52.319
authentication generator. So as any
00:07:54.879
other rate generator you just type rails
00:07:57.199
generate authentication and then you
00:08:00.000
name the the model which is commonly
00:08:01.840
user and this will scaffold a simple yet
00:08:05.759
readable authentication system uh for
00:08:08.080
this this common uh model. So it will
00:08:11.199
include everything you need to log in
00:08:13.759
and reset a password but it will assume
00:08:17.120
that you will want to customize and
00:08:19.039
extend this flow. uh it has an
00:08:21.919
authentication concern that is included
00:08:23.919
in the application controller.
00:08:26.720
Uh but it doesn't include a users
00:08:29.039
controller because it's not a
00:08:30.800
registration generator.
00:08:33.360
Uh and of course minimal styles and
00:08:35.360
views that you for sure want to um
00:08:38.000
customize.
00:08:40.240
This is how the user model looks like
00:08:42.159
after you run this generator. So it
00:08:44.880
brings this high has secure password
00:08:47.040
helper that will give you a password
00:08:49.040
hashing uh authentication logic and
00:08:52.160
validation with by crypt behind the
00:08:54.560
scenes
00:08:56.160
uh a normalization of the email so your
00:08:58.720
database will look neat and uh an
00:09:01.839
association with sessions
00:09:04.160
uh which is uh one of the other models
00:09:06.240
this uh generator includes.
00:09:09.279
This is the session con controller.
00:09:11.839
Again, really little magic here. It's
00:09:14.640
very understandable login flow. We don't
00:09:17.040
have weird call blocks or filters. Just
00:09:19.839
a conditional redirect
00:09:22.800
uh a conditional and a redirect.
00:09:25.839
This is the authentication uh concern.
00:09:29.040
So as I as I mentioned this is included
00:09:31.120
in the application controller and it
00:09:33.200
centralizes key helpers uh like allow an
00:09:36.880
authentication access which is the new
00:09:39.600
uh skip before action that we were used
00:09:42.240
to with device and a before action for
00:09:45.760
protected pages. So everything is really
00:09:49.839
customizable. You can override whatever
00:09:51.839
you want. Uh it's very transparent.
00:09:55.519
It includes a password reset flow
00:09:57.360
because we've all been there. So you get
00:10:01.200
this password out of the box and you can
00:10:03.360
easily replace it with tokens or magic
00:10:06.160
links or any of other kind of
00:10:08.720
passwordless uh flow. Uh it it includes
00:10:13.040
a controller, a mailer
00:10:15.680
and the ERB views. Uh very ugly by
00:10:18.720
default but you can again customize
00:10:20.800
them.
00:10:22.640
uh as I said before it doesn't include a
00:10:24.560
signup view but you can easily generate
00:10:26.399
it with this uh controller generator. So
00:10:28.880
this will scaffold the controller and
00:10:31.279
the views for you. So very easy to set
00:10:34.800
up. No magic again. And this is how the
00:10:38.240
routes look like after running the
00:10:40.079
generator sessions users and passwords
00:10:44.560
all out of the box. So to summarize why
00:10:47.200
this is great, it's learnable code. Uh
00:10:50.320
it's not hidden. uh it's just there very
00:10:52.959
transparent you don't have magic routes
00:10:54.880
or engines everything is plain rails the
00:10:57.680
good old MBC pattern uh so it's very
00:11:00.640
easy to trace
00:11:02.880
uh you can also extend it for another
00:11:05.279
flows as I will show in a bit and it
00:11:08.560
encourages the best best practices
00:11:10.640
because we use the restful pattern
00:11:12.720
concerns it is very testable so it is a
00:11:15.440
great default uh it is a good starting
00:11:17.920
point for just get up uh get things
00:11:22.240
working quickly.
00:11:24.880
So let's talk about some modern use
00:11:27.120
cases because security is getting
00:11:30.240
tougher and tougher. Uh I'm going to
00:11:32.880
talk about passwordless.
00:11:34.880
So why are passwords
00:11:38.399
uh something we want to get rid of?
00:11:41.839
So the first thing is a lot of people
00:11:45.360
reuse their password. So raise your hand
00:11:47.200
if you have reused a password in the
00:11:49.600
past like six months, let's say. Okay,
00:11:52.399
so we're developers and we'll still do
00:11:54.240
it. So imagine the rest of the world.
00:11:56.800
This is really bad. Um
00:11:59.839
because one compromised password means
00:12:02.560
uh many compromised passwords, which
00:12:05.200
takes us to the second reason. People
00:12:07.519
are lazy and have m bad memory. So they
00:12:10.240
will choose weak passwords uh because
00:12:12.399
they're easier to remember.
00:12:15.200
and still they will forget them. So, uh
00:12:20.079
I've been there.
00:12:22.079
Um
00:12:23.680
and yeah, basically we have enough
00:12:26.480
reasons to want a passwordless
00:12:29.040
uh authentication flow. So, I found this
00:12:31.120
gem. It's called no password. It's very
00:12:33.440
simple and minimal. You can scan the
00:12:36.000
code. I'm not a contributor of it. Just
00:12:38.000
used it. It works really smoothly with
00:12:40.880
the authentication generator and it
00:12:44.000
allows you to implement a temporary
00:12:46.240
secure login uh code initiated from
00:12:50.399
people's browsers. So they can login via
00:12:53.200
email or SMS QR codes
00:12:56.320
or any other site channel. Uh and it
00:12:59.120
also comes with a really neat login with
00:13:01.440
email flow. uh so you can start using it
00:13:04.399
right away uh in your authentication
00:13:07.760
uh in in your Rails application.
00:13:10.480
So usage three simple steps you add it
00:13:13.680
to your GM file you run that that
00:13:16.240
generator it will create a migration
00:13:18.720
that I will show you and then you run
00:13:21.120
the migration and you're good to go.
00:13:22.800
There's really uh it's a very simple
00:13:26.079
setup. You can of course customize it as
00:13:28.639
you want. So this is the migration and
00:13:31.920
the way this works is that if the email
00:13:34.240
address the user provides is wellformed,
00:13:37.120
Rails will generate a random sixdigit
00:13:39.920
number and a salt. So this salt is a
00:13:42.880
string that is appended to the email
00:13:44.639
before hashing it to make it more secure
00:13:47.680
and this this sixdigit number is emailed
00:13:50.399
to the end user.
00:13:52.880
uh this uh the salt uh however is
00:13:56.959
persisted in the browser
00:14:00.000
and they can use the code to login into
00:14:02.720
the application. Uh rails encrypts the
00:14:05.440
email via no password secret which is
00:14:07.760
this table and the combination of the
00:14:10.000
code the salt uh provided by the user is
00:14:12.959
what it's needed to unlock the secret.
00:14:15.360
So this is how my very shitty uh app
00:14:19.199
works uh with this flow. So, you just
00:14:22.240
provide an email, you get a login code
00:14:24.959
in your email, you copy and paste it,
00:14:27.360
and you're good to go.
00:14:29.839
So,
00:14:31.519
oh, this is taking longer than I
00:14:33.519
expected.
00:14:35.360
Okay, so
00:14:37.600
yay, we're logged logged in. Cool. So,
00:14:41.120
how is this even safe? You might be
00:14:43.199
wondering, how does this method uh for
00:14:46.000
example mitigate brute force attacks?
00:14:49.680
So as our local figure teaches us, it's
00:14:53.760
not about how hard you hit, it's about
00:14:55.760
how much you can take. So this
00:14:58.160
translates into a number of remaining
00:15:01.199
attempts. So that's the first layer of
00:15:03.360
security this thing adds. Uh this
00:15:06.240
remaining attempts is decremented every
00:15:08.320
time the users enters a code and when it
00:15:10.959
gets to zero, the secret it is destroyed
00:15:13.519
and the user has to generate a new one
00:15:16.079
uh request a new one. Um, and yeah, by
00:15:20.000
default this is three attempts, but you
00:15:22.240
can override that if you want. The
00:15:25.120
second interesting thing I found about
00:15:27.199
this gem is that it it hides the salt in
00:15:31.360
the browser the user is using for uh
00:15:34.480
authenticating. So this uh salt is
00:15:38.079
embedded into the form payload that it's
00:15:40.000
posted back to the server along with the
00:15:42.079
code.
00:15:43.839
And that this means that the attacker
00:15:45.680
would have to somehow get this salt in
00:15:48.000
addition to the code. So if somehow this
00:15:50.959
attacker managed to intercept the code
00:15:54.160
in the email, it will also have to
00:15:57.199
somehow see the browser of the user to
00:16:00.079
be able to unlock uh the code. So that's
00:16:04.240
kind of a extra hard.
00:16:07.519
So the third layer of security this
00:16:10.240
thing has is an expiration. So by
00:16:12.880
default uh no password gives five
00:16:15.360
minutes to enter the code after that it
00:16:17.519
is destroyed. Uh again you can override
00:16:20.720
this thing very easily.
00:16:23.519
And yeah that's that's with
00:16:24.800
passwordless. So let's move on to this
00:16:28.000
uh second
00:16:29.839
um login flow which is SSO and OOTH. So
00:16:34.560
if you're wondering what's the
00:16:35.759
difference, I didn't know it very like
00:16:38.720
quite well so I had to investigate. So
00:16:41.680
SSO stands for single sign on and it's
00:16:43.920
an authentication method. So it means
00:16:46.800
like you can login once with an identity
00:16:48.959
provider such as Google or Octar Meta
00:16:51.839
whatever and then you can access
00:16:54.240
multiple apps without re-entering
00:16:56.320
credentials. So it's like you log in to
00:16:58.320
Google Gmail and then you can access
00:17:00.959
YouTube um
00:17:03.839
drive anything. Uh whereas O is an open
00:17:07.679
standard for authorization. So it grants
00:17:10.880
third-party applications access to your
00:17:13.360
resources uh like your data your you
00:17:16.000
know your email your calendar whatever
00:17:17.679
you want to share without sharing your
00:17:20.000
password.
00:17:21.919
So yeah SSO is an authentication method
00:17:24.880
and oath uh it's an authorization
00:17:27.439
protocol
00:17:29.200
and you they usually come come together
00:17:32.240
oath is often used as a part of an SSO
00:17:34.799
system but the two are not the same.
00:17:38.720
So why do we want this in our
00:17:40.799
application? Um
00:17:43.280
it's a very fast and secure sign up and
00:17:46.799
login for your user is it really reduces
00:17:50.000
that friction uh users having to enter
00:17:52.799
their data and creating a new password.
00:17:56.160
Uh it inherits Google security because
00:17:58.799
you're basically using their system
00:18:01.520
their 2FA their device monitoring etc.
00:18:04.480
So you don't have to worry about that
00:18:06.480
yourself. It also lowers your liability
00:18:09.520
of having to store passwords because you
00:18:11.520
don't and you can access this verified
00:18:15.120
uh profile data. So you you trust this
00:18:17.840
identity provider and then you trust the
00:18:19.840
data they are provide to you.
00:18:22.960
So how to do this? Uh you can do this do
00:18:26.480
this with the same uh no password gen
00:18:28.720
that I just showed. So the first thing
00:18:30.799
is that you set uh set up a ooth client
00:18:34.480
in Google developer console.
00:18:37.200
Uh very easy. Uh then you're given a
00:18:40.640
client ID and a secret ID
00:18:43.919
and then you have to set up your routes.
00:18:45.520
I did it with local host uh for
00:18:47.679
developing this uh demo app. You have to
00:18:50.880
set up uh the redirect URL and then you
00:18:54.080
have to make sure that is the same route
00:18:56.160
you are uh actually implementing in your
00:18:58.720
app. So that's the second step. You set
00:19:01.520
up your route
00:19:03.440
and the third step is to create a
00:19:05.440
controller. So this is in the
00:19:08.080
documentation of the gem. I literally
00:19:10.000
literally just copied and pasted it. Uh
00:19:13.120
did really little over override on this.
00:19:16.640
And yeah, you get an a working
00:19:20.480
you get a working login uh with Google.
00:19:24.240
And this was really cool because I had
00:19:26.160
2FA implemented in my account and I got
00:19:30.320
to FA uh with this shitty app without
00:19:33.520
doing anything. So that was really good.
00:19:36.400
Um
00:19:37.919
so let's go to the third uh
00:19:40.080
authentication flow which is rolebased.
00:19:43.840
Uh oh
00:19:46.559
and if you are paying attention you will
00:19:49.760
know that rolebased is not an
00:19:52.240
authentication
00:19:53.840
uh method is it has to do with
00:19:55.600
authorization. So I'm not going to talk
00:19:57.280
about it because I only have five
00:19:59.120
minutes left and this talk is about
00:20:00.960
authentication. So wrapping up
00:20:04.559
uh some key takeaways. Rails a gives us
00:20:07.679
a transparent uh editable authentication
00:20:10.640
system. So we have no more black boxes
00:20:12.799
anymore. Everything is very transparent
00:20:14.640
even with this gem. Um everything is
00:20:17.919
just there.
00:20:19.840
Passwordless and authentication are no
00:20:21.840
longer nice to have. And especially SSO
00:20:24.400
and oath. I as a user personally expect
00:20:27.440
this. I use it a lot especially for
00:20:29.360
work. uh I don't have to create 100
00:20:33.280
password for every uh you know API or
00:20:38.080
every integration I use every tool. So
00:20:40.880
that's really cool and authentication is
00:20:43.919
not a backend only problem anymore. Uh
00:20:46.960
it really intersects with UX with
00:20:49.360
product security. So building your own
00:20:53.520
uh flow can be simple and secure if you
00:20:55.760
understand the parts and you really want
00:20:57.840
to dig in. So what's next for
00:21:00.559
authentication? Um we talked about
00:21:03.440
passwordless. Uh we also have pass keys
00:21:06.159
and web off uh and its adoption is
00:21:08.720
growing and is going more and more more
00:21:12.080
mainstream SSO especially in enterprise
00:21:15.120
context and uh businessto business SAS.
00:21:19.440
Um
00:21:21.600
we have uh weirder and weirder
00:21:25.200
authentication systems. Uh so it we used
00:21:27.679
to think of authentication as something
00:21:29.840
like very binary like you are
00:21:32.240
authentication authenticated or not but
00:21:35.039
nowadays it's shifting towards a more
00:21:37.760
like a spectrum thing. So we have for
00:21:40.799
example biometric signals uh and
00:21:43.840
behavioral signals that um contribute to
00:21:48.240
this weirder concept of authentication.
00:21:51.120
So for example, behavioral signals
00:21:53.360
refers to using subtle passive patterns
00:21:56.080
in how someone interacts with a device
00:21:58.320
or with your application. So things like
00:22:01.120
for example keystroke uh behavior like
00:22:04.559
how fast you type or how uh often you
00:22:08.080
make mistakes uh where are you logging
00:22:11.520
uh from uh how you navigate like how
00:22:14.880
fast or slow you scroll your page. All
00:22:17.200
these subtle signals are uh stored in
00:22:20.400
the background and then machine learning
00:22:23.840
models are used to build a behavioral
00:22:25.919
profile of your session. So if a session
00:22:29.520
deviates from this profile, it can
00:22:31.520
trigger reauthentication for example uh
00:22:34.559
or send a risk score. So I experienced
00:22:37.039
this myself not not a long not long ago.
00:22:41.120
I was doing some tests and I logged in
00:22:43.360
into another phone, an iPhone, which is
00:22:45.600
very weird for my behavioral session
00:22:48.320
pattern.
00:22:49.840
And then I was logged out from my
00:22:51.440
personal phone. And I was asked to enter
00:22:55.120
2FA, which had not happened in a long
00:22:57.440
time. And the reason why I know it had
00:22:59.440
not happened is because the 2FA code was
00:23:02.240
sent to my Chileen number that I haven't
00:23:04.400
used in like three years. So I realized
00:23:07.280
I was not asked to FA in this this whole
00:23:11.200
time but this behavioral change
00:23:13.600
triggered uh this signal in Google
00:23:16.400
somehow.
00:23:18.240
So well to summarize um we have modern
00:23:21.520
authentication that is isn't just about
00:23:23.440
login forms anymore. Uh it's just about
00:23:26.640
flexibility, trust, giving users more
00:23:29.679
control and Rails is giving us the
00:23:31.840
foundation to build this uh that well.
00:23:35.039
So this authentication generator gives
00:23:37.360
us a fresh start. It's not just a tool
00:23:39.520
but as I mentioned earlier it's a
00:23:41.600
mindset mindset shift. So we can stop
00:23:44.559
treating authentication like a black box
00:23:46.559
and start treating it like a critical
00:23:48.799
piece of our apps. Uh h yeah I forgot to
00:23:51.919
mention that last point and yeah because
00:23:54.400
of these other login flows we have more
00:23:57.440
and more client side responsibility. So
00:23:59.760
we have more JavaScript and web APIs
00:24:02.400
inter uh like influencing our
00:24:06.400
authentication flows. So that was my
00:24:09.440
talk. Here's an image of a watermelon
00:24:11.279
guarding a gate. Thank you very much.
