Coding Tutorials Blog

Ruby on Rails API with JWT Auth Tutorial

August 18, 2020

Certain parts of this tutorial were adapted from this tutorial, https://medium.com/better-programming/build-a-rails-api-with-jwt-61fb8a52d833

Our Mission

Our goal is to make an API where users can login and creates notes under their account. I’m assuming some basic knowledge of Ruby on Rails and that you have it installed. If this is not the case just do this basic hello world tutorial to get a basic introduction before this tutorial.

https://iridakos.com/programming/2013/11/24/saying-hello-world-with-ruby-on-rails

Starting Up Our Project

rails new notesapi --database=postgresql --api

So this will create a new project in a notesapi folder. The --database=postgresql flag will make our database.yml and gemfile setup for postgres and the --api flag will build a minimal build for building api so we don’t have all the bulk neccessary for rendering views.

Configuring your dependencies

Make sure to add the following to your Gemfile

gem 'bcrypt', '~> 3.1.7'
gem 'rack-cors'
gem 'jwt'

Then after making these adjustments in terminal run the command bundle install which will read the Gemfile and install any as of yet uninstalled dependencies. Now what do these libraries do?

bcrypt: Encrypts strings, will be used to encrypt new user passwords and verify where passwords at login match the encrypted password in our database.

rack-cors: This will allow us to manage Cross Origin Resource Sharing (CORS) and determine which URLs are allowed to make requests to our server

JWT: Json Web Tokens (JWT) are often issued when a user successfully logs in containing encrypted information such as username. Our API will look for JWT tokens in request headers to know the request is authorized to access certain data. (So I login get a token, I send the token when I request my notes and this tells the API which user I am and that I’m properly logged in)

CORS

Head into config/initializers/cors.rb and enter the following. The ”*” basically allows all sources to make requests to our server which we can change after we deploy and know what our front-end applications URL will be.

Rails.application.config.middleware.insert_before 0, Rack::Cors do
  allow do
    origins '*'

    resource '*',
      headers: :any,
      methods: [:get, :post, :put, :patch, :delete, :options, :head]
  end
end

Setting up Auth Routes

Head over to config/routes.rb and include the following

Rails.application.routes.draw do
  resource :users, only: [:create]
  post "/login", to: "users#login"
  get "/auto_login", to: "users#auto_login"
end

So we only want the create the resources route for users which will be used to create new users. The ‘/login’ route will be used for logging in and ‘auto_login’ will allow you to verify you are logged in using your JWT.

Creating the User Model

rails g model User username:string password_digest:string age:integer

Notice the password field is called ‘password_digest’, this is a convention that the Bcrypt library is looking for to know that it will be responsible for digesting the password and encrypting it.

Securing our User Model

Head into app/models/user.rb and add the following macro which will notify bCrypt to do its thing.

class User < ApplicationRecord
    has_secure_password
end

The User Controller

Run the following command to create a User controller…

rails g controller Users

This will create a new controller file at app/controllers/, let’s open it up and begin building some controller functions.

Migrating the model to your database

Before this next step take a moment to go to your config/database.yml and set your postgres settings

default: &default
  adapter: postgresql
  encoding: unicode
  pool: <%= ENV.fetch("RAILS_MAX_THREADS") { 5 } %>

development:
  <<: *default
  database: database_name
  username: test
  password: test
  host: localhost
  port: 5432

test:
  <<: *default
  database: database_name

production:
  <<: *default
  url: <%= ENV['DBURI'] %>

So locally it will work off your localhost database and in production it’ll pull a connection string from your Heroku config vars (it’ll look for a variable called DBURI in this case).

After setting up the connection run the following command to generate the migration files (files that contain commands to be sent to database) and then migrate (send those commands to your database and set a marker to know which migrations it has already ran).

rails db:create && rails db:migrate

Seed some data

We will want to put some initial data in our database to test and work with so go to your db/seeds.rb file and add the following line.

user = User.create(username: "alexmerced", password: "pineapple", age: 35)

After saving the new user in the seed file run the following command to seed the database.

rails db:seed

The Application Controller

Head over and open app/controllers/application_controller.rb

Add the following code…

class ApplicationController < ActionController::API
    before_action :authorized

  def encode_token(payload)
    JWT.encode(payload, 'yourSecret')
  end

  def auth_header
    # { Authorization: 'Bearer <token>' }
    request.headers['Authorization']
  end

  def decoded_token
    if auth_header
      token = auth_header.split(' ')[1]
      # header: { 'Authorization': 'Bearer <token>' }
      begin
        JWT.decode(token, 'yourSecret', true, algorithm: 'HS256')
      rescue JWT::DecodeError
        nil
      end
    end
  end

  def logged_in_user
    if decoded_token
      user_id = decoded_token[0]['user_id']
      @user = User.find_by(id: user_id)
    end
  end

  def logged_in?
    !!logged_in_user
  end

  def authorized
    render json: { message: 'Please log in' }, status: :unauthorized unless logged_in?
  end
end

So let’s break down these methods:

encode_token this method takes in a payload (a hash of key/values you want to save in the token) and signs a token using a secret key. (in production this should an ENV variable.)

auth_header When determining is someone is logged in the frontend usually sends the token in the “Authorization” header preceded by the word bearer, this function checks to see if the header was sent.

example of a request including the appropiate header…

fetch("/", {
  method: "post",
  headers: {
    "Content-Type": "application/json",
    Authorization: `bearer ${JWT_TOKEN}`,
  },
  body: JSON.stringify(requestBody),
})

before_action :authorized : this macro tells rails to run the authorized funcion before completing any request to the API. (why, to make sure they are logged in before they use the API)

decoded_token: If the auth header is present this function parses the string for the token and verified it and pulls out the payload (the hash we stored in the token when we created it). If verification fails it will return nil.

loggedinuser if decoding the token is successful it grabs the username from the payload and searches our user in the database.

logged_in returns true if logged in

authorized: returns a message asking user to log in if unless logged_in return true

The Users Controller

Now to add some methods to the user controller, head over to app/controllers/user_controller.rb and add the following methods.

class UsersController < ApplicationController
  before_action :authorized, only: [:auto_login]

  # REGISTER
  def create
    @user = User.create(user_params)
    if @user.valid?
      token = encode_token({user_id: @user.id})
      render json: {user: @user, token: token}
    else
      render json: {error: "Invalid username or password"}
    end
  end

  # LOGGING IN
  def login
    @user = User.find_by(username: params[:username])

    if @user && @user.authenticate(params[:password])
      token = encode_token({user_id: @user.id})
      render json: {user: @user, token: token}
    else
      render json: {error: "Invalid username or password"}
    end
  end


  def auto_login
    render json: @user
  end

  private

  def user_params
    params.permit(:username, :password, :age)
  end

end

Let’s break this down.

beforeaction :authorized, only: [:autologin]: This required the authorization method from the ApplicationController to be run before only the autologin method of this controller.

create This creates a new user using the data returned from the user_params method. If the new user is validated (matches the user schema) then a JWT token is signed and returned in a json object to the client.

login Looks up the username and compares the password passed in, if all checks out, generate an JWT token and sends it over in a JSON object.

auto_login renturns the user object as JSON assuming the user has previous logged in (in which case the authenticate function will run successfully)

user_params private function that parses the needed data from the request to create a new user

Time to test our API Auth

Run your server

rails s -p 4000

make post request to /login with your username and password, copy token from response make a get request to /auto_login with your token in your headers

Making the Notes item

let’s create our notes model/controller/routes with the following command

rails g scaffold note message:string user:references

The Result

model…

class Note < ApplicationRecord
  belongs_to :user
end

It has belongs to since we specified the user field references our user model. So a notes cannot be created without associating it with a user.

In the controller file…

class NotesController < ApplicationController
  before_action :set_note, only: [:show, :update, :destroy]

  # GET /notes
  def index
    @notes = Note.all

    render json: @notes
  end

  # GET /notes/1
  def show
    render json: @note
  end

  # POST /notes
  def create
    @note = Note.new(note_params)

    if @note.save
      render json: @note, status: :created, location: @note
    else
      render json: @note.errors, status: :unprocessable_entity
    end
  end

  # PATCH/PUT /notes/1
  def update
    if @note.update(note_params)
      render json: @note
    else
      render json: @note.errors, status: :unprocessable_entity
    end
  end

  # DELETE /notes/1
  def destroy
    @note.destroy
  end

  private
    # Use callbacks to share common setup or constraints between actions.
    def set_note
      @note = Note.find(params[:id])
    end

    # Only allow a trusted parameter "white list" through.
    def note_params
      params.require(:note).permit(:message, :user_id)
    end
end

Nice to see all our crud routes initially built out for us!

Then our migration file!

class CreateNotes < ActiveRecord::Migration[6.0]
  def change
    create_table :notes do |t|
      t.string :message
      t.references :user, null: false, foreign_key: true

      t.timestamps
    end
  end
end

and last our routes

Rails.application.routes.draw do
  resources :notes
  resource :users, only: [:create]
  post "/login", to: "users#login"
  get "/auto_login", to: "users#auto_login"
end

our notes already has all the main resources routes all setup, nice!

Adding auth to notes

in the notes controllers add authorization as a before action…

before_action :authorized

modify the controllers like so…

  # GET /notes
  def index
    @notes = Note.where(user_id: @user.id)

    render json: @notes
  end

  # GET /notes/1
  def show
    render json: @note
  end

  # POST /notes
  def create
    @note = Note.new(note_params)
    @note.user_id = @user.id

    if @note.save
      render json: @note, status: :created, location: @note
    else
      render json: @note.errors, status: :unprocessable_entity
    end
  end

Notice the changes are mainly to the create and index function. The change to the index function makes sure that we are only grabbing notes of the particular user and the changes in create makes sure every user is assigned a user_id at creation.

The test the API and you’ll find you’ll need to login before you can create and view notes, congrats!


© alexmercedcoder.dev 2020