The latest articles on DEV Community by Sebastian Sogamoso (@sogamoso). https://dev.to/sogamoso https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F55210%2Fcd476964-0d2d-46a8-8518-caa53d32e1de.jpg https://dev.to/sogamoso en Sebastian Sogamoso Tue, 19 May 2020 22:56:56 +0000 https://dev.to/sogamoso/rails-signed-ids-for-active-record-5b7o https://dev.to/sogamoso/rails-signed-ids-for-active-record-5b7o <p>Starting with version 6.1, <code>ActiveRecord</code> will support looking for records using signed IDs. This feature can be handy when doing things like resetting passwords, sending invitations, or doing email verification.</p> <p>Signed IDs have three characteristics:</p> <ul> <li>They are tamper-proof</li> <li>They can be set to expire</li> <li>They can be scoped to a particular purpose</li> </ul> <h3> How is this different from GlobalId? </h3> <p>The above seems oddly similar to <a href="https://github.com/rails/globalid#signed-global-ids">Signed Global IDs</a>, so you may be wondering, why was this feature introduced?</p> <p>The main difference is that <code>ActiveRecord</code> signed IDs can only be used when referring to a single concrete class, conversely <code>GlobalId</code> can be used when the passed ID might respond to any number of classes.</p> <h3> How can I use signed IDs? </h3> <p>When Rails 6.1 is released all <code>ActiveRecord</code> instances will respond to:</p> <ul> <li> <code>signed_id</code> to generate the token</li> <li> <code>find_signed</code> to find a record using the token</li> <li> <code>find_signed!</code> same as the above but instead of returning <code>nil</code> when the record is not found an error will be raised</li> </ul> <p>Here's a simple example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="n">signed_user_id</span> <span class="o">=</span> <span class="no">User</span><span class="p">.</span><span class="nf">first</span><span class="p">.</span><span class="nf">signed_id</span> <span class="no">User</span><span class="p">.</span><span class="nf">find_signed</span><span class="p">(</span><span class="n">signed_user_id</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="no">User</span><span class="p">.</span><span class="nf">first</span> </code></pre> </div> <p>If you want to set a purpose and expiration to the token you can pass them as arguments to <code>signed_id</code>, like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="n">signed_user_id</span> <span class="o">=</span> <span class="no">User</span><span class="p">.</span><span class="nf">first</span><span class="p">.</span><span class="nf">signed_id</span><span class="p">(</span><span class="ss">purpose: :email_confirmation</span><span class="p">,</span> <span class="ss">expires_in: </span><span class="mi">30</span><span class="p">.</span><span class="nf">minutes</span><span class="p">.</span><span class="nf">from_now</span><span class="p">)</span> <span class="no">User</span><span class="p">.</span><span class="nf">find_signed</span><span class="p">(</span><span class="n">signed_user_id</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="kp">nil</span> <span class="no">User</span><span class="p">.</span><span class="nf">find_signed</span><span class="p">(</span><span class="n">signed_user_id</span><span class="p">,</span> <span class="ss">purpose: :other</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="kp">nil</span> <span class="no">User</span><span class="p">.</span><span class="nf">find_signed</span><span class="p">(</span><span class="n">signed_user_id</span><span class="p">,</span> <span class="ss">purpose: </span><span class="p">:</span> <span class="n">email_confirmation</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="no">User</span><span class="p">.</span><span class="nf">first</span> </code></pre> </div> <p>If you don't want the query to silently fail, you can use the bang-method alternative:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="no">User</span><span class="p">.</span><span class="nf">find_signed!</span><span class="p">(</span><span class="s2">"invalid_token"</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="no">ActiveSupport</span><span class="o">::</span><span class="no">MessageVerifier</span><span class="o">::</span><span class="no">InvalidSignature</span> </code></pre> </div> <p>Rails will automatically generate a <code>signed_id_verifier_secret</code> to be used when encoding and decoding the tokens. You can also provide your own in an initializer.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="c1"># config/initializers/active_record.rb</span> <span class="no">ActiveRecord</span><span class="o">::</span><span class="no">Base</span><span class="p">.</span><span class="nf">signed_id_verifier_secret</span> <span class="o">=</span> <span class="s2">"custom_verfifier_secret"</span> </code></pre> </div> <p>If you are interested in learning how this was implemented, take a look at the <a href="https://github.com/rails/rails/pull/39313/files">pull request</a> where this feature was introduced.</p> rails activerecord