
JckSmith


So you Want to use auth?

So you are working on a new project, and a friend recommended that you should add auth! You have no idea what your friend is talking about, what is auth, and why should you use it?

Let's start off with the basics: what is auth? Authentication, or auth for short, lets you manage what information gets passed to specific users. For example, if you were creating a program to send messages to other people, you would want auth on it!

Why would I want to add authentication to my program? Auth lets you make sure that only certain people can reach information meant only for them. If you were managing a forum, you would want to give yourself certain powers, like deleting messages or removing certain users, but you wouldn't want to give everyone that sort of power!

How do I add authentication? Authentication can be a tricky process, and that is why many people use libraries such as Devise, OmniAuth, Doorkeeper, Authlogic, and Clearance, to name a few.

While you can use these as your authentication, they may not be exactly what you are looking for, and in that case you might need to make your own from scratch!

I will not go fully into detail about how to build your own authentication from scratch, although a really useful blog that does exactly that can be found here. I will be going over the logic behind it.

[Diagram: authentication flow using Rails session cookies]

The diagram above shows one of the approaches you can take with authentication, which is using Rails session cookies. Let's go through the steps!

1. The web app takes the username and password from a form and sends a POST request with the credentials to an API "login" endpoint. The request would look something like this:

    ```http
    POST /session
    Host: api.your-app.com
    Content-Type: application/json

    {
      "username": "jack",
      "password": "mypassword"
    }
    ```

2. The API attempts to authenticate the user with the given credentials. If it is successful, the API stashes the user's ID in the session:

    ```ruby
    session[:user_id] = user.id
    ```

    This simple assignment sets a cookie in the response, and in this case the cookie contains the user's unique ID. Rails signs and encrypts the session cookie, so the browser can neither read the ID nor swap in a different one without the server noticing.

3. The session cookie is returned to the browser.

4. The browser then stores the cookie until it expires, and every time the app sends a request to the API, the browser automatically sends the session cookie as well. Here is the request for a protected resource, `my-info`:

    ```http
    GET /my-info
    Host: api.your-app.com
    Cookie: _session_id=kTNmUk23l0xxXyDB7rPCcEl6yVet1ahaofUJLd6DxS1XrhbPvU4gF%2B%2Bm... (This goes on for a while)
    ```

5. The API then checks the user's ID in the session cookie to identify the user making the request for `my-info`, ensuring that only the authorized user is able to access the resource.

6. If the user is authorized, the response for the request is sent back to the web app; otherwise, the API sends a 401 Unauthorized response back.
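To make the six steps concrete, here is an added example that is not from this post or from Rails: a small Ruby class that plays the API's role without any framework. Users, the `jack`/`mypassword` credentials, the `SessionApi` class and its method names are all constructed for the example. Passwords are stored as PBKDF2 hashes from the standard library, and the session cookie is an HMAC-signed payload, a stand-in for the signed and encrypted cookie Rails produces. The handlers return `[status, headers, body]` so the 200/401 outcomes can be checked directly.

```ruby
require "openssl"
require "json"
require "securerandom"

# Constructed example (not the post's or Rails' code): a minimal API that
# implements the session-cookie login flow described above without Rails.
class SessionApi
  # Assumption: a fresh random signing key per process; a real app would load
  # a fixed secret (Rails uses secret_key_base) so cookies survive restarts.
  SECRET = SecureRandom.hex(32)
  ITERATIONS = 100_000

  def initialize
    @users = {}     # username => { id:, salt:, hash: }
    @next_id = 1
  end

  # Store only a salted PBKDF2 hash of the password, never the password itself.
  def register(username, password)
    salt = SecureRandom.random_bytes(16)
    @users[username] = { id: @next_id, salt: salt, hash: pbkdf2(password, salt) }
    @next_id += 1
  end

  # Steps 1-3: POST /session with a JSON body; on success the response carries
  # a Set-Cookie header holding the signed session.
  def post_session(body_json)
    creds = JSON.parse(body_json)
    return [400, {}, { "error" => "Bad Request" }] unless creds.is_a?(Hash)
    user = @users[creds["username"]]
    # Hash even for unknown users so response time does not leak whether the name exists.
    salt = user ? user[:salt] : ("\0" * 16)
    candidate = pbkdf2(creds["password"].to_s, salt)
    if user && secure_compare(candidate, user[:hash])
      cookie = sign_session({ "user_id" => user[:id] })
      [200, { "Set-Cookie" => "_session_id=#{cookie}; HttpOnly; Secure; SameSite=Lax" }, { "ok" => true }]
    else
      [401, {}, { "error" => "Unauthorized" }]
    end
  end

  # Steps 4-6: GET /my-info; the caller is identified only from a cookie whose
  # signature verifies, otherwise the request gets a 401.
  def get_my_info(cookie_header)
    session = verify_session(cookie_header.to_s[/_session_id=([^;]+)/, 1])
    return [401, {}, { "error" => "Unauthorized" }] unless session
    user = @users.values.find { |u| u[:id] == session["user_id"] }
    return [401, {}, { "error" => "Unauthorized" }] unless user
    [200, {}, { "user_id" => user[:id] }]
  end

  private

  def pbkdf2(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, 32, "sha256")
  end

  # Constant-time comparison so an attacker cannot time a byte-by-byte match.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Cookie value = hex(JSON payload) "." hex(HMAC-SHA256(payload)).
  def sign_session(data)
    payload = JSON.generate(data).unpack1("H*")
    "#{payload}.#{OpenSSL::HMAC.hexdigest("SHA256", SECRET, payload)}"
  end

  # Returns the session hash only if the MAC matches; a tampered or forged
  # payload yields nil and therefore a 401 from the caller.
  def verify_session(cookie)
    return nil unless cookie
    payload, mac = cookie.split(".", 2)
    return nil unless payload && mac
    return nil unless secure_compare(mac, OpenSSL::HMAC.hexdigest("SHA256", SECRET, payload))
    JSON.parse([payload].pack("H*"))
  rescue JSON::ParserError
    nil
  end
end

if __FILE__ == $0
  api = SessionApi.new
  api.register("jack", "mypassword")
  status, headers, _ = api.post_session('{"username":"jack","password":"mypassword"}')
  puts "login: #{status}"                                   # 200
  puts "my-info with cookie: #{api.get_my_info(headers["Set-Cookie"])[0]}"  # 200
  puts "my-info without cookie: #{api.get_my_info(nil)[0]}" # 401
end
```

The point to take from the tampering check is that the user ID in the cookie is only trusted because the server's signature over it verifies; editing the payload to another ID without the key produces a 401, which is the property the real Rails cookie store provides through signing and encryption.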

In summary, authentication allows you to control who has access to certain information and resources, which is a must in many programs and applications. You can use certain tools to make your authentication a bit easier to make, but it is normally better to make it from scratch so you can customize it to fit exactly what you need!

Links to other helpful blogs: "Rails authentication from scratch" by Steve Polito, and "Using Rails Session Cookies for API Authentication" by Mike Clark.
