
API Guard - JWT authentication solution for Rails APIs

Gokul Murali

Excited to announce a new gem for Rails API authentication using JWT, which also comes with token refreshing and blacklisting.

https://github.com/Gokul595/api_guard

Feedback and contributions are welcome :)

Discussion

Bora Sumer

Hi Gokul, I have an issue with your gem. In the "Authenticating API requests" part, where you say "To authenticate the API request just add this before_action in the controller:", what controller is that exactly? I assume it is the authentication controller. I tried to add it to each controller one by one to test it out, but when I send the token with Bearer in the header, I get an "Invalid login credentials" error when I try to sign in with the token. Should I create a current_user method or something? I don't know what I am missing, actually. Thank you so much.

Gokul Murali (Author)

Hi Bora,

You need to add the before_action in the controllers where you need to allow only authenticated users to access. For example, if you have a PostsController and you need to allow only logged-in users to access its resources, you need to add the authentication before_action in that controller. If the request contains a valid access token in the header, you can access the current user using the current_user method or the @current_user variable.

The authentication controller is responsible for sign in (with email & password by default) and sign out. It responds with the access token after a successful sign in, and you need to use that token in the requests wherever you have authentication enabled.

And you get "Invalid login credentials" when you try the sign in API with an invalid email/password.

Basically, here is the flow:

Get the access token from the sign in API and use it in the API requests wherever you added authentication. And, to add authentication for any of your controllers, just add the before_action :authenticate_and_set_user in that controller.

Hope this will clarify your doubts. Feel free to reach out to me if you need further clarifications.

Happy to help :-)

Bora Sumer

Thank you for the quick reply, Gokul. I am a little bit confused with this authentication stuff, to be honest. What I am trying to achieve is that I want to keep users logged in on the application even after they refresh, so they would not have to submit their credentials every time they open the application. I am working on a React-Native mobile app. So basically I assume I need to store the JWT in the localStorage and use it every time I send a request to the server to reach the protected controllers/data. But what about user info (username, email, name, last_name)? I want to display that info on the page after the app is refreshed too; do I store it in the localStorage too when I sign in once?
Sorry for the beginner questions.
Thanks a lot, man.

Gokul Murali (Author)

Hi Bora, you are right. You can store the JWT in the local storage and pass it in the request header every time you call the API.

For displaying the current user profile you can create an API (e.g. /profile) and just add the before_action :authenticate_and_set_user; you will then have the currently logged-in user object in the @current_user instance variable, which you can send in the response and use in the front end. You can call this API request whenever your web app loads in the browser and show those details.

Let me know if this clarifies.

Bora Sumer

Yeah, I have handled it that way; the only thing it is missing is the forgot password functionality. I think I can just update the password field of the user by sending a request to the controller with the token. That should do it securely, I assume. Thank you for your help again, Gokul. Really appreciated.

kcsujeet

Hi Gokul, I had been searching for a nice library to implement JWT authentication in my API when I came across your gem. It looks very promising, to be honest. And the documentation is also quite impressive. However, while following the documentation, when I tried to sign_up (register a user) I got a "typeerror (no implicit conversion of nil into string)" error.
Can you help me out with this? I really want to avoid building a JWT authentication system from scratch, and I think your gem is just the thing that I want. Any kind of response would be appreciated.
And for future improvements, is it possible to include an "HttpOnly cookie" to store the token for remembering the users? That would be a nice touch IMO.
Thanks for the gem, Gokul. Keep up the good work.

Gokul Murali (Author)

Hi kcsujeet, thanks for your feedback.

Can you please create an issue in API Guard repo with some logs?

It will be useful to track and debug.

kcsujeet

I have created the issue. Can you please go through the details and help me out in this regard?