JSON Web Tokens (JWT) have become the go-to solution for stateless authentication in modern web applications, especially when building APIs. If you’re working with Ruby on Rails and want to implement JWT authentication, you’re in for a treat. Let’s dive into how you can set this up in your Rails API.

First things first, you’ll need to add the necessary gems to your Gemfile. The ‘jwt’ gem is essential for handling JWT operations, and ‘bcrypt’ is crucial for securely hashing passwords. Add these lines to your Gemfile:

gem 'jwt'
gem 'bcrypt'

Don’t forget to run bundle install after adding these gems.

Now, let’s create a simple User model to work with. Run the following command in your terminal:

rails generate model User email:string password_digest:string

This will create a User model with email and password_digest fields. The password_digest field will store the hashed version of the user’s password.

Next, we need to set up our User model to use bcrypt for password hashing. Open up app/models/user.rb and add the following line:

class User < ApplicationRecord
  has_secure_password
end

The has_secure_password method is provided by ActiveModel and adds methods to set and authenticate against a BCrypt password.

Now, let’s create a JWT service to handle token creation and decoding. Create a new file at app/services/json_web_token.rb and add the following code:

class JsonWebToken
  SECRET_KEY = Rails.application.secrets.secret_key_base.to_s

  def self.encode(payload, exp = 24.hours.from_now)
    payload[:exp] = exp.to_i
    JWT.encode(payload, SECRET_KEY)
  end

  def self.decode(token)
    decoded = JWT.decode(token, SECRET_KEY)[0]
    HashWithIndifferentAccess.new decoded
  end
end

This service provides two class methods: encode for creating JWTs and decode for verifying and decoding JWTs. The SECRET_KEY is used to sign the tokens, ensuring they can’t be tampered with.

Now, let’s create an AuthenticationController to handle user login. Run the following command:

rails generate controller Authentication

Open the newly created app/controllers/authentication_controller.rb and add the following code:

class AuthenticationController < ApplicationController
  def login
    @user = User.find_by(email: params[:email])
    if @user&.authenticate(params[:password])
      token = JsonWebToken.encode(user_id: @user.id)
      render json: { token: token }, status: :ok
    else
      render json: { error: 'unauthorized' }, status: :unauthorized
    end
  end
end

This controller action finds a user by email, authenticates the password, and if successful, creates a JWT containing the user’s ID.

We also need to create a mechanism to authenticate requests using the JWT. Let’s create an AuthorizeApiRequest service. Create a new file at app/services/authorize_api_request.rb and add the following code:

class AuthorizeApiRequest
  def initialize(headers = {})
    @headers = headers
  end

  def call
    {
      user: user
    }
  end

  private

  attr_reader :headers

  def user
    @user ||= User.find(decoded_auth_token[:user_id]) if decoded_auth_token
  rescue ActiveRecord::RecordNotFound
    nil
  end

  def decoded_auth_token
    @decoded_auth_token ||= JsonWebToken.decode(http_auth_header)
  end

  def http_auth_header
    if headers['Authorization'].present?
      return headers['Authorization'].split(' ').last
    end
    nil
  end
end

This service extracts the token from the Authorization header, decodes it, and returns the corresponding user.

Now, let’s update our ApplicationController to use this service for authenticating requests:

class ApplicationController < ActionController::API
  def authenticate_request
    @current_user = AuthorizeApiRequest.new(request.headers).call[:user]
    render json: { error: 'Not Authorized' }, status: 401 unless @current_user
  end
end

You can now use this authenticate_request method as a before_action in any controller where you want to require authentication.

Let’s create a simple API endpoint to test our JWT authentication. Create a new controller:

rails generate controller Api::V1::Posts

Open app/controllers/api/v1/posts_controller.rb and add the following code:

module Api
  module V1
    class PostsController < ApplicationController
      before_action :authenticate_request

      def index
        posts = Post.all
        render json: { status: 'SUCCESS', message: 'Loaded posts', data: posts }, status: :ok
      end
    end
  end
end

Don’t forget to set up your routes in config/routes.rb:

Rails.application.routes.draw do
  post 'login', to: 'authentication#login'
  namespace :api do
    namespace :v1 do
      resources :posts, only: [:index]
    end
  end
end

Now, when a user wants to access the posts, they first need to log in to get a token. They can then use this token in subsequent requests to access protected resources.

Here’s how you might use this in practice:

1. First, a user would log in:

POST /login
{
  "email": "[email protected]",
  "password": "password123"
}

If successful, this would return a token:

{
  "token": "eyJhbGciOiJIUzI1NiJ9..."
}

2. Then, to access protected resources, include this token in the Authorization header:

GET /api/v1/posts
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9...

This setup provides a solid foundation for JWT authentication in your Rails API. However, there are a few more things to consider for a production-ready system.

First, you might want to add token expiration. You can do this by including an expiration time in the JWT payload and checking it in the AuthorizeApiRequest service.

Second, consider implementing refresh tokens. These are long-lived tokens that can be used to obtain new access tokens without requiring the user to log in again.

Third, think about token revocation. Since JWTs are stateless, you can’t simply delete them server-side like you would with session-based authentication. One approach is to maintain a blacklist of revoked tokens.

Fourth, always use HTTPS in production to protect the tokens in transit.

Lastly, remember that while JWTs are great for stateless authentication, they’re not suitable for storing sensitive information. The payload of a JWT is encoded, not encrypted, which means anyone can read its contents if they have the token.

Implementing JWT authentication in your Rails API opens up a world of possibilities. It allows you to build stateless, scalable applications that can easily integrate with various front-end frameworks or mobile apps. Plus, it’s a great skill to have in your toolbox as a Rails developer.

As you work with JWTs, you’ll likely encounter various challenges and edge cases. Don’t get discouraged! Each problem you solve will deepen your understanding and make you a better developer. Remember, the Rails community is vast and supportive, so don’t hesitate to reach out for help when you need it.

Happy coding, and may your tokens always be valid!