Ruby on Rails API with JWT Auth Tutorial

Certain parts of this tutorial were adapted from this tutorial, https://medium.com/better-programming/build-a-rails-api-with-jwt-61fb8a52d833

Our Mission

Our goal is to make an API where users can login and creates notes under their account. I’m assuming some basic knowledge of Ruby on Rails and that you have it installed. If this is not the case just do this basic hello world tutorial to get a basic introduction before this tutorial.

https://iridakos.com/programming/2013/11/24/saying-hello-world-with-ruby-on-rails

Starting Up Our Project

rails new notesapi --database=postgresql --api

So this will create a new project in a notesapi folder. The --database=postgresql flag will make our database.yml and gemfile setup for postgres and the --api flag will build a minimal build for building api so we don’t have all the bulk neccessary for rendering views.

Configuring your dependencies

Make sure to add the following to your Gemfile

gem 'bcrypt', '~> 3.1.7'
gem 'rack-cors'
gem 'jwt'

Then after making these adjustments in terminal run the command bundle install which will read the Gemfile and install any as of yet uninstalled dependencies. Now what do these libraries do?

bcrypt: Encrypts strings, will be used to encrypt new user passwords and verify where passwords at login match the encrypted password in our database.

rack-cors: This will allow us to manage Cross Origin Resource Sharing (CORS) and determine which URLs are allowed to make requests to our server

JWT: Json Web Tokens (JWT) are often issued when a user successfully logs in containing encrypted information such as username. Our API will look for JWT tokens in request headers to know the request is authorized to access certain data. (So I login get a token, I send the token when I request my notes and this tells the API which user I am and that I’m properly logged in)

CORS

Head into config/initializers/cors.rb and enter the following. The ”*” basically allows all sources to make requests to our server which we can change after we deploy and know what our front-end applications URL will be.

Rails.application.config.middleware.insert_before 0, Rack::Cors do
allow do
origins '*'
resource '*',
headers: :any,
methods: [:get, :post, :put, :patch, :delete, :options, :head]
end
end

Setting up Auth Routes

Head over to config/routes.rb and include the following

Rails.application.routes.draw do
resource :users, only: [:create]
post "/login", to: "users#login"
get "/auto_login", to: "users#auto_login"
end

So we only want the create the resources route for users which will be used to create new users. The ‘/login’ route will be used for logging in and ‘auto_login’ will allow you to verify you are logged in using your JWT.

Creating the User Model

rails g model User username:string password_digest:string age:integer

Notice the password field is called ‘password_digest’, this is a convention that the Bcrypt library is looking for to know that it will be responsible for digesting the password and encrypting it.

Securing our User Model

Head into app/models/user.rb and add the following macro which will notify bCrypt to do its thing.

class User < ApplicationRecord
has_secure_password
end

The User Controller

Run the following command to create a User controller…

rails g controller Users

This will create a new controller file at app/controllers/, let’s open it up and begin building some controller functions.

Migrating the model to your database

Before this next step take a moment to go to your config/database.yml and set your postgres settings

default: &default
adapter: postgresql
encoding: unicode
pool: <%= ENV.fetch("RAILS_MAX_THREADS") { 5 } %>
development:
<<: *default
database: database_name
username: test
password: test
host: localhost
port: 5432
test:
<<: *default
database: database_name
production:
<<: *default
url: <%= ENV['DBURI'] %>

So locally it will work off your localhost database and in production it’ll pull a connection string from your Heroku config vars (it’ll look for a variable called DBURI in this case).

After setting up the connection run the following command to generate the migration files (files that contain commands to be sent to database) and then migrate (send those commands to your database and set a marker to know which migrations it has already ran).

rails db:create && rails db:migrate

Seed some data

We will want to put some initial data in our database to test and work with so go to your db/seeds.rb file and add the following line.

user = User.create(username: "alexmerced", password: "pineapple", age: 35)

After saving the new user in the seed file run the following command to seed the database.

rails db:seed

The Application Controller

Head over and open app/controllers/application_controller.rb

Add the following code…

class ApplicationController < ActionController::API
before_action :authorized
def encode_token(payload)
JWT.encode(payload, 'yourSecret')
end
def auth_header
# { Authorization: 'Bearer <token>' }
request.headers['Authorization']
end
def decoded_token
if auth_header
token = auth_header.split(' ')[1]
# header: { 'Authorization': 'Bearer <token>' }
begin
JWT.decode(token, 'yourSecret', true, algorithm: 'HS256')
rescue JWT::DecodeError
nil
end
end
end
def logged_in_user
if decoded_token
user_id = decoded_token[0]['user_id']
@user = User.find_by(id: user_id)
end
end
def logged_in?
!!logged_in_user
end
def authorized
render json: { message: 'Please log in' }, status: :unauthorized unless logged_in?
end
end

SO LET’S BREAK DOWN THESE METHODS:

encode_token this method takes in a payload (a hash of key/values you want to save in the token) and signs a token using a secret key. (in production this should an ENV variable.)

auth_header When determining is someone is logged in the frontend usually sends the token in the “Authorization” header preceded by the word bearer, this function checks to see if the header was sent.

example of a request including the appropiate header…

fetch("/", {
method: "post",
headers: {
"Content-Type": "application/json",
Authorization: `bearer ${JWT_TOKEN}`,
},
body: JSON.stringify(requestBody),
})

before_action :authorized : this macro tells rails to run the authorized funcion before completing any request to the API. (why, to make sure they are logged in before they use the API)

decoded_token: If the auth header is present this function parses the string for the token and verified it and pulls out the payload (the hash we stored in the token when we created it). If verification fails it will return nil.

loggedinuser if decoding the token is successful it grabs the username from the payload and searches our user in the database.

logged_in returns true if logged in

authorized: returns a message asking user to log in if unless logged_in return true

The Users Controller

Now to add some methods to the user controller, head over to app/controllers/user_controller.rb and add the following methods.

class UsersController < ApplicationController
before_action :authorized, only: [:auto_login]
# REGISTER
def create
@user = User.create(user_params)
if @user.valid?
token = encode_token({user_id: @user.id})
render json: {user: @user, token: token}
else
render json: {error: "Invalid username or password"}
end
end
# LOGGING IN
def login
@user = User.find_by(username: params[:username])
if @user && @user.authenticate(params[:password])
token = encode_token({user_id: @user.id})
render json: {user: @user, token: token}
else
render json: {error: "Invalid username or password"}
end
end
def auto_login
render json: @user
end
private def user_params
params.permit(:username, :password, :age)
end
end

Let’s break this down.

beforeaction :authorized, only: [:autologin]: This required the authorization method from the ApplicationController to be run before only the autologin method of this controller.

create This creates a new user using the data returned from the user_params method. If the new user is validated (matches the user schema) then a JWT token is signed and returned in a json object to the client.

login Looks up the username and compares the password passed in, if all checks out, generate an JWT token and sends it over in a JSON object.

auto_login renturns the user object as JSON assuming the user has previous logged in (in which case the authenticate function will run successfully)

user_params private function that parses the needed data from the request to create a new user

Time to test our API Auth

Run your server

rails s -p 4000

make post request to /login with your username and password, copy token from response make a get request to /auto_login with your token in your headers

Making the Notes item

let’s create our notes model/controller/routes with the following command

rails g scaffold note message:string user:references

The Result

model…

class Note < ApplicationRecord
belongs_to :user
end

It has belongs to since we specified the user field references our user model. So a notes cannot be created without associating it with a user.

In the controller file…

class NotesController < ApplicationController
before_action :set_note, only: [:show, :update, :destroy]
# GET /notes
def index
@notes = Note.all
render json: @notes
end
# GET /notes/1
def show
render json: @note
end
# POST /notes
def create
@note = Note.new(note_params)
if @note.save
render json: @note, status: :created, location: @note
else
render json: @note.errors, status: :unprocessable_entity
end
end
# PATCH/PUT /notes/1
def update
if @note.update(note_params)
render json: @note
else
render json: @note.errors, status: :unprocessable_entity
end
end
# DELETE /notes/1
def destroy
@note.destroy
end
private
# Use callbacks to share common setup or constraints between actions.
def set_note
@note = Note.find(params[:id])
end
# Only allow a trusted parameter "white list" through.
def note_params
params.require(:note).permit(:message, :user_id)
end
end

Nice to see all our crud routes initially built out for us!

Then our migration file!

class CreateNotes < ActiveRecord::Migration[6.0]
def change
create_table :notes do |t|
t.string :message
t.references :user, null: false, foreign_key: true
t.timestamps
end
end
end

and last our routes

Rails.application.routes.draw do
resources :notes
resource :users, only: [:create]
post "/login", to: "users#login"
get "/auto_login", to: "users#auto_login"
end

our notes already has all the main resources routes all setup, nice!

Adding auth to notes

in the notes controllers add authorization as a before action…

before_action :authorized

modify the controllers like so…

# GET /notes
def index
@notes = Note.where(user_id: @user.id)
render json: @notes
end
# GET /notes/1
def show
render json: @note
end
# POST /notes
def create
@note = Note.new(note_params)
@note.user_id = @user.id
if @note.save
render json: @note, status: :created, location: @note
else
render json: @note.errors, status: :unprocessable_entity
end
end

Notice the changes are mainly to the create and index function. The change to the index function makes sure that we are only grabbing notes of the particular user and the changes in create makes sure every user is assigned a user_id at creation.

The test the API and you’ll find you’ll need to login before you can create and view notes, congrats!

Alex Merced is a Full Stack Developer, learn more about his work at AlexMercedCoder.com

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store