p.3 My attempt at building the backend of a password manager
DaNeil C
Posted on December 13, 2019
Set up the Ruby on Rails Backend API part 2. JWT
The first part of this turned out to be a lot longer than I was anticipating and I thought it was time for a part 2 of setting up the backend for my password manager. That being said, I still have to set up the JWT for the backend and finish the write up for the frontend soo stay tuned for that.
To continue where I left one... Before proceeding make sure that your seed data is correct. It caught mine off guard and I had to play with it to get my serializers to show it properly.
-
Now that the seed is up and gooood we need to lift the functionality of encoding/decoding tokens to the top level "ApplicationController".
- You will need to put a secret key with the encoding and decoding. Where I have "ENV['HASH_KEY'] is where the key will go BUT it is better for you to do it in this way. This is the secure way to do it so that anyone looking at your code will not be able to decode the information.
- Note: Use best practices for keeping keys secure by making them more difficult than password. Keep them safe and ensure that your env file is left out of your github repository!!
Now go to the frontend and set up the Bearer token for then the API fetches. This will be whenever an account is being created, deleted, logged into, or viewed.
-
Annnd back to the backend to make sure that the current_user had proper decoding for the token for that user_id in the Application_controller file.
- Also, don't forget to make sure that there is a "logged_in?" definition. It will get used later.
-
Now it's time lock down our application to prevent unauthorized access so that users need to login to see their information and random people can't see it without a valid token.
- For my project, at the top of my "application_contoroller" file I needed to add a "before_action :authorized".
- Also go to the Users controller and add
skip_before_action :authorized, only: [:create]
andbefore_action :set_params, only: [:edit, :update]
This will ensure that the user can be created before authorization and if there are parameters that they will be set. - Note:: You might need to set the same "skip_before_action" and "before_action" that the users controller has with other controllers. I had to set it on my logins_controller also.
-
Time to set up the auth controller! This can be done by running
rails g controller api/v1/auth
and here we will need to add a "skip_before_action :authorized, only: [:create]" as well as setting up the create action for it.- This is where it got a bit confusing to me so let me explain...
@user = User.find_by(username: params[:username]) if @user && @user.authenticate(params[:password]) end
Because I did it like this if @user is nil, which is falsey, ruby will not even attempt to call @user.authenticate. Without this catch, we'd get a NoMethodError (undefined method 'authenticate' for nil:NilClass). This is also where it is going to authenticate the users password.
- This is where it got a bit confusing to me so let me explain...
One final note about the ApplicationController. The ApplicationController calls authorized before any other controller methods are called. If authorization fails, our server will never call UsersController#profile and will instead throw an error message.
If things don't quite work comment out the "skip_before" actions and the "before_action" in the controllers to test the front end faster.
NOTE:: This worked for MY setup. This wont work so easily for everyone. I only had 3 tables and they were an easy relationship as each one belonged to the previous and there were no back and forth "has_many/blongs_to" relationship.s
References
- https://guides.rubyonrails.org/v2.3/getting_started.html
- https://www.codecademy.com/articles/what-is-cors
- https://stackoverflow.com/questions/1992019/how-can-i-rename-a-database-column-in-a-ruby-on-rails-migration
- https://github.com/cyu/rack-cors
- https://jwt.io/introduction/
Please Note that I am still learning. If something that I have stated is incorrect please let me know. I would love to learn more about what I may not understand fully.
Posted on December 13, 2019
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.