The latest articles on DEV Community by Alexander Kustov (@alexanderkustov). https://dev.to/alexanderkustov https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F372773%2Ff86ebe43-2167-46e8-a338-97b703ed9b53.jpg https://dev.to/alexanderkustov en Alexander Kustov Mon, 13 Feb 2023 07:40:28 +0000 https://dev.to/alexanderkustov/create-a-rails-7-api-with-jwt-in-2023-h7j https://dev.to/alexanderkustov/create-a-rails-7-api-with-jwt-in-2023-h7j <p>Make sure you're running the latest stable Rails, Rails 7.0.4.2</p> <ul> <li>Create a new Rails app with the --api option to generate an API-only Rails app:</li> </ul> <p><code>rails new my_rails_jwt_api --api</code></p> <ul> <li>Add the jwt gem to your Gemfile and run bundle install to install it:</li> </ul> <p><code>gem 'jwt'</code></p> <ul> <li>Uncomment the bcrypt gem in your Gemfile and run bundle install to install it:</li> </ul> <p><code>gem "bcrypt", "~&gt; 3.1.7"</code></p> <ul> <li>Generate a User model with the necessary attributes for authentication (e.g. email and password_digest):</li> </ul> <p><code>rails g model User email password_digest</code></p> <ul> <li>Add has_secure_password to your User model to encrypt the password: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="k">class</span> <span class="nc">User</span> <span class="o">&lt;</span> <span class="no">ApplicationRecord</span> <span class="n">has_secure_password</span> <span class="k">end</span> </code></pre> </div> <ul> <li>Create a SessionsController to handle user authentication:</li> </ul> <p><code>rails g controller Sessions</code></p> <ul> <li>In the SessionsController, create an action that accepts a user's credentials (e.g. email and password) and returns a JWT if the credentials are valid: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="k">class</span> <span class="nc">SessionsController</span> <span class="o">&lt;</span> <span class="no">ApplicationController</span> <span class="n">skip_before_action</span> <span class="ss">:authenticate_request</span> <span class="k">def</span> <span class="nf">create</span> <span class="n">user</span> <span class="o">=</span> <span class="no">User</span><span class="p">.</span><span class="nf">find_by</span><span class="p">(</span><span class="ss">email: </span><span class="n">params</span><span class="p">[</span><span class="ss">:email</span><span class="p">])</span> <span class="k">if</span> <span class="n">user</span><span class="o">&amp;</span><span class="p">.</span><span class="nf">authenticate</span><span class="p">(</span><span class="n">params</span><span class="p">[</span><span class="ss">:password</span><span class="p">])</span> <span class="n">jwt</span> <span class="o">=</span> <span class="no">JWT</span><span class="p">.</span><span class="nf">encode</span><span class="p">({</span> <span class="ss">user_id: </span><span class="n">user</span><span class="p">.</span><span class="nf">id</span> <span class="p">},</span> <span class="no">Rails</span><span class="p">.</span><span class="nf">application</span><span class="p">.</span><span class="nf">secrets</span><span class="p">.</span><span class="nf">secret_key_base</span><span class="p">)</span> <span class="n">render</span> <span class="ss">json: </span><span class="p">{</span> <span class="ss">jwt: </span><span class="n">jwt</span> <span class="p">}</span> <span class="k">else</span> <span class="n">render</span> <span class="ss">json: </span><span class="p">{</span> <span class="ss">error: </span><span class="s1">'Invalid credentials'</span> <span class="p">},</span> <span class="ss">status: :unauthorized</span> <span class="k">end</span> <span class="k">end</span> <span class="k">end</span> </code></pre> </div> <ul> <li><p>Note that we're using Rails' secrets.secret_key_base to sign the JWT. You can generate a secret key with rails secret.</p></li> <li><p>In your ApplicationController, define a method to extract the JWT from the request headers and verify it:<br> </p></li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="k">class</span> <span class="nc">ApplicationController</span> <span class="o">&lt;</span> <span class="no">ActionController</span><span class="o">::</span><span class="no">API</span> <span class="n">before_action</span> <span class="ss">:authenticate_request</span> <span class="k">def</span> <span class="nf">authenticate_request</span> <span class="n">header</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="nf">headers</span><span class="p">[</span><span class="s1">'Authorization'</span><span class="p">]</span> <span class="n">token</span> <span class="o">=</span> <span class="n">header</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="s1">' '</span><span class="p">).</span><span class="nf">last</span> <span class="k">if</span> <span class="n">header</span> <span class="k">begin</span> <span class="n">decoded</span> <span class="o">=</span> <span class="no">JWT</span><span class="p">.</span><span class="nf">decode</span><span class="p">(</span><span class="n">token</span><span class="p">,</span> <span class="no">Rails</span><span class="p">.</span><span class="nf">application</span><span class="p">.</span><span class="nf">secrets</span><span class="p">.</span><span class="nf">secret_key_base</span><span class="p">,</span> <span class="kp">true</span><span class="p">,</span> <span class="ss">algorithm: </span><span class="s1">'HS256'</span><span class="p">)</span> <span class="vi">@current_user_id</span> <span class="o">=</span> <span class="n">decoded</span><span class="p">[</span><span class="mi">0</span><span class="p">][</span><span class="s1">'user_id'</span><span class="p">]</span> <span class="k">rescue</span> <span class="no">JWT</span><span class="o">::</span><span class="no">DecodeError</span> <span class="n">render</span> <span class="ss">json: </span><span class="p">{</span> <span class="ss">error: </span><span class="s1">'Invalid token'</span> <span class="p">},</span> <span class="ss">status: :unauthorized</span> <span class="k">end</span> <span class="k">end</span> <span class="k">end</span> </code></pre> </div> <ul> <li><p>This will extract the JWT from the Authorization header and decode it using the same secret key as before. If the JWT is valid, we set @current_user_id to the user ID contained in the token.</p></li> <li><p>Finally, create an action in one of your controllers that requires authentication, and use @current_user_id to access the current user's data:<br> </p></li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="k">class</span> <span class="nc">UsersController</span> <span class="o">&lt;</span> <span class="no">ApplicationController</span> <span class="k">def</span> <span class="nf">show</span> <span class="n">user</span> <span class="o">=</span> <span class="no">User</span><span class="p">.</span><span class="nf">find</span><span class="p">(</span><span class="vi">@current_user_id</span><span class="p">)</span> <span class="n">render</span> <span class="ss">json: </span><span class="n">user</span> <span class="k">end</span> <span class="k">end</span> </code></pre> </div> <p>-Don't forget the routes<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code> <span class="no">Rails</span><span class="p">.</span><span class="nf">application</span><span class="p">.</span><span class="nf">routes</span><span class="p">.</span><span class="nf">draw</span> <span class="k">do</span> <span class="n">resources</span> <span class="ss">:users</span><span class="p">,</span> <span class="ss">only: </span><span class="p">[</span><span class="ss">:show</span><span class="p">]</span> <span class="n">resources</span> <span class="ss">:sessions</span><span class="p">,</span> <span class="ss">only: </span><span class="p">[</span><span class="ss">:create</span><span class="p">]</span> <span class="k">end</span> </code></pre> </div> <ul> <li>That's it! This is just a basic example, and there are many ways to implement JWT authentication in a Rails app. But this should give you a good starting point.</li> </ul> css webdev frontend discuss