I needed to implement Devise and JWT using Rails (Rails 5), and I thought, how hard could this be? Boy was I naive... Now there is a lot of infor...
Your article will help me a lot, because I have to add JWT handling to a Rails application that already uses Devise. Thank you! Just one thing:
It is strongly discouraged to save the token in localStorage due to XSS attacks. Read more about it here or search for articles on that topic on dev.to (there are a few). A better solution is to use an httpOnly cookie.
Glad it's helpful! It's worked for me twice so far, but if you run into any problems and have to solve around them, please add another comment about it.
Also, thanks for the suggestion - I've gone ahead and made the change in the article. I haven't had the chance to dig as much into client-side storage strategies as I'd like, so I'm really glad you called that out.
Hey!
I was implementing auth in my new project following your instructions, and I implemented the registration controller as follows:
gist.github.com/prp-e/14e886c2eb51...
as you can see, I used devise's controllers and modified them.
They seem to be working fine, and this is my request:
So, when I send the request, if it's invalid, it returns the suitable error for being invalid. But when I send valid data, it doesn't return any freaking thing.
I'd be thankful if you help me with this.
One other callout:
In real-world apps, you may need to look into more securely logging out a user.
It's on my radar to research as soon as I get the chance, and I'll post about it once I do. But as an example for the meantime, I've briefly read about adding a database table for blacklisted tokens so that the user can't make calls with an old token without logging back in, or conversely, adding a whitelisted token column to your users table. A simpler option may be to just set the JWT to expire after a much shorter time (like 1 day or less).
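As an added illustration of the "blacklisted tokens" approach described above (not code from the article or from devise-jwt): a minimal HS256 JWT issuer and verifier on Ruby's standard library, where every token carries a jti, logout adds that jti to a denylist, and each request checks signature, expiry and then the denylist. The secret and the in-memory store are constructed for the demo; in a Rails app the denylist would be a table and the secret would come from credentials.

```ruby
require 'openssl'
require 'base64'
require 'json'
require 'securerandom'

# Assumption: a Rails app would use secret_key_base or a dedicated credential instead.
JWT_SECRET = 'constructed-demo-secret-do-not-reuse'.freeze

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end
def hmac(data)
  OpenSSL::HMAC.digest('SHA256', JWT_SECRET, data)
end

# Constant-time comparison so a signature check cannot leak timing information.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Mint an HS256 token with a unique jti (JWT ID) so this one token can be revoked later.
def issue_token(user_id, ttl: 3600, now: Time.now.to_i)
  header  = { alg: 'HS256', typ: 'JWT' }
  payload = { sub: user_id, jti: SecureRandom.uuid, iat: now, exp: now + ttl }
  input = "#{b64url(header.to_json)}.#{b64url(payload.to_json)}"
  "#{input}.#{b64url(hmac(input))}"
end

# The "blacklisted tokens" table, in memory for the demo; entries keep exp so they can be pruned.
class Denylist
  def initialize; @revoked = {}; end
  def revoke(payload); @revoked[payload['jti']] = payload['exp']; end # call this on logout
  def revoked?(jti); @revoked.key?(jti); end
  def prune(now = Time.now.to_i); @revoked.delete_if { |_, exp| exp <= now }.size; end
end

# Verify signature, expiry, then revocation. Returns [status, payload]; only :ok grants access.
# The alg in the header is deliberately ignored: the server always expects HS256 with its own key.
def verify(token, denylist, now: Time.now.to_i)
  h, p, s = token.to_s.split('.')
  return [:malformed, nil] unless h && p && s
  return [:bad_signature, nil] unless secure_equal?(hmac("#{h}.#{p}"), Base64.urlsafe_decode64(s))
  payload = JSON.parse(Base64.urlsafe_decode64(p))
  return [:expired, payload] if payload['exp'].to_i <= now
  return [:revoked, payload] if denylist.revoked?(payload['jti'])
  [:ok, payload]
rescue ArgumentError, JSON::ParserError
  [:malformed, nil]
end
```

Because the denylist only needs to hold a jti until that token's exp, a short TTL (the other option mentioned above) keeps the table small; prune can run from a scheduled job.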
hey Daniel! I was just going through this last week and went through a tutorial that really helped out. I made a git repo with a detailed README describing what I did differently from the tutorial and then beyond it how you could store tokens client side: github.com/dakotalmartinez/rails-d.... As far as localStorage goes for storing tokens, from what I've seen there's actually quite a bit of debate there. Some people say it's totally bad and should be avoided, others say that storing the token in a cookie only makes it slightly more difficult for an attacker to exploit XSS vulnerabilities. If an attacker can run JS on your domain, they can use the cookie to send requests to your API whether or not they can access it via JS: it can be included with a fetch request. Moral of the story, XSS is bad, so don't take user input and put it straight into innerHTML = without encoding/escaping it. portswigger.net/web-security/cross...
Hi Dakota, thank you for posting this link!!
Your tutorial looks great. I haven't had a chance to follow along with my own code yet, but it seems to be exactly what I needed about 8 months ago when I was trying to implement Devise-JWT 😆
A lot of the content looks very familiar, so it will be interesting to dig in and see where I went wrong. Could even be due to Rails version (I'm still on 5)...maybe it's time for me to finally update.
Hey Daniel, this is great--thanks for posting this resource!
One quick q about your full code at the bottom: in SessionsController.rb and RegistrationsController.rb, "generate_jwt" should be called from the "user" object, not "current_user", correct?
I've been using the one you had earlier in your article and that works for me:
token = user.generate_jwt
Let me know if I misread something--I'm still new to Ruby / Rails. Thanks again!
Hi tiQu. You are correct, great catch! I've fixed it in the article now. Thanks for calling it out.
Hi Daniel, I cannot access current_user in the controller's create method.
When I post from the frontend, it tells me ActiveRecord::RecordNotFound (Couldn't find User without an ID).
Any ideas to solve it?
I have the same problem. How did you solve it? Thanks
Does this only work for api mode? My rails app serves as a web app and an api. Users need to be able to login on the website and also use it by api.
Thanks for sharing this.