Hooray we've made it to part 3 in a 3 part series on basic authentication in Ruby on Rails! Checkout Part 1 and Part 2 if you haven't already. For part 3 the goal will be to verify and protect resources with tokens.
In the previous posts we've created a Ruby on Rails API for a clothing store that has
users. Now we're going to make it so only logged in
users can create
items. Let's generate this new resource
In your terminal:
rails g controller items
rails g model item
Now we setup the route and the migration,
items will have a name and a price.
Now we'll setup a basic
ItemsController where anyone can create an
item and index all of the
In your terminal run
rails db:migrate and start your server
rails s so we can test this in Postman. A
get request to
localhost:3000/items should show an empty list of
items. So let's make sure we can create an
item with a
Now let's make it so only a logged in
user with a valid token can create an
item. Let's update the
create method in the
ItemsController. When making HTTP requests the token is stored in the
Authorization header so we will want access to that. If the authorization header is absent from the request we can end the conversation right there and present an error. Else, we'll want to split the token from the authorization header at " " since the header includes "Bearer " prior to the token itself. Now we want to DECODE the token (that we encoded in the
AuthorizationController) so we can use it.
Let's try to add a shirt with no token present
Now let's try it with my token, the token can be obtained by making a
post request to the
login route with a valid username and password. Enter your token under the "Authorization" header and make sure to select "Bearer Token"
And lastly let's tamper with this token and make sure it only works with a valid token. I've added some "xxxxx" to the end of my token and will try to add a sweater to our items list.
Alright fam we've made it! The
item resource has been successfully protected! Thanks again for reading and as always please let me know if you have any questions, comments, suggestions, etc. because as a developer I'm always learning so there's always more to know!