DEV Community: ruwhan The latest articles on DEV Community by ruwhan (@ruwhan). https://dev.to/ruwhan https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F37225%2F834c8efb-4ad9-4f14-a0bc-91cd8e48ad43.jpeg DEV Community: ruwhan https://dev.to/ruwhan en [Part 2] Rails 8 Authentication but with JWT ruwhan Sat, 18 Jan 2025 15:16:44 +0000 https://dev.to/ruwhan/part-2-rails-8-authentication-but-with-jwt-2fd8 https://dev.to/ruwhan/part-2-rails-8-authentication-but-with-jwt-2fd8 <h2> Overview </h2> <p>In the previous part, we've already covered how to setup, and encode our user object. There are still some parts missing, how do we decode and send the token, and how it will affect our API endpoints to be faster and more efficient.</p> <p>The functions already there, in <code>app/controllers/concern/Authentication.rb</code>, we already have, <code>decode</code>, <code>current_user</code>, get_token, we gonna use them here.</p> <h2> Authenticating the Requests </h2> <p>We will need to create a new endpoint, for the first case, let's create a <code>GET /users/me</code> API endpoint.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>rails g controller v1/UsersController </code></pre> </div> <p>It will create a ruby file, <code>app/controllers/v1/users_controller.rb</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="k">module</span> <span class="nn">V1</span> <span class="k">class</span> <span class="nc">UsersController</span> <span class="o">&lt;</span> <span class="no">ApplicationController</span> <span class="k">def</span> <span class="nf">me</span> <span class="k">if</span> <span class="n">current_user</span> <span class="n">render</span> <span class="ss">json: </span><span class="p">{</span> <span class="ss">user: </span><span class="n">current_user</span> <span class="p">},</span> <span class="ss">status: :ok</span> <span class="k">else</span> <span class="n">render</span> <span class="ss">json: </span><span class="p">{</span> <span class="ss">error: </span><span class="s2">"Invalid token"</span> <span class="p">},</span> <span class="ss">status: :unauthorized</span> <span class="k">end</span> <span class="k">end</span> <span class="k">end</span> <span class="k">end</span> </code></pre> </div> <h3> Update the Routes Config </h3> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code> <span class="n">namespace</span> <span class="ss">:v1</span> <span class="k">do</span> <span class="n">resources</span> <span class="ss">:auth</span><span class="p">,</span> <span class="ss">only: </span><span class="p">[</span><span class="ss">:create</span><span class="p">]</span> <span class="n">resources</span> <span class="ss">:users</span><span class="p">,</span> <span class="ss">only: </span><span class="p">[]</span> <span class="k">do</span> <span class="n">collection</span> <span class="k">do</span> <span class="n">get</span> <span class="ss">:me</span> <span class="k">end</span> <span class="k">end</span> <span class="k">end</span> </code></pre> </div> <p>To recall, in <a href="https://dev.to/ruwhan/part-1-rails-8-authentication-but-with-jwt-2if6">the 1st part</a>, we already create the <code>current_user</code> function in Authentication module, basically they just decode the token from the <code>Authorization</code> header, and will throw unauthenticated http error when token is not present or invalid.</p> <h3> Testing </h3> <p>Like we do in the first part of this article,<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-X</span> POST <span class="s2">"http://localhost:5000/v1/auth"</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="nt">-d</span> <span class="s2">"{</span><span class="se">\"</span><span class="s2">email_address</span><span class="se">\"</span><span class="s2">: </span><span class="se">\"</span><span class="s2">two@example.com</span><span class="se">\"</span><span class="s2">, </span><span class="se">\"</span><span class="s2">password</span><span class="se">\"</span><span class="s2">: </span><span class="se">\"</span><span class="s2">password</span><span class="se">\"</span><span class="s2">} </span></code></pre> </div> <p>If everything going right, we should get the token in the response body:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="nl">"token"</span><span class="p">:</span><span class="s2">"&lt;AUTH_TOKEN&gt;"</span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> Get the current user object </h3> <p>Now, let's shoot the <code>GET /users/me</code> API endpoint, e.g, using curl:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="s2">"http://localhost:5000/v1/users/me"</span> <span class="nt">-H</span> <span class="s2">"Authorization: bearer &lt;AUTH_TOKEN&gt;"</span> </code></pre> </div> <p>Since we are logged in using <a href="mailto:two@example.com">two@example.com</a> user email address, we should expect that from the response body:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"user"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="mi">298486374</span><span class="p">,</span><span class="w"> </span><span class="nl">"email_address"</span><span class="p">:</span><span class="w"> </span><span class="s2">"two@example.com"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Of course, the user <code>id</code> can be different.</p> <h2> Source Code </h2> <p>The code available in the GitHub repository: <a href="https://github.com/ruwhan/rails_jwt" rel="noopener noreferrer">https://github.com/ruwhan/rails_jwt</a>, I also add a simple case how to use current authenticated user related with other models.</p> <h2> Conclusion </h2> <p>In this 2nd part of the article, we learn how JWT can eliminate database access to check authenticated user, while using some library that has token based authentication, we check database each time we want to get the current logged in user.</p> rails jwt authentication [Part 1] Rails 8 Authentication but with JWT ruwhan Fri, 10 Jan 2025 01:06:14 +0000 https://dev.to/ruwhan/part-1-rails-8-authentication-but-with-jwt-2if6 https://dev.to/ruwhan/part-1-rails-8-authentication-but-with-jwt-2if6 <p>Rails 8 includes its own authentication generator. However, for API-only or RESTful APIs, this authentication scheme is not compatible because APIs are expected to be stateless.</p> <p>As a result, many developers prefer to modify the default setup to make it stateless and integrate JWT for authentication. One of the key advantages of JWT is its efficiency—it eliminates the need to access the database on each request to authenticate users.</p> <h2> Setting Up the Project </h2> <p>After creating an API-only Rails project with the command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>rails new rails_jwt <span class="nt">--api</span> </code></pre> </div> <p>navigate to the project root directory:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>rails_jwt </code></pre> </div> <ul> <li>Add Procfile, <code>touch Procfile</code> (optional). </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>web: bin/rails server -p $PORT </code></pre> </div> <ul> <li>Create the required gems, <code>bundle add bcrypt ruby-jwt</code>.</li> <li>Create the database, <code>bin/rails db:create</code> </li> </ul> <h2> Building The App </h2> <h3> Adding The Model </h3> <p>Adding the model, in this case User model, <code>bin/rails g model User</code>.</p> <p>The migration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="k">class</span> <span class="nc">CreateUsers</span> <span class="o">&lt;</span> <span class="no">ActiveRecord</span><span class="o">::</span><span class="no">Migration</span><span class="p">[</span><span class="mf">8.0</span><span class="p">]</span> <span class="k">def</span> <span class="nf">change</span> <span class="n">create_table</span> <span class="ss">:users</span> <span class="k">do</span> <span class="o">|</span><span class="n">t</span><span class="o">|</span> <span class="n">t</span><span class="p">.</span><span class="nf">string</span> <span class="ss">:email_address</span><span class="p">,</span> <span class="ss">null: </span><span class="kp">false</span> <span class="n">t</span><span class="p">.</span><span class="nf">string</span> <span class="ss">:password_digest</span><span class="p">,</span> <span class="ss">null: </span><span class="kp">false</span> <span class="n">t</span><span class="p">.</span><span class="nf">timestamps</span> <span class="k">end</span> <span class="k">end</span> <span class="k">end</span> </code></pre> </div> <p>The model:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="k">class</span> <span class="nc">User</span> <span class="o">&lt;</span> <span class="no">ApplicationRecord</span> <span class="n">has_secure_password</span> <span class="n">validates</span> <span class="ss">:email_address</span><span class="p">,</span> <span class="ss">presence: </span><span class="kp">true</span><span class="p">,</span> <span class="ss">uniqueness: </span><span class="kp">true</span> <span class="n">normalizes</span> <span class="ss">:email_address</span><span class="p">,</span> <span class="ss">with: </span><span class="o">-&gt;</span> <span class="p">(</span><span class="n">e</span><span class="p">)</span> <span class="p">{</span> <span class="n">e</span><span class="p">.</span><span class="nf">strip</span><span class="p">.</span><span class="nf">downcase</span> <span class="p">}</span> <span class="k">end</span> </code></pre> </div> <p>Migrate, <code>bin/rails db:migrate</code>. It will create the users table.</p> <p>Then, seed the db with <code>db:fixtures:load</code>. Generating <code>User</code> model will magically create the fixtures with default predefined user, we can use them to seed our <code>users</code> table for this article testing purpose. </p> <p>Please note that, it is recommended to use <code>bin/rails db:seed</code> to seed.</p> <h3> Adding the Authentication Module </h3> <p><code>app/controllers/concern/Authentication.rb</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="k">module</span> <span class="nn">Authentication</span> <span class="kp">extend</span> <span class="no">ActiveSupport</span><span class="o">::</span><span class="no">Concern</span> <span class="n">included</span> <span class="k">do</span> <span class="n">before_action</span> <span class="ss">:authenticate</span> <span class="k">end</span> <span class="n">class_methods</span> <span class="k">do</span> <span class="k">def</span> <span class="nf">allow_unauthenticated_access</span><span class="p">(</span><span class="o">**</span><span class="n">options</span><span class="p">)</span> <span class="n">skip_before_action</span> <span class="ss">:authenticate</span><span class="p">,</span> <span class="n">options</span> <span class="k">end</span> <span class="k">end</span> <span class="k">def</span> <span class="nf">encode</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span> <span class="n">now</span> <span class="o">=</span> <span class="no">Time</span><span class="p">.</span><span class="nf">now</span><span class="p">.</span><span class="nf">to_i</span> <span class="no">JWT</span><span class="p">.</span><span class="nf">encode</span><span class="p">(</span> <span class="p">{</span> <span class="ss">data: </span><span class="p">{</span> <span class="ss">id: </span><span class="n">payload</span><span class="p">.</span><span class="nf">id</span><span class="p">,</span> <span class="ss">email_address: </span><span class="n">payload</span><span class="p">.</span><span class="nf">email_address</span> <span class="p">},</span> <span class="ss">exp: </span><span class="n">now</span> <span class="o">+</span> <span class="mi">3</span><span class="p">.</span><span class="nf">minutes</span><span class="p">.</span><span class="nf">to_i</span><span class="p">,</span> <span class="ss">iat: </span><span class="n">now</span><span class="p">,</span> <span class="ss">iss: </span><span class="s2">"rails_jwt_api"</span><span class="p">,</span> <span class="ss">aud: </span><span class="s2">"rails_jwt_client"</span><span class="p">,</span> <span class="ss">sub: </span><span class="s2">"User"</span><span class="p">,</span> <span class="ss">jti: </span><span class="no">SecureRandom</span><span class="p">.</span><span class="nf">uuid</span><span class="p">,</span> <span class="ss">nbf: </span><span class="n">now</span> <span class="o">+</span> <span class="mi">1</span><span class="p">.</span><span class="nf">second</span><span class="p">.</span><span class="nf">to_i</span><span class="p">,</span> <span class="p">},</span> <span class="no">Rails</span><span class="p">.</span><span class="nf">application</span><span class="p">.</span><span class="nf">credentials</span><span class="p">.</span><span class="nf">jwt_secret</span><span class="p">,</span> <span class="s2">"HS256"</span><span class="p">,</span> <span class="p">{</span> <span class="ss">typ: </span><span class="s2">"JWT"</span><span class="p">,</span> <span class="ss">alg: </span><span class="s2">"HS256"</span> <span class="p">})</span> <span class="k">end</span> <span class="k">def</span> <span class="nf">decode</span> <span class="n">token</span> <span class="o">=</span> <span class="n">get_token</span> <span class="no">JWT</span><span class="p">.</span><span class="nf">decode</span><span class="p">(</span><span class="n">token</span><span class="p">,</span> <span class="no">Rails</span><span class="p">.</span><span class="nf">application</span><span class="p">.</span><span class="nf">credentials</span><span class="p">.</span><span class="nf">jwt_secret</span><span class="p">,</span> <span class="s1">'HS256'</span><span class="p">)</span> <span class="k">end</span> <span class="kp">private</span> <span class="k">def</span> <span class="nf">get_token</span> <span class="n">request</span><span class="p">.</span><span class="nf">headers</span><span class="p">[</span><span class="s2">"Authorization"</span><span class="p">].</span><span class="nf">split</span><span class="p">(</span><span class="s2">" "</span><span class="p">).</span><span class="nf">last</span> <span class="k">end</span> <span class="k">def</span> <span class="nf">current_user</span> <span class="n">decoded</span> <span class="o">=</span> <span class="n">decode</span> <span class="n">decoded</span><span class="p">.</span><span class="nf">first</span><span class="p">[</span><span class="s2">"data"</span><span class="p">].</span><span class="nf">with_indifferent_access</span> <span class="k">end</span> <span class="k">def</span> <span class="nf">authenticate</span> <span class="k">begin</span> <span class="k">if</span> <span class="n">current_user</span> <span class="n">current_user</span> <span class="k">else</span> <span class="n">render</span> <span class="ss">json: </span><span class="p">{</span> <span class="ss">error: </span><span class="s2">"Unauthorized"</span> <span class="p">},</span> <span class="ss">status: :unauthorized</span> <span class="k">end</span> <span class="k">rescue</span> <span class="no">JWT</span><span class="o">::</span><span class="no">ExpiredSignature</span> <span class="n">render</span> <span class="ss">json: </span><span class="p">{</span> <span class="ss">error: </span><span class="s2">"Token has expired"</span> <span class="p">},</span> <span class="ss">status: :unauthorized</span> <span class="k">end</span> <span class="k">end</span> <span class="k">end</span> </code></pre> </div> <p>Here, the authenticate function will handle error thrown when the token is already expired, and respond with 401.</p> <p>Next, let's add jwt_secret into our app credentials, since it is required to encode and decode the JWT. Without it, the JWT.encode and JWT.decode will throw an error.</p> <h3> Adding the JWT Secret </h3> <p>in the console, run <code>EDITOR=vim bin/rails credentials:edit</code>, and add the jwt_secret, e.g,<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Used as the base secret for all MessageVerifiers in Rails, including the one protecting cookies.</span> secret_key_base: 32b1ae8aa8953eba641519aba932dc5edf03fe1c9d5b12ca379d7eabe69fde9f4da02717159f2d69ea2ad47eb467edadb40c45160822a2bfe5d55a3ace8fd096 jwt_secret: jwt_secret_jwt_secret </code></pre> </div> <h3> Make the Authentication Available </h3> <p>Add them into ApplicationController,<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="k">class</span> <span class="nc">ApplicationController</span> <span class="o">&lt;</span> <span class="no">ActionController</span><span class="o">::</span><span class="no">API</span> <span class="kp">include</span> <span class="no">Authentication</span> <span class="k">end</span> </code></pre> </div> <h3> The API Endpoint </h3> <p>Let's create the AuthController, bin/rails g controller V1/Auth,<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="k">module</span> <span class="nn">V1</span> <span class="k">class</span> <span class="nc">AuthController</span> <span class="o">&lt;</span> <span class="no">ApplicationController</span> <span class="n">allow_unauthenticated_access</span> <span class="ss">only: </span><span class="p">[</span><span class="ss">:create</span><span class="p">]</span> <span class="k">def</span> <span class="nf">create</span> <span class="vi">@current_user</span> <span class="o">=</span> <span class="no">User</span><span class="p">.</span><span class="nf">find_by</span><span class="p">(</span><span class="ss">email_address: </span><span class="n">params</span><span class="p">[</span><span class="ss">:email_address</span><span class="p">])</span> <span class="k">if</span> <span class="vi">@current_user</span> <span class="o">&amp;&amp;</span> <span class="vi">@current_user</span><span class="p">.</span><span class="nf">authenticate</span><span class="p">(</span><span class="n">params</span><span class="p">[</span><span class="ss">:password</span><span class="p">])</span> <span class="n">encoded_token</span> <span class="o">=</span> <span class="n">encode</span><span class="p">(</span><span class="vi">@current_user</span><span class="p">)</span> <span class="n">render</span> <span class="ss">json: </span><span class="p">{</span> <span class="ss">token: </span><span class="n">encoded_token</span> <span class="p">},</span> <span class="ss">status: :ok</span> <span class="k">else</span> <span class="n">render</span> <span class="ss">json: </span><span class="p">{</span> <span class="ss">error: </span><span class="s2">"Invalid email or password"</span> <span class="p">},</span> <span class="ss">status: :unauthorized</span> <span class="k">end</span> <span class="k">end</span> <span class="k">end</span> <span class="k">end</span> </code></pre> </div> <p>Now, let's add the route in app/config/routes.rb, so that we will have <code>POST /v1/auth</code> endpoint.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="no">Rails</span><span class="p">.</span><span class="nf">application</span><span class="p">.</span><span class="nf">routes</span><span class="p">.</span><span class="nf">draw</span> <span class="k">do</span> <span class="c1"># Define your application routes per the DSL in https://guides.rubyonrails.org/routing.html</span> <span class="n">namespace</span> <span class="ss">:v1</span> <span class="k">do</span> <span class="n">resources</span> <span class="ss">:auth</span><span class="p">,</span> <span class="ss">only: </span><span class="p">[</span><span class="ss">:create</span><span class="p">]</span> <span class="k">end</span> <span class="n">get</span> <span class="s2">"up"</span> <span class="o">=&gt;</span> <span class="s2">"rails/health#show"</span><span class="p">,</span> <span class="ss">as: :rails_health_check</span> <span class="c1"># Defines the root path route ("/")</span> <span class="c1"># root "posts#index"</span> <span class="k">end</span> </code></pre> </div> <p>We can test them by:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-X</span> POST <span class="s2">"http://localhost:5000/v1/auth"</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="nt">-d</span> <span class="s2">"{</span><span class="se">\"</span><span class="s2">email_address</span><span class="se">\"</span><span class="s2">: </span><span class="se">\"</span><span class="s2">two@example.com</span><span class="se">\"</span><span class="s2">, </span><span class="se">\"</span><span class="s2">password</span><span class="se">\"</span><span class="s2">: </span><span class="se">\"</span><span class="s2">password</span><span class="se">\"</span><span class="s2">}"</span> </code></pre> </div> <p>we should get the token in the response body:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">{</span><span class="s2">"token"</span>:<span class="s2">"&lt;AUTH_TOKEN&gt;"</span><span class="o">}</span> </code></pre> </div> <h2> Conclusion </h2> <p>In this first part, we explored how to implement JWT authentication in a Rails application. However, some functions, such as decode and current_user from the Authentication module, have not yet been fully covered. We will address these and other features in the next part.</p> <p>EDIT: Part 2 available at <a href="https://dev.to/ruwhan/part-2-rails-8-authentication-but-with-jwt-2fd8">https://dev.to/ruwhan/part-2-rails-8-authentication-but-with-jwt-2fd8</a></p> rails jwt authentication jwt ruwhan Tue, 31 Dec 2024 13:44:18 +0000 https://dev.to/ruwhan/jwt-4mf7 https://dev.to/ruwhan/jwt-4mf7 api