DEV Community: 1klap The latest articles on DEV Community by 1klap (@1klap). https://dev.to/1klap https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F807312%2Fd4766bd3-e706-439b-804d-69380946f9e8.jpeg DEV Community: 1klap https://dev.to/1klap en Rails 8 authentication with OAuth and addition of a test suite 1klap Thu, 28 Nov 2024 13:11:15 +0000 https://dev.to/1klap/extending-the-ruby-on-rails-8-authentication-with-oauth-sign-in-and-the-missing-rspec-test-suite-4ia https://dev.to/1klap/extending-the-ruby-on-rails-8-authentication-with-oauth-sign-in-and-the-missing-rspec-test-suite-4ia <p>This is the core part of the full article on my site: <a href="https://railsguru.dev/lessons/rails-8-oauth-and-rspec-tests" rel="noopener noreferrer">https://railsguru.dev/lessons/rails-8-oauth-and-rspec-tests</a><br> There is also a <a href="https://github.com/1klap/l001-oauth-and-tests" rel="noopener noreferrer">repo with the code</a></p> <h1> Context </h1> <p>With Ruby on Rails 8, the framework ships with a built-in authentication generator! We're extending it with OAuth sign in and a RSpec test suite!</p> <p>All of the code below is building on top of a project that ran <code>bin/rails generate authentication</code></p> <h1> Add gems and providers </h1> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="c1"># Gemfile</span> <span class="n">gem</span> <span class="s2">"omniauth"</span><span class="p">,</span> <span class="s2">"~&gt; 2.1"</span><span class="p">,</span> <span class="s2">"&gt;= 2.1.2"</span> <span class="n">gem</span> <span class="s2">"omniauth-rails_csrf_protection"</span><span class="p">,</span> <span class="s2">"~&gt; 1.0"</span><span class="p">,</span> <span class="s2">"&gt;= 1.0.2"</span> <span class="n">gem</span> <span class="s2">"omniauth-google-oauth2"</span><span class="p">,</span> <span class="s2">"~&gt; 1.2"</span> <span class="n">gem</span> <span class="s2">"omniauth-github"</span><span class="p">,</span> <span class="s2">"~&gt; 2.0.0"</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="c1"># config/initializers/omniauth_providers.rb</span> <span class="no">Rails</span><span class="p">.</span><span class="nf">application</span><span class="p">.</span><span class="nf">config</span><span class="p">.</span><span class="nf">middleware</span><span class="p">.</span><span class="nf">use</span> <span class="no">OmniAuth</span><span class="o">::</span><span class="no">Builder</span> <span class="k">do</span> <span class="n">provider</span> <span class="ss">:developer</span> <span class="k">if</span> <span class="no">Rails</span><span class="p">.</span><span class="nf">env</span><span class="p">.</span><span class="nf">development?</span> <span class="o">||</span> <span class="no">Rails</span><span class="p">.</span><span class="nf">env</span><span class="p">.</span><span class="nf">test?</span> <span class="n">provider</span> <span class="ss">:google_oauth2</span><span class="p">,</span> <span class="no">Rails</span><span class="p">.</span><span class="nf">application</span><span class="p">.</span><span class="nf">credentials</span><span class="p">.</span><span class="nf">dig</span><span class="p">(</span><span class="ss">:oauth</span><span class="p">,</span> <span class="ss">:google</span><span class="p">,</span> <span class="ss">:client_id</span><span class="p">),</span> <span class="no">Rails</span><span class="p">.</span><span class="nf">application</span><span class="p">.</span><span class="nf">credentials</span><span class="p">.</span><span class="nf">dig</span><span class="p">(</span><span class="ss">:oauth</span><span class="p">,</span> <span class="ss">:google</span><span class="p">,</span> <span class="ss">:client_secret</span><span class="p">)</span> <span class="n">provider</span> <span class="ss">:github</span><span class="p">,</span> <span class="no">Rails</span><span class="p">.</span><span class="nf">application</span><span class="p">.</span><span class="nf">credentials</span><span class="p">.</span><span class="nf">dig</span><span class="p">(</span><span class="ss">:oauth</span><span class="p">,</span> <span class="ss">:github</span><span class="p">,</span> <span class="ss">:client_id</span><span class="p">),</span> <span class="no">Rails</span><span class="p">.</span><span class="nf">application</span><span class="p">.</span><span class="nf">credentials</span><span class="p">.</span><span class="nf">dig</span><span class="p">(</span><span class="ss">:oauth</span><span class="p">,</span> <span class="ss">:github</span><span class="p">,</span> <span class="ss">:secret</span><span class="p">),</span> <span class="ss">scope: </span><span class="s2">"user:email"</span> <span class="k">end</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="c1"># config/routes.rb</span> <span class="no">Rails</span><span class="p">.</span><span class="nf">application</span><span class="p">.</span><span class="nf">routes</span><span class="p">.</span><span class="nf">draw</span> <span class="k">do</span> <span class="n">get</span> <span class="s2">"/auth/:provider/callback"</span> <span class="o">=&gt;</span> <span class="s2">"sessions/omni_auths#create"</span><span class="p">,</span> <span class="ss">as: :omniauth_callback</span> <span class="n">get</span> <span class="s2">"/auth/failure"</span> <span class="o">=&gt;</span> <span class="s2">"sessions/omni_auths#failure"</span><span class="p">,</span> <span class="ss">as: :omniauth_failure</span> <span class="k">end</span> </code></pre> </div> <h1> Add a new model and controller </h1> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>bin/rails g model OmniAuthIdentity uid:string provider:string user:references </code></pre> </div> <p>The next code block is the heart of the whole implementation. It connects the OmniAuthIdentity with the User, does the lookup and the creation<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="c1"># app/controllers/sessions/omni_auths_controller.rb</span> <span class="k">class</span> <span class="nc">Sessions::OmniAuthsController</span> <span class="o">&lt;</span> <span class="no">ApplicationController</span> <span class="n">allow_unauthenticated_access</span> <span class="ss">only: </span><span class="p">[</span> <span class="ss">:create</span><span class="p">,</span> <span class="ss">:failure</span> <span class="p">]</span> <span class="k">def</span> <span class="nf">create</span> <span class="n">auth</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="nf">env</span><span class="p">[</span><span class="s2">"omniauth.auth"</span><span class="p">]</span> <span class="n">uid</span> <span class="o">=</span> <span class="n">auth</span><span class="p">[</span><span class="s2">"uid"</span><span class="p">]</span> <span class="n">provider</span> <span class="o">=</span> <span class="n">auth</span><span class="p">[</span><span class="s2">"provider"</span><span class="p">]</span> <span class="n">redirect_path</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="nf">env</span><span class="p">[</span><span class="s2">"omniauth.params"</span><span class="p">]</span><span class="o">&amp;</span><span class="p">.</span><span class="nf">dig</span><span class="p">(</span><span class="s2">"origin"</span><span class="p">)</span> <span class="o">||</span> <span class="n">root_path</span> <span class="n">identity</span> <span class="o">=</span> <span class="no">OmniAuthIdentity</span><span class="p">.</span><span class="nf">find_by</span><span class="p">(</span><span class="ss">uid: </span><span class="n">uid</span><span class="p">,</span> <span class="ss">provider: </span><span class="n">provider</span><span class="p">)</span> <span class="k">if</span> <span class="n">authenticated?</span> <span class="c1"># User is signed in so they are trying to link an identity with their account</span> <span class="k">if</span> <span class="n">identity</span><span class="p">.</span><span class="nf">nil?</span> <span class="c1"># No identity was found, create a new one for this user</span> <span class="no">OmniAuthIdentity</span><span class="p">.</span><span class="nf">create</span><span class="p">(</span><span class="ss">uid: </span><span class="n">uid</span><span class="p">,</span> <span class="ss">provider: </span><span class="n">provider</span><span class="p">,</span> <span class="ss">user: </span><span class="no">Current</span><span class="p">.</span><span class="nf">user</span><span class="p">)</span> <span class="c1"># Give the user model the option to update itself with the new information</span> <span class="no">Current</span><span class="p">.</span><span class="nf">user</span><span class="p">.</span><span class="nf">signed_in_with_oauth</span><span class="p">(</span><span class="n">auth</span><span class="p">)</span> <span class="n">redirect_to</span> <span class="n">redirect_path</span><span class="p">,</span> <span class="ss">notice: </span><span class="s2">"Account linked!"</span> <span class="k">else</span> <span class="c1"># Identity was found, nothing to do</span> <span class="c1"># Check relation to current user</span> <span class="k">if</span> <span class="no">Current</span><span class="p">.</span><span class="nf">user</span> <span class="o">==</span> <span class="n">identity</span><span class="p">.</span><span class="nf">user</span> <span class="n">redirect_to</span> <span class="n">redirect_path</span><span class="p">,</span> <span class="ss">notice: </span><span class="s2">"Already linked that account!"</span> <span class="k">else</span> <span class="c1"># The identity is not associated with the current_user, illegal state</span> <span class="n">redirect_to</span> <span class="n">redirect_path</span><span class="p">,</span> <span class="ss">notice: </span><span class="s2">"Account mismatch, try signing out first!"</span> <span class="k">end</span> <span class="k">end</span> <span class="k">else</span> <span class="c1"># Check if identity was found i.e. user has visited the site before</span> <span class="k">if</span> <span class="n">identity</span><span class="p">.</span><span class="nf">nil?</span> <span class="c1"># New identity visiting the site, we are linking to an existing User or creating a new one</span> <span class="n">user</span> <span class="o">=</span> <span class="no">User</span><span class="p">.</span><span class="nf">find_by</span><span class="p">(</span><span class="ss">email_address: </span><span class="n">auth</span><span class="p">.</span><span class="nf">info</span><span class="p">.</span><span class="nf">email</span><span class="p">)</span> <span class="o">||</span> <span class="no">User</span><span class="p">.</span><span class="nf">create_from_oauth</span><span class="p">(</span><span class="n">auth</span><span class="p">)</span> <span class="n">identity</span> <span class="o">=</span> <span class="no">OmniAuthIdentity</span><span class="p">.</span><span class="nf">create</span><span class="p">(</span><span class="ss">uid: </span><span class="n">uid</span><span class="p">,</span> <span class="ss">provider: </span><span class="n">provider</span><span class="p">,</span> <span class="ss">user: </span><span class="n">user</span><span class="p">)</span> <span class="k">end</span> <span class="n">start_new_session_for</span> <span class="n">identity</span><span class="p">.</span><span class="nf">user</span> <span class="n">redirect_to</span> <span class="n">redirect_path</span><span class="p">,</span> <span class="ss">notice: </span><span class="s2">"Signed in!"</span> <span class="k">end</span> <span class="k">end</span> <span class="k">def</span> <span class="nf">failure</span> <span class="n">redirect_to</span> <span class="n">new_session_path</span><span class="p">,</span> <span class="ss">alert: </span><span class="s2">"Authentication failed, please try again."</span> <span class="k">end</span> <span class="k">end</span> </code></pre> </div> <h1> Add tests for authentication code </h1> <p>Below is a taste of some specs that test the functionality from the generator.</p> <p>For example the password reset controller tests:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="c1"># spec/requests/passwords_spec.rb</span> <span class="nb">require</span> <span class="s1">'rails_helper'</span> <span class="nb">require</span> <span class="s1">'active_support/testing/time_helpers'</span> <span class="kp">include</span> <span class="no">ActiveSupport</span><span class="o">::</span><span class="no">Testing</span><span class="o">::</span><span class="no">TimeHelpers</span> <span class="no">RSpec</span><span class="p">.</span><span class="nf">describe</span> <span class="s2">"Password"</span><span class="p">,</span> <span class="ss">type: :request</span> <span class="k">do</span> <span class="n">fixtures</span> <span class="ss">:users</span> <span class="n">let</span><span class="p">(</span><span class="ss">:user</span><span class="p">)</span> <span class="p">{</span> <span class="n">users</span><span class="p">(</span><span class="ss">:existing</span><span class="p">)</span> <span class="p">}</span> <span class="n">before</span><span class="p">(</span><span class="ss">:all</span><span class="p">)</span> <span class="k">do</span> <span class="no">ActionMailer</span><span class="o">::</span><span class="no">Base</span><span class="p">.</span><span class="nf">deliveries</span><span class="p">.</span><span class="nf">clear</span> <span class="k">end</span> <span class="n">describe</span> <span class="s2">"GET /passwords/new"</span> <span class="k">do</span> <span class="n">it</span> <span class="s2">"returns http success"</span> <span class="k">do</span> <span class="n">get</span> <span class="s2">"/passwords/new"</span> <span class="n">expect</span><span class="p">(</span><span class="n">response</span><span class="p">).</span><span class="nf">to</span> <span class="n">have_http_status</span><span class="p">(</span><span class="ss">:success</span><span class="p">)</span> <span class="k">end</span> <span class="k">end</span> <span class="n">describe</span> <span class="s2">"POST /passwords"</span> <span class="k">do</span> <span class="n">it</span> <span class="s2">"creating a password reset sends an email and show instructions"</span> <span class="k">do</span> <span class="c1"># TODO: need to decide whether to enqueue or perform jobs</span> <span class="c1"># for the moment, request spec will perform jobs, while model spec will enqueue jobs</span> <span class="n">perform_enqueued_jobs</span> <span class="k">do</span> <span class="n">post</span> <span class="n">passwords_path</span><span class="p">,</span> <span class="ss">params: </span><span class="p">{</span> <span class="ss">email_address: </span><span class="n">user</span><span class="p">.</span><span class="nf">email_address</span> <span class="p">}</span> <span class="k">end</span> <span class="c1"># expect do</span> <span class="c1"># post passwords_path, params: { email_address: user.email_address }</span> <span class="c1"># end.to have_enqueued_email(PasswordMailer, :reset).exactly(:once)</span> <span class="n">expect</span><span class="p">(</span><span class="n">response</span><span class="p">).</span><span class="nf">to</span> <span class="n">redirect_to</span> <span class="n">new_session_path</span> <span class="n">follow_redirect!</span> <span class="n">assert_select</span> <span class="s2">"div"</span><span class="p">,</span> <span class="ss">text: </span><span class="s2">"Password reset instructions sent (if user with that email address exists)."</span> <span class="n">expect</span><span class="p">(</span><span class="no">ActionMailer</span><span class="o">::</span><span class="no">Base</span><span class="p">.</span><span class="nf">deliveries</span><span class="p">.</span><span class="nf">size</span><span class="p">).</span><span class="nf">to</span> <span class="n">eq</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="no">ActionMailer</span><span class="o">::</span><span class="no">Base</span><span class="p">.</span><span class="nf">deliveries</span><span class="p">.</span><span class="nf">first</span><span class="p">.</span><span class="nf">tap</span> <span class="k">do</span> <span class="o">|</span><span class="n">mail</span><span class="o">|</span> <span class="n">content</span> <span class="o">=</span> <span class="n">mail</span><span class="p">.</span><span class="nf">html_part</span><span class="p">.</span><span class="nf">body</span><span class="p">.</span><span class="nf">to_s</span> <span class="n">token</span> <span class="o">=</span> <span class="n">content</span><span class="p">.</span><span class="nf">match</span><span class="p">(</span><span class="sr">/passwords\/(.+)\/edit"/</span><span class="p">)[</span><span class="mi">1</span><span class="p">]</span> <span class="n">expect</span><span class="p">(</span><span class="no">User</span><span class="p">.</span><span class="nf">find_by_password_reset_token!</span><span class="p">(</span><span class="n">token</span><span class="p">)).</span><span class="nf">to</span> <span class="n">eq</span><span class="p">(</span><span class="n">user</span><span class="p">)</span> <span class="k">end</span> <span class="k">end</span> <span class="k">end</span> <span class="n">describe</span> <span class="s2">"GET /passwords/:token/edit"</span> <span class="k">do</span> <span class="n">it</span> <span class="s2">"returns http success"</span> <span class="k">do</span> <span class="n">get</span> <span class="n">edit_password_path</span><span class="p">(</span><span class="n">user</span><span class="p">.</span><span class="nf">password_reset_token</span><span class="p">)</span> <span class="n">expect</span><span class="p">(</span><span class="n">response</span><span class="p">).</span><span class="nf">to</span> <span class="n">have_http_status</span><span class="p">(</span><span class="ss">:success</span><span class="p">)</span> <span class="n">assert_select</span> <span class="s2">"form"</span> <span class="k">end</span> <span class="k">end</span> <span class="n">describe</span> <span class="s2">"PUT /passwords/:token"</span> <span class="k">do</span> <span class="n">it</span> <span class="s2">"changes to users password with a valid token"</span> <span class="k">do</span> <span class="n">token</span> <span class="o">=</span> <span class="n">user</span><span class="p">.</span><span class="nf">password_reset_token</span> <span class="n">expect</span> <span class="k">do</span> <span class="n">patch</span> <span class="n">password_path</span><span class="p">(</span><span class="n">token</span><span class="p">),</span> <span class="ss">params: </span><span class="p">{</span> <span class="ss">password: </span><span class="s2">"W3lcome?"</span><span class="p">,</span> <span class="ss">password_confirmation: </span><span class="s2">"somethingelse"</span> <span class="p">}</span> <span class="k">end</span><span class="p">.</span><span class="nf">not_to</span> <span class="n">change</span> <span class="p">{</span> <span class="n">user</span><span class="p">.</span><span class="nf">password_digest</span> <span class="p">}</span> <span class="n">expect</span><span class="p">(</span><span class="n">response</span><span class="p">).</span><span class="nf">to</span> <span class="n">redirect_to</span><span class="p">(</span><span class="n">edit_password_path</span><span class="p">(</span><span class="n">token</span><span class="p">))</span> <span class="n">expect</span> <span class="k">do</span> <span class="n">patch</span> <span class="n">password_path</span><span class="p">(</span><span class="n">token</span><span class="p">),</span> <span class="ss">params: </span><span class="p">{</span> <span class="ss">password: </span><span class="s2">"short"</span><span class="p">,</span> <span class="ss">password_confirmation: </span><span class="s2">"short"</span> <span class="p">}</span> <span class="k">end</span><span class="p">.</span><span class="nf">not_to</span> <span class="n">change</span> <span class="p">{</span> <span class="n">user</span><span class="p">.</span><span class="nf">password_digest</span> <span class="p">}</span> <span class="n">expect</span><span class="p">(</span><span class="n">response</span><span class="p">).</span><span class="nf">to</span> <span class="n">redirect_to</span><span class="p">(</span><span class="n">edit_password_path</span><span class="p">(</span><span class="n">token</span><span class="p">))</span> <span class="n">expect</span> <span class="k">do</span> <span class="n">patch</span> <span class="n">password_path</span><span class="p">(</span><span class="n">token</span><span class="p">),</span> <span class="ss">params: </span><span class="p">{</span> <span class="ss">password: </span><span class="s2">"W3lcome?"</span> <span class="p">}</span> <span class="k">end</span><span class="p">.</span><span class="nf">to</span> <span class="n">change</span> <span class="p">{</span> <span class="n">user</span><span class="p">.</span><span class="nf">reload</span><span class="p">.</span><span class="nf">password_digest</span> <span class="p">}</span> <span class="n">expect</span><span class="p">(</span><span class="n">response</span><span class="p">).</span><span class="nf">to</span> <span class="n">redirect_to</span><span class="p">(</span><span class="n">new_session_path</span><span class="p">)</span> <span class="n">expect</span><span class="p">(</span><span class="no">User</span><span class="p">.</span><span class="nf">authenticate_by</span><span class="p">(</span><span class="ss">email_address: </span><span class="n">user</span><span class="p">.</span><span class="nf">email_address</span><span class="p">,</span> <span class="ss">password: </span><span class="s2">"W3lcome?"</span><span class="p">)).</span><span class="nf">to_not</span> <span class="n">be_nil</span> <span class="c1"># Reset the token after a successful password change</span> <span class="n">token</span> <span class="o">=</span> <span class="n">user</span><span class="p">.</span><span class="nf">password_reset_token</span> <span class="n">expect</span> <span class="k">do</span> <span class="n">patch</span> <span class="n">password_path</span><span class="p">(</span><span class="n">token</span><span class="p">),</span> <span class="ss">params: </span><span class="p">{</span> <span class="ss">password: </span><span class="s2">"W3lcome?"</span><span class="p">,</span> <span class="ss">password_confirmation: </span><span class="s2">"W3lcome?"</span> <span class="p">}</span> <span class="k">end</span><span class="p">.</span><span class="nf">to</span> <span class="n">change</span> <span class="p">{</span> <span class="n">user</span><span class="p">.</span><span class="nf">reload</span><span class="p">.</span><span class="nf">password_digest</span> <span class="p">}</span> <span class="n">expect</span><span class="p">(</span><span class="n">response</span><span class="p">).</span><span class="nf">to</span> <span class="n">redirect_to</span><span class="p">(</span><span class="n">new_session_path</span><span class="p">)</span> <span class="n">expect</span><span class="p">(</span><span class="no">User</span><span class="p">.</span><span class="nf">authenticate_by</span><span class="p">(</span><span class="ss">email_address: </span><span class="n">user</span><span class="p">.</span><span class="nf">email_address</span><span class="p">,</span> <span class="ss">password: </span><span class="s2">"W3lcome?"</span><span class="p">)).</span><span class="nf">to_not</span> <span class="n">be_nil</span> <span class="k">end</span> <span class="k">end</span> <span class="n">it</span> <span class="s2">"does not change a user's password with an expired token"</span> <span class="k">do</span> <span class="n">token</span> <span class="o">=</span> <span class="n">user</span><span class="p">.</span><span class="nf">password_reset_token</span> <span class="n">travel_to</span> <span class="mi">16</span><span class="p">.</span><span class="nf">minutes</span><span class="p">.</span><span class="nf">from_now</span> <span class="n">expect</span> <span class="k">do</span> <span class="n">patch</span> <span class="n">password_path</span><span class="p">(</span><span class="n">token</span><span class="p">),</span> <span class="ss">params: </span><span class="p">{</span> <span class="ss">password: </span><span class="s2">"W3lcome?"</span><span class="p">,</span> <span class="ss">password_confirmation: </span><span class="s2">"W3lcome?"</span> <span class="p">}</span> <span class="k">end</span><span class="p">.</span><span class="nf">not_to</span> <span class="n">change</span> <span class="p">{</span> <span class="n">user</span><span class="p">.</span><span class="nf">password_digest</span> <span class="p">}</span> <span class="n">expect</span><span class="p">(</span><span class="n">response</span><span class="p">).</span><span class="nf">to</span> <span class="n">redirect_to</span><span class="p">(</span><span class="n">new_password_path</span><span class="p">)</span> <span class="k">end</span> <span class="k">end</span> </code></pre> </div> <p>Or the session controller tests:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="c1"># spec/requests/sessions_spec.rb</span> <span class="nb">require</span> <span class="s1">'rails_helper'</span> <span class="no">RSpec</span><span class="p">.</span><span class="nf">describe</span> <span class="s2">"Sessions"</span><span class="p">,</span> <span class="ss">type: :request</span> <span class="k">do</span> <span class="n">fixtures</span> <span class="ss">:users</span> <span class="n">let</span><span class="p">(</span><span class="ss">:user</span><span class="p">)</span> <span class="p">{</span> <span class="n">users</span><span class="p">(</span><span class="ss">:existing</span><span class="p">)</span> <span class="p">}</span> <span class="n">describe</span> <span class="s2">"GET /session/new"</span> <span class="k">do</span> <span class="n">it</span> <span class="s2">"returns http success"</span> <span class="k">do</span> <span class="n">get</span> <span class="s2">"/session/new"</span> <span class="n">expect</span><span class="p">(</span><span class="n">response</span><span class="p">).</span><span class="nf">to</span> <span class="n">have_http_status</span><span class="p">(</span><span class="ss">:success</span><span class="p">)</span> <span class="k">end</span> <span class="k">end</span> <span class="n">describe</span> <span class="s2">"POST /session"</span> <span class="k">do</span> <span class="n">it</span> <span class="s2">"sign a user in when credentials are valid"</span> <span class="k">do</span> <span class="n">user</span><span class="p">.</span><span class="nf">sessions</span><span class="p">.</span><span class="nf">destroy_all</span> <span class="n">expect</span> <span class="k">do</span> <span class="n">post</span> <span class="n">session_path</span><span class="p">,</span> <span class="ss">params: </span><span class="p">{</span> <span class="ss">email_address: </span><span class="n">user</span><span class="p">.</span><span class="nf">email_address</span><span class="p">,</span> <span class="ss">password: </span><span class="s2">"password"</span> <span class="p">}</span> <span class="k">end</span><span class="p">.</span><span class="nf">to</span> <span class="n">change</span> <span class="p">{</span> <span class="n">user</span><span class="p">.</span><span class="nf">sessions</span><span class="p">.</span><span class="nf">count</span> <span class="p">}.</span><span class="nf">from</span><span class="p">(</span><span class="mi">0</span><span class="p">).</span><span class="nf">to</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="k">end</span> <span class="n">it</span> <span class="s2">"does not sign a user in when credentials are invalid"</span> <span class="k">do</span> <span class="n">user</span><span class="p">.</span><span class="nf">sessions</span><span class="p">.</span><span class="nf">destroy_all</span> <span class="n">expect</span> <span class="k">do</span> <span class="n">post</span> <span class="n">session_path</span><span class="p">,</span> <span class="ss">params: </span><span class="p">{</span> <span class="ss">email_address: </span><span class="n">user</span><span class="p">.</span><span class="nf">email_address</span><span class="p">,</span> <span class="ss">password: </span><span class="s2">"wrong-password"</span> <span class="p">}</span> <span class="k">end</span><span class="p">.</span><span class="nf">not_to</span> <span class="n">change</span> <span class="p">{</span> <span class="n">user</span><span class="p">.</span><span class="nf">sessions</span><span class="p">.</span><span class="nf">count</span> <span class="p">}</span> <span class="k">end</span> <span class="k">end</span> <span class="n">describe</span> <span class="s2">"DELETE /session"</span> <span class="k">do</span> <span class="n">it</span> <span class="s2">"sign a user out"</span> <span class="k">do</span> <span class="n">post</span> <span class="n">session_path</span><span class="p">,</span> <span class="ss">params: </span><span class="p">{</span> <span class="ss">email_address: </span><span class="n">user</span><span class="p">.</span><span class="nf">email_address</span><span class="p">,</span> <span class="ss">password: </span><span class="s2">"password"</span> <span class="p">}</span> <span class="n">expect</span><span class="p">(</span><span class="n">response</span><span class="p">).</span><span class="nf">to</span> <span class="n">redirect_to</span> <span class="n">root_path</span> <span class="n">expect</span><span class="p">(</span><span class="n">user</span><span class="p">.</span><span class="nf">reload</span><span class="p">.</span><span class="nf">sessions</span><span class="p">.</span><span class="nf">count</span><span class="p">).</span><span class="nf">to</span> <span class="n">eq</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="n">follow_redirect!</span> <span class="n">expect</span> <span class="k">do</span> <span class="n">delete</span> <span class="n">session_path</span> <span class="k">end</span><span class="p">.</span><span class="nf">to</span> <span class="n">change</span> <span class="p">{</span> <span class="n">user</span><span class="p">.</span><span class="nf">sessions</span><span class="p">.</span><span class="nf">count</span> <span class="p">}.</span><span class="nf">from</span><span class="p">(</span><span class="mi">1</span><span class="p">).</span><span class="nf">to</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="n">expect</span><span class="p">(</span><span class="n">response</span><span class="p">).</span><span class="nf">to</span> <span class="n">redirect_to</span> <span class="n">new_session_path</span> <span class="k">end</span> <span class="k">end</span> <span class="k">end</span> </code></pre> </div> <h1> Shameless plug </h1> <p>The original article can be found here: <a href="https://railsguru.dev/lessons/rails-8-oauth-and-rspec-tests" rel="noopener noreferrer">https://railsguru.dev/lessons/rails-8-oauth-and-rspec-tests</a><br> It's posted on <a href="https://railsguru.dev" rel="noopener noreferrer">railsguru.dev</a>, a learning hub for all things Ruby on Rails that I'm building up. Please check it out and share your thoughts.</p> <p>You can also follow me on X under <a href="https://x.com/railsguru_dev" rel="noopener noreferrer">@railsguru_dev</a></p> rails testing webdev programming Minimalistic Authentication in Rails 1klap Mon, 30 Oct 2023 15:44:16 +0000 https://dev.to/1klap/user-auth-in-rails-without-devise-a-step-into-a-simpler-world-17hi https://dev.to/1klap/user-auth-in-rails-without-devise-a-step-into-a-simpler-world-17hi <p>I have used devise in the past for user authentication and while it is a powerful gem, it certainly imposes a lot of restrictions on you. </p> <p>Most of the time, it is so closed off that you cannot even open the hood and tweak it to your needs. I think this comes mostly from the fact, that it concerns itself with just <em>too much</em>. From verification of a password up to tracking of failed sign-ins, there is a lot that seems to be possible with devise, what bothers me is that i can't take over some part if devise's solutions does not work for me.</p> <p>So, for my projects, I wanted to get rid of the cruft and start with minimal solutions. One first step on this journey is<br> <strong>Tinytokenauth-rails</strong> <a href="https://github.com/1klap/tinytokenauth-rails">https://github.com/1klap/tinytokenauth-rails</a></p> <p>It just concerns itself with the problem, how does any controller know whether a user is signed in or not (if yes, who is it) and how to sign a given user in or out.</p> <p>With this, the task (and freedom) to come up with a solution for the required work around this, falls to the developer. Like model creation, password checking, controller and routes for registration and session, email sending, password change handling, etc. But this is also the part where customization can and will occur. Like when you want to sign up users with an invite token or a referral code, it will be trivial to add when you are handling the sign-up code yourself.</p> <p>To me, this make most sense. I while I agree that not every developer should write his own authentication code from scratch, because this can be hard problems with subtle caveats, I also think that this should not be considered arcane craft that must never be touched.</p> <p>I am happy for the increase in flexibilty. If you crave the same, try out the gem and let me know in the comment section here or on github how you like it.</p> rails webdev programming authentication Rails 7: production deploy from scratch (Ubuntu 22.04 edition) 1klap Thu, 02 Feb 2023 22:59:25 +0000 https://dev.to/1klap/rails-7-production-deploy-from-scratch-ubuntu-2204-edition-pm7 https://dev.to/1klap/rails-7-production-deploy-from-scratch-ubuntu-2204-edition-pm7 <p>Here's how i setup my rails 7 deployments, starting from a fresh ubuntu 22.04 install and root user ssh access.<br> Part of the stack will be rbenv, nginx, passenger, postgres and capistrano, with options to set up yarn and node as well.</p> <p>Replace <code>vim</code> with <code>nano</code> if you prefer to use the worse text editor.</p> <h2> Prereq </h2> <ul> <li>DNS is set up</li> <li>you have a SSH key generated (if not, simply run ssh-keygen)</li> </ul> <h2> User setup </h2> <h3> Connect as root [local] </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>ssh root@&lt;your-url&gt; </code></pre> </div> <h3> Add non-root user [remote] </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>adduser devops <span class="c"># set password 'devops_user_password'</span> <span class="nv">$ </span>adduser devops <span class="nb">sudo</span> <span class="nv">$ </span><span class="nb">exit</span> </code></pre> </div> <h3> Connect as devops (for all steps below) [local] </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Run the first command below only once</span> <span class="nv">$ </span>ssh-copy-id devops@&lt;your-url&gt; <span class="nv">$ </span>ssh devops@&lt;your-url&gt; </code></pre> </div> <h3> Disallow root login via SSH [remote] </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">sudo </span>vim /etc/ssh/sshd_config <span class="c"># Set line 'PermitRootLogin yes' to 'PermitRootLogin no'</span> <span class="nv">$ </span><span class="nb">sudo </span>service sshd restart </code></pre> </div> <h3> Set hostname [remote] </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">sudo </span>hostnamectl set-hostname &lt;your-url&gt; <span class="nv">$ </span><span class="nb">sudo </span>hostnamectl <span class="c"># check if it is set</span> </code></pre> </div> <h2> Install system dependencies [remote] </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">sudo </span>apt update <span class="nv">$ </span><span class="nb">sudo </span>apt upgrade <span class="nv">$ </span><span class="nb">sudo </span>apt <span class="nb">install </span>git build-essential libssl-dev zlib1g-dev libyaml-dev </code></pre> </div> <h2> Install rbenv, ruby, bundler [remote] </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>git clone https://github.com/rbenv/rbenv.git ~/.rbenv <span class="nv">$ </span><span class="nb">echo</span> <span class="s1">'eval "$(~/.rbenv/bin/rbenv init - bash)"'</span> <span class="o">&gt;&gt;</span> ~/.bashrc <span class="nv">$ </span><span class="nb">exec</span> <span class="nv">$SHELL</span> <span class="nv">$ </span>git clone https://github.com/rbenv/ruby-build.git <span class="s2">"</span><span class="si">$(</span>rbenv root<span class="si">)</span><span class="s2">"</span>/plugins/ruby-build <span class="nv">$ </span>git clone https://github.com/rbenv/rbenv-vars.git <span class="s2">"</span><span class="si">$(</span>rbenv root<span class="si">)</span><span class="s2">"</span>/plugins/rbenv-vars <span class="nv">$ </span>rbenv <span class="nb">install </span>3.2.0 <span class="nv">$ </span>rbenv global 3.2.0 <span class="c"># Test complete install with rbenv-doctor</span> <span class="nv">$ </span>curl <span class="nt">-fsSL</span> https://github.com/rbenv/rbenv-installer/raw/main/bin/rbenv-doctor | bash <span class="nv">$ </span>ruby <span class="nt">-v</span> <span class="c"># Shows ruby version number if correctly installed</span> <span class="nv">$ </span>gem <span class="nb">install </span>bundler <span class="c"># You might be prompted to update some gems, see command below</span> <span class="nv">$ </span>gem update <span class="nt">--system</span> 3.4.6 <span class="c"># Check if this is recommended after bundler installation</span> <span class="nv">$ </span>bundle <span class="nt">-v</span> <span class="c"># Shows bundler version number if correctly installed</span> </code></pre> </div> <h2> Install yarn, nvm, node (skip if not required) [remote] </h2> <p>If you generated your rails project with default javascript configuration (i.e. importmaps), then you might not need yarn, nvm and node at all.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>curl <span class="nt">-sS</span> https://dl.yarnpkg.com/debian/pubkey.gpg | <span class="nb">sudo </span>gpg <span class="nt">--dearmor</span> <span class="nt">-o</span> /etc/apt/trusted.gpg.d/yarn-archive-keyring.gpg <span class="nv">$ </span><span class="nb">echo</span> <span class="s2">"deb https://dl.yarnpkg.com/debian/ stable main"</span> | <span class="nb">sudo tee</span> /etc/apt/sources.list.d/yarn.list <span class="nv">$ </span><span class="nb">sudo </span>apt <span class="nb">install </span>yarn <span class="nv">$ </span>yarn <span class="nt">-v</span> <span class="c"># Shows yarn version number if correctly installed</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>curl https://raw.githubusercontent.com/creationix/nvm/master/install.sh | bash <span class="nv">$ </span><span class="nb">exec</span> <span class="nv">$SHELL</span> <span class="nv">$ </span>nvm <span class="nb">install </span>16 <span class="nv">$ </span>node <span class="nt">-v</span> <span class="c"># Shows node version number if correctly installed</span> <span class="nv">$ </span><span class="c"># npm install -g esbuild # Uncomment if you package javascript with esbuild</span> <span class="nv">$ </span><span class="c"># esbuild --version</span> <span class="nv">$ </span><span class="c"># npm install -g typescript # If needed</span> <span class="nv">$ </span><span class="c"># npm install -g sass # If needed</span> </code></pre> </div> <h2> Install nginx, passenger [remote] </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>curl https://oss-binaries.phusionpassenger.com/auto-software-signing-gpg-key.txt | gpg <span class="nt">--dearmor</span> | <span class="nb">sudo tee</span> /etc/apt/trusted.gpg.d/phusion-keyring.gpg <span class="o">&gt;</span>/dev/null <span class="nv">$ </span><span class="nb">sudo </span>sh <span class="nt">-c</span> <span class="s1">'echo deb https://oss-binaries.phusionpassenger.com/apt/passenger jammy main &gt; /etc/apt/sources.list.d/passenger.list'</span> <span class="nv">$ </span><span class="nb">sudo </span>apt update <span class="nv">$ </span><span class="nb">sudo </span>apt <span class="nb">install </span>nginx-extras libnginx-mod-http-passenger <span class="nv">$ </span><span class="nb">sudo </span>vim /etc/nginx/conf.d/mod-http-passenger.conf <span class="c"># Change the path to rbenv ruby</span> passenger_ruby /home/devops/.rbenv/shims/ruby<span class="p">;</span> <span class="nv">$ </span><span class="nb">sudo </span>service nginx restart <span class="nv">$ </span><span class="nb">sudo </span>service nginx status <span class="nv">$ </span><span class="nb">sudo</span> /usr/bin/passenger-config validate-install <span class="c"># Looks ok?</span> <span class="nv">$ </span><span class="nb">sudo</span> /usr/sbin/passenger-memory-stats <span class="c"># Looks ok?</span> <span class="nv">$ </span><span class="nb">sudo rm</span> /etc/nginx/sites-enabled/default <span class="nv">$ </span><span class="nb">sudo </span>vim /etc/nginx/sites-available/&lt;your-url&gt; <span class="c"># Example conf</span> server <span class="o">{</span> server_name &lt;your-url&gt;<span class="p">;</span> <span class="c"># server_name _;</span> root /home/devops/&lt;your-url&gt;/current/public<span class="p">;</span> <span class="c">#client_max_body_size 25m; # Set max upload size</span> passenger_enabled on<span class="p">;</span> passenger_app_env production<span class="p">;</span> <span class="c"># Uncomment if you use ActionCable and/or Turbo Streams</span> <span class="c"># location /cable {</span> <span class="c"># passenger_app_group_name APPNAME_ws;</span> <span class="c"># passenger_force_max_concurrent_requests_per_process 0;</span> <span class="c"># }</span> location ~ ^/assets <span class="o">{</span> expires max<span class="p">;</span> gzip_static on<span class="p">;</span> <span class="o">}</span> listen 80<span class="p">;</span> listen <span class="o">[</span>::]:80<span class="p">;</span> <span class="o">}</span> <span class="nv">$ </span><span class="nb">sudo ln</span> <span class="nt">-s</span> /etc/nginx/sites-available/&lt;your-url&gt; /etc/nginx/sites-enabled/&lt;your-url&gt; <span class="nv">$ </span><span class="nb">sudo </span>service nginx restart <span class="c"># Check error log if required (like after deploy)</span> <span class="nv">$ </span><span class="nb">sudo </span>vim /var/log/nginx/error.log </code></pre> </div> <h3> Install SSL cert </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">sudo </span>apt <span class="nb">install </span>snapd <span class="nv">$ </span><span class="nb">sudo </span>snap <span class="nb">install </span>core<span class="p">;</span> <span class="nb">sudo </span>snap refresh core <span class="nv">$ </span><span class="nb">sudo </span>snap <span class="nb">install</span> <span class="nt">--classic</span> certbot <span class="nv">$ </span><span class="nb">sudo </span>certbot <span class="nt">--nginx</span> <span class="c"># Follow instructions</span> </code></pre> </div> <h3> Enable HTTP2 on nginx </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">sudo </span>vim /etc/nginx/sites-available/&lt;your-url&gt; <span class="c"># Add http2 to listen command, see below</span> <span class="c"># listen [::]:443 ssl http2 ipv6only=on;</span> <span class="c"># listen 443 ssl http2;</span> <span class="nv">$ </span><span class="nb">sudo </span>service nginx restart </code></pre> </div> <h2> Install postgresql [remote] </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">sudo </span>apt <span class="nb">install </span>postgresql postgresql-contrib libpq-dev <span class="nv">$ </span><span class="nb">sudo </span>service postgresql@14-main status <span class="nv">$ </span><span class="nb">sudo </span>su - postgres <span class="c"># execute the following as postgres user</span> <span class="nv">$ </span>createuser <span class="nt">--pwprompt</span> postgres_production <span class="c"># Enter password</span> <span class="nv">$ </span>createdb <span class="nt">-O</span> postgres_production &lt;your-app-name&gt;_production <span class="c"># check db existence with 'psql' then '\l', quit with '\q'</span> <span class="nv">$ </span><span class="nb">exit</span> </code></pre> </div> <h2> Set env vars [remote] </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">mkdir</span> ~/&lt;your-url&gt; <span class="nv">$ </span><span class="nb">cd</span> ~/&lt;your-url&gt; <span class="nv">$ </span>vim .rbenv-vars <span class="c"># Required: </span> <span class="nv">RAILS_MASTER_KEY</span><span class="o">=</span>&lt;master.key content&gt; <span class="nv">SECRET_KEY_BASE</span><span class="o">=</span>&lt;some random sequence&gt; <span class="c"># use local bundle exec rake secret</span> <span class="nv">RAILS_ENV</span><span class="o">=</span>production </code></pre> </div> <h2> capistrano setup (once per project) [local] </h2> <p>Add capistrano gems to <code>development</code> group in your <code>Gemfile</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>group :development do ... # Deployment gem 'capistrano', "~&gt; 3.17", require: false gem 'capistrano-rails', "~&gt; 1.6", "&gt;= 1.6.2", require: false gem 'capistrano-passenger', "~&gt; 0.2", "&gt;= 0.2.1", require: false gem 'capistrano-rbenv', "~&gt; 2.2", require: false gem 'ed25519', '&gt;= 1.2', '&lt; 2.0', require: false gem 'bcrypt_pbkdf', '&gt;= 1.0', '&lt; 2.0', require: false ... end </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>bundle <span class="nb">install</span> <span class="nv">$ </span>bundle <span class="nb">exec </span>cap <span class="nb">install</span> </code></pre> </div> <p>in the file <code>Capfile</code> require the following modules<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="nb">require</span> <span class="s2">"capistrano/rbenv"</span> <span class="nb">require</span> <span class="s2">"capistrano/rails"</span> <span class="nb">require</span> <span class="s2">"capistrano/passenger"</span> </code></pre> </div> <p>in the file <code>config/deploy.rb</code> set the following configs<br> add your public SSH key to github<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="n">set</span> <span class="ss">:rbenv_ruby</span><span class="p">,</span> <span class="s1">'3.2.0'</span> <span class="n">set</span> <span class="ss">:application</span><span class="p">,</span> <span class="s2">"&lt;your-url&gt;"</span> <span class="n">set</span> <span class="ss">:repo_url</span><span class="p">,</span> <span class="s2">"git@github.com:&lt;your_github_handle&gt;/&lt;your_github_repo&gt;.git"</span> <span class="n">set</span> <span class="ss">:deploy_to</span><span class="p">,</span> <span class="s2">"~/</span><span class="si">#{</span><span class="n">fetch</span> <span class="ss">:application</span><span class="si">}</span><span class="s2">"</span> <span class="c1"># Issue with propshaft as asset pipwlinw</span> <span class="c1"># See: https://github.com/capistrano/rails/issues/257</span> <span class="c1"># Workaround</span> <span class="n">set</span> <span class="ss">:assets_manifests</span><span class="p">,</span> <span class="o">-&gt;</span> <span class="p">{</span> <span class="p">[</span><span class="n">release_path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="s2">"public"</span><span class="p">,</span> <span class="n">fetch</span><span class="p">(</span><span class="ss">:assets_prefix</span><span class="p">),</span> <span class="s1">'.manifest.json'</span><span class="p">)]</span> <span class="p">}</span> </code></pre> </div> <p>in the file <code>config/deploy.rb</code> set the following configs<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="n">server</span> <span class="s1">'&lt;your-url&gt;'</span><span class="p">,</span> <span class="ss">user: </span><span class="s1">'devops'</span><span class="p">,</span> <span class="ss">roles: </span><span class="sx">%w{app db web}</span> <span class="n">set</span> <span class="ss">:branch</span><span class="p">,</span> <span class="s2">"main"</span> </code></pre> </div> <h2> Deploy [local] </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="c"># if ssh-key is not recognized run the following two commands</span> <span class="nv">$ </span><span class="nb">eval</span> <span class="sb">`</span>ssh-agent<span class="sb">`</span> <span class="nv">$ </span>ssh-add ~/.ssh/id_rsa <span class="c"># Deployment</span> <span class="nv">$ </span>cap production deploy </code></pre> </div> <h2> Security (optional but recommended) [remote] </h2> <h3> Set up firewall </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">sudo </span>ufw default allow outgoing <span class="nv">$ </span><span class="nb">sudo </span>ufw default deny incoming <span class="nv">$ </span><span class="nb">sudo </span>ufw allow ssh <span class="nv">$ </span><span class="nb">sudo </span>ufw allow 80/tcp comment <span class="s1">'accept http'</span> <span class="nv">$ </span><span class="nb">sudo </span>ufw allow 443/tcp comment <span class="s1">'accept https'</span> <span class="nv">$ </span><span class="nb">sudo </span>ufw <span class="nb">enable</span> <span class="nv">$ </span><span class="nb">sudo </span>ufw status </code></pre> </div> <h3> Set up fail2ban </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">sudo sudo </span>apt update<span class="p">;</span> <span class="nb">sudo </span>apt upgrade <span class="nv">$ </span><span class="nb">sudo </span>apt <span class="nb">install </span>fail2ban <span class="nv">$ </span><span class="c"># sudo apt install sendmail # do this only if you want to config sending fail2ban reports</span> <span class="nv">$ </span><span class="nb">sudo </span>systemctl <span class="nb">enable </span>fail2ban <span class="nv">$ </span><span class="nb">sudo </span>systemctl start fail2ban <span class="c"># .local files overwrite values from .conf files</span> <span class="nv">$ </span><span class="nb">sudo cp</span> /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.local <span class="nv">$ </span><span class="nb">sudo </span>vim /etc/fail2ban/fail2ban.local <span class="nv">$ </span><span class="nb">sudo cp</span> /etc/fail2ban/jail.conf /etc/fail2ban/jail.local <span class="c"># This is the main config file, defaults for sshd are ok</span> <span class="nv">$ </span><span class="nb">sudo </span>vim /etc/fail2ban/jail.local <span class="nv">$ </span><span class="nb">sudo </span>fail2ban-client status <span class="c"># detail of sshd jail</span> <span class="nv">$ </span><span class="nb">sudo </span>fail2ban-client status sshd </code></pre> </div> <p>How did your deployment go? Anything you like to do differently? Leave a comment below!</p> help webdev website ui Rails 7 new production install: from zero to deploy (Ubuntu 20.04 edition) 1klap Tue, 01 Feb 2022 12:54:16 +0000 https://dev.to/1klap/rails-7-new-production-install-from-zero-to-deploy-ubuntu-2004-edition-10d1 https://dev.to/1klap/rails-7-new-production-install-from-zero-to-deploy-ubuntu-2004-edition-10d1 <p>This is my recipe to install a brand new Rails 7 app <strong>without</strong> Node pipeline on a fresh Ubuntu 20.04 server with shell access.</p> <p>Ingredients:</p> <ul> <li>Ubuntu 20.04</li> <li>rbenv and Ruby 3.0.3</li> <li>Rails 7 without Node.js</li> <li>Postgres and Redis</li> <li>Nginx, Passenger, Capistrano</li> </ul> <p><strong>Note</strong>: Replace UPPERCASE words with your own setup details.<br> <strong>Note 2</strong>: I use vim to edit files, you can and should replace <code>vim</code> with <code>nano</code> or any other editor of choice if you're not familiar with it.<br> <strong>Note 3</strong>: Always use random and long passwords, don't share them between applications and don't lose them. Also never commit unencrypted secrets to public repos.</p> <blockquote> <p>This recipe works for me, but I would love to hear your thoughts on how it went for you! If something breaks or you do it differently, leave a comment below so I and the community can discuss and help out.</p> </blockquote> <h2> SSH Setup </h2> <h4> Local </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">$ </span>ssh root@SERVER_IP_ADDRESS <span class="c"># Enter password</span> </code></pre> </div> <h4> Remote </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">$ </span>adduser deploy <span class="c"># Create password, skip rest</span> <span class="nv">$ </span>adduser deploy <span class="nb">sudo</span> <span class="nv">$ </span><span class="nb">exit</span> </code></pre> </div> <h4> Local - (optional) Add sshkey for easier login </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="c"># You need a ssh-key generated beforehand, run command</span> <span class="c"># below if you never did that before and follow instructions</span> <span class="c"># ssh-keygen </span> <span class="nv">$ </span>ssh-copy-id deploy@SERVER_IP_ADDRESS <span class="c"># Enter password</span> <span class="nv">$ </span>ssh deploy@SERVER_IP_ADDRESS </code></pre> </div> <h4> Remote - (optional) Disallow root login via ssh </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">$ </span><span class="nb">sudo </span>vim /etc/ssh/sshd_config <span class="c"># Set line 'PermitRootLogin yes' to 'PermitRootLogin no'</span> <span class="nv">$ </span><span class="nb">sudo </span>service sshd restart </code></pre> </div> <h4> Remote - (optional) Set hostname </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">$ </span><span class="nb">sudo </span>hostnamectl set-hostname HOSTNAME <span class="nv">$ </span><span class="nb">sudo </span>hostnamectl </code></pre> </div> <h2> rbenv and Ruby install </h2> <h4> Remote </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">$ </span><span class="nb">sudo </span>apt update<span class="p">;</span> <span class="nb">sudo </span>apt upgrade <span class="nt">-y</span> <span class="nv">$ </span><span class="nb">sudo </span>apt <span class="nb">install </span>rbenv <span class="nv">$ </span>rbenv init <span class="c"># Follow instructions: append 'eval "$(rbenv init -)"' to ~/.bashrc</span> <span class="nv">$ </span><span class="nb">source</span> ~/.bashrc <span class="c"># or disconnect and reconnect</span> <span class="nv">$ </span><span class="nb">mkdir</span> <span class="nt">-p</span> <span class="s2">"</span><span class="si">$(</span>rbenv root<span class="si">)</span><span class="s2">"</span>/plugins <span class="nv">$ </span><span class="nb">sudo </span>apt <span class="nb">install </span>git <span class="nv">$ </span>git clone https://github.com/rbenv/ruby-build.git <span class="s2">"</span><span class="si">$(</span>rbenv root<span class="si">)</span><span class="s2">"</span>/plugins/ruby-build <span class="nv">$ </span>git clone https://github.com/rbenv/rbenv-vars.git <span class="s2">"</span><span class="si">$(</span>rbenv root<span class="si">)</span><span class="s2">"</span>/plugins/rbenv-vars <span class="nv">$ </span>curl <span class="nt">-fsSL</span> https://github.com/rbenv/rbenv-installer/raw/main/bin/rbenv-doctor | bash <span class="nv">$ </span>rbenv <span class="nb">install </span>3.0.3 </code></pre> </div> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fre1qu01y8lz3lar7w4p0.jpg" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fre1qu01y8lz3lar7w4p0.jpg" alt="Baking Ingredients"></a></p> <blockquote> <p>Image by <a href="https://www.rawpixel.com" rel="noopener noreferrer">rawpixel</a></p> </blockquote> <h2> Webserver Setup </h2> <h4> Nginx install (remote) </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">$ </span><span class="nb">sudo </span>apt <span class="nb">install </span>nginx </code></pre> </div> <h4> Passenger install (remote) </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">$ </span><span class="nb">sudo </span>apt-key adv <span class="nt">--keyserver</span> hkp://keyserver.ubuntu.com:80 <span class="nt">--recv-keys</span> 561F9B9CAC40B2F7 <span class="nv">$ </span><span class="nb">sudo </span>sh <span class="nt">-c</span> <span class="s1">'echo deb https://oss-binaries.phusionpassenger.com/apt/passenger focal main &gt; /etc/apt/sources.list.d/passenger.list'</span> <span class="nv">$ </span><span class="nb">sudo </span>apt <span class="nb">install </span>ca-certificates <span class="nv">$ </span><span class="nb">sudo </span>apt update <span class="nv">$ </span><span class="nb">sudo </span>apt <span class="nb">install </span>libnginx-mod-http-passenger <span class="nv">$ </span><span class="k">if</span> <span class="o">[</span> <span class="o">!</span> <span class="nt">-f</span> /etc/nginx/modules-enabled/50-mod-http-passenger.conf <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">sudo ln</span> <span class="nt">-s</span> /usr/share/nginx/modules-available/mod-http-passenger.load /etc/nginx/modules-enabled/50-mod-http-passenger.conf <span class="p">;</span> <span class="k">fi</span> <span class="nv">$ </span><span class="nb">sudo ls</span> /etc/nginx/conf.d/mod-http-passenger.conf <span class="c"># Verify that file exists</span> <span class="nv">$ </span><span class="nb">sudo </span>vim /etc/nginx/conf.d/mod-http-passenger.conf <span class="c"># Change passenger_ruby line to to following (without #): </span> <span class="c"># passenger_ruby /home/deploy/.rbenv/shims/ruby;</span> <span class="nv">$ </span><span class="nb">sudo </span>service nginx restart <span class="nv">$ </span><span class="nb">sudo</span> /usr/bin/passenger-config validate-install <span class="nv">$ </span><span class="nb">sudo</span> /usr/sbin/passenger-memory-stats </code></pre> </div> <h4> Config Nginx (remote) </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">$ </span><span class="nb">sudo rm</span> /etc/nginx/sites-enabled/default <span class="nv">$ </span><span class="nb">sudo </span>vim /etc/nginx/sites-available/APPNAME </code></pre> </div> <p>Insert content below</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> server { listen 80; listen [::]:80; server_name YOUR_DOMAIN.ORG; # If you deploy without DNS and SSL, you could leave servername blank like below # server_name _; root /home/deploy/APPNAME/current/public; client_max_body_size 10m; # Set max upload size passenger_enabled on; passenger_app_env production; passenger_env_var RUBYOPT '-r bundler/setup'; # Cf issue: https://github.com/phusion/passenger/issues/2409 # Uncomment if you use ActionCable and/or Turbo Streams # location /cable { # passenger_app_group_name APPNAME_ws; # passenger_force_max_concurrent_requests_per_process 0; # } location ~ ^/assets { expires max; gzip_static on; } } </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">$ </span><span class="nb">sudo ln</span> <span class="nt">-s</span> /etc/nginx/sites-available/APPNAME /etc/nginx/sites-enabled/APPNAME <span class="nv">$ </span><span class="nb">sudo </span>service nginx reload </code></pre> </div> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fki715rkehq8ltsk0b43g.jpg" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fki715rkehq8ltsk0b43g.jpg" alt="Dough formed to bread buns"></a></p> <blockquote> <p>Image by <a href="https://www.rawpixel.com" rel="noopener noreferrer">rawpixel</a></p> </blockquote> <h2> Database Setup </h2> <h4> Postgres install (remote) </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">$ </span><span class="nb">sudo </span>apt <span class="nb">install </span>postgresql postgresql-contrib libpq-dev <span class="nv">$ </span><span class="nb">sudo </span>service postgresql@12-main status <span class="nv">$ </span><span class="nb">sudo </span>su - postgres <span class="nv">$ </span>createuser <span class="nt">--pwprompt</span> deploy <span class="c"># Enter password</span> <span class="nv">$ </span>createdb <span class="nt">-O</span> deploy DBNAME <span class="c"># check db existence with 'psql' then '\l', quit with '\q'</span> <span class="nv">$ </span><span class="nb">exit</span> </code></pre> </div> <h4> Redis install (remote) - Skip if you don't use ActionCable or Turbo Streams </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">$ </span><span class="nb">sudo </span>apt <span class="nb">install </span>redis <span class="nv">$ </span><span class="nb">sudo </span>service redis-server status </code></pre> </div> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fadkxmbj04hudgwk5lwp7.jpg" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fadkxmbj04hudgwk5lwp7.jpg" alt="Bread getting a final touch of flour"></a></p> <blockquote> <p>Image by <a href="https://www.rawpixel.com" rel="noopener noreferrer">rawpixel</a></p> </blockquote> <h2> Deploy Tool config - Capistrano </h2> <h4> Local </h4> <p>Add to <code>Gemfile</code></p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code> <span class="n">group</span> <span class="ss">:development</span> <span class="k">do</span> <span class="c1"># ...</span> <span class="n">gem</span> <span class="s1">'capistrano'</span> <span class="n">gem</span> <span class="s1">'capistrano-rails'</span> <span class="n">gem</span> <span class="s1">'capistrano-passenger'</span> <span class="n">gem</span> <span class="s1">'capistrano-rbenv'</span> <span class="k">end</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">$ </span>bundle <span class="nb">install</span> <span class="nv">$ </span>bundle <span class="nb">exec </span>cap <span class="nb">install </span><span class="nv">STAGES</span><span class="o">=</span>production </code></pre> </div> <p>Add to <code>Capfile</code></p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code> <span class="nb">require</span> <span class="s1">'capistrano/rails'</span> <span class="nb">require</span> <span class="s1">'capistrano/passenger'</span> <span class="nb">require</span> <span class="s1">'capistrano/rbenv'</span> <span class="n">set</span> <span class="ss">:rbenv_type</span><span class="p">,</span> <span class="ss">:user</span> <span class="n">set</span> <span class="ss">:rbenv_ruby</span><span class="p">,</span> <span class="s1">'3.0.3'</span> </code></pre> </div> <p>Edit <code>config/deploy.rb</code></p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code> <span class="n">set</span> <span class="ss">:application</span><span class="p">,</span> <span class="s2">"APPNAME"</span> <span class="n">set</span> <span class="ss">:repo_url</span><span class="p">,</span> <span class="s2">"git@github.com:USERNAME/APPNAME.git"</span> <span class="c1"># Also works with non-github repos, I roll my own gitolite server</span> <span class="n">set</span> <span class="ss">:deploy_to</span><span class="p">,</span> <span class="s2">"/home/deploy/</span><span class="si">#{</span><span class="n">fetch</span> <span class="ss">:application</span><span class="si">}</span><span class="s2">"</span> <span class="n">set</span> <span class="ss">:rbenv_prefix</span><span class="p">,</span> <span class="s1">'/usr/bin/rbenv exec'</span> <span class="c1"># Cf issue: https://github.com/capistrano/rbenv/issues/96</span> <span class="n">append</span> <span class="ss">:linked_dirs</span><span class="p">,</span> <span class="s1">'log'</span><span class="p">,</span> <span class="s1">'tmp/pids'</span><span class="p">,</span> <span class="s1">'tmp/cache'</span><span class="p">,</span> <span class="s1">'tmp/sockets'</span><span class="p">,</span> <span class="s1">'vendor/bundle'</span><span class="p">,</span> <span class="s1">'.bundle'</span><span class="p">,</span> <span class="s1">'public/system'</span><span class="p">,</span> <span class="s1">'public/uploads'</span> </code></pre> </div> <p>Edit <code>config/deploy/production.rb</code></p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code> <span class="n">server</span> <span class="s1">'IP ADDRESS or DOMAIN'</span><span class="p">,</span> <span class="ss">user: </span><span class="s1">'deploy'</span><span class="p">,</span> <span class="ss">roles: </span><span class="sx">%w{app db web}</span> </code></pre> </div> <blockquote> <p>Parts of this section are inspired from <a href="https://gorails.com/deploy/ubuntu/20.04" rel="noopener noreferrer">GoRails</a></p> </blockquote> <h2> Deployment </h2> <h4> Remote - Prepare env vars </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">$ </span><span class="nb">mkdir</span> ~/APPNAME <span class="nv">$ </span>vim ~/APPNAME/.rbenv-vars <span class="c"># Set envvars like</span> <span class="c"># DATABASE_URL=postgresql://deploy:PASSWORD@127.0.0.1/APPNAME</span> <span class="c"># This above can also be set in your database.yml file in your rails project if you prefer...</span> <span class="c"># RAILS_MASTER_KEY=YOUR_KEY_IN_master.key</span> <span class="c"># SECRET_KEY_BASE=SOME_OTHER_RANDOM_KEY</span> </code></pre> </div> <h4> Local - Deploy! 🍾🍾🍾 </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">$ </span>bundle <span class="nb">exec </span>cap production deploy <span class="c"># Go visit your page already!</span> </code></pre> </div> <h4> Remote - Connect to console </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">$ </span><span class="nb">cd </span>APPNAME/current <span class="nv">$ </span>bundle <span class="nb">exec </span>rails c <span class="c"># You need to have the debug gem in prod env enabled! (Gemfile)</span> </code></pre> </div> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F11l5iqft8jac69wcnv6f.jpg" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F11l5iqft8jac69wcnv6f.jpg" alt="Bread bun being cut open"></a></p> <blockquote> <p>Image by <a href="https://www.rawpixel.com" rel="noopener noreferrer">rawpixel</a></p> </blockquote> <h2> DevOps Toolbox </h2> <p>These tools help you to stay on top of your DevOps game, if you have any other recommendations, leave a comment below.</p> <h4> Remote </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">$ </span>top <span class="nv">$ </span>netstat <span class="nt">-nlp</span> <span class="nv">$ </span><span class="nb">tail</span> <span class="nt">-100</span> PATH_TO_LOGFILE <span class="nv">$ </span>hostnamectl <span class="nv">$ </span><span class="nb">df</span> <span class="nt">-h</span> <span class="nv">$ </span><span class="nb">sudo du</span> <span class="nt">-h</span> <span class="nt">-d</span> 1 / </code></pre> </div> <h4> Local </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">$ </span>dig DOMAIN </code></pre> </div> <h2> Bonus #1 - Install SSL </h2> <p>You need to have your DNS A-Record set up beforehand</p> <h4> Remote - Install Certbot </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nv">$ </span><span class="nb">sudo </span>apt <span class="nb">install </span>snapd <span class="nv">$ </span><span class="nb">sudo </span>snap <span class="nb">install </span>core<span class="p">;</span> <span class="nb">sudo </span>snap refresh core <span class="nv">$ </span><span class="nb">sudo </span>snap <span class="nb">install</span> <span class="nt">--classic</span> certbot <span class="nv">$ </span><span class="nb">sudo ln</span> <span class="nt">-s</span> /snap/bin/certbot /usr/bin/certbot <span class="nv">$ </span><span class="nb">sudo </span>certbot <span class="nt">--nginx</span> </code></pre> </div> <h2> Bonus #2 - Enable HTTP2 </h2> <h4> Remote </h4> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> $ sudo vim /etc/nginx/sites-available/APPNAME # Add http2 to listem command, see below # listen [::]:443 ssl http2 ipv6only=on; # listen 443 ssl http2; $ sudo service nginx restart </code></pre> </div> <p>How was your last deploy or are you planning your first one? What were the biggest hurdles you had to jump? What are you doing differently? Feel free to join the discussion below</p> <blockquote> <p>Top image by <a href="https://www.rawpixel.com" rel="noopener noreferrer">rawpixel</a></p> </blockquote> rails ubuntu nginx devops