You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: rails6/en/chapter04-athentification.adoc
+11-15Lines changed: 11 additions & 15 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -27,7 +27,7 @@ Before we go any further, something must be clear: *an API does not handle sessi
27
27
28
28
The flow for authenticating the user through an API is very simple:
29
29
30
-
. The client request for `sessions` resource with the corresponding credentials, usually email and password.
30
+
. The client request for `sessions` resource with the corresponding credentials (usually email and password)
31
31
. The server returns the `user` resource along with its corresponding authentication token
32
32
. For every page that requires authentication the client has to send that `authentication token`
33
33
@@ -42,10 +42,10 @@ When it comes to authentication tokens, there is a standard: the JSON Web Token
42
42
43
43
> JWT is an open standard defined in RFC 75191. It allows the secure exchange of tokens between several parties. - https://wikipedia.org/wiki/JSON_Web_Token_Web_Token[Wikipedia]
44
44
45
-
Overall, a JWT token is composed of three parts:
45
+
Overall a JWT token is composed of three parts:
46
46
47
47
- a *header* structured in JSON contains for example the validity date of the token.
48
-
- a _payload_ structured in JSON can contain *any data*. In our case, it will contain the identifier of the "connected" user.
48
+
- a *payload* structured in JSON can contain *any data*. In our case, it will contain the identifier of the "connected" user.
49
49
- a *signature* allows us to verify that the token has been encrypted by our application and is therefore valid.
50
50
51
51
These three parts are each encoded in base64 and then concatenated using points (`.`). Which gives us something like that:
@@ -100,7 +100,7 @@ The library is very simple. There are two methods: `JWT.encode` and `JWT.decode`
100
100
=> [{"message"=>"Hello World"}, {"alg"=>"HS256"}]
101
101
----
102
102
103
-
In the first line we encoded a _payload_ with the secret key _my_secret_key_. So we get a token we can simply decode. The second line decodes the token and we see that we find our _payload_ well.
103
+
In the first line we encoded a _payload_ with the secret key `my_secret_key`. So we get a token we can simply decode. The second line decodes the token and we see that we find our _payload_ well.
104
104
105
105
We will now include all this logic in a `JsonWebToken` class in a new file located in `lib/`. This will allow us to avoide duplicating the code. This class will just encode and decode the JWT tokens. So here is the implementation.
106
106
@@ -177,10 +177,10 @@ end
177
177
----
178
178
179
179
180
-
Before going any further, we will build functional tests. The desired behavior is the following:
180
+
We will build functional tests before going any further. The desired behavior is the following:
181
181
182
-
- if I send a valid email/password pair, I receive a token
183
-
- otherwise, I have a `forbidden` type response.
182
+
- I receive a token if I send a valid email / password pair
183
+
- otherwise server repond a `forbidden` response
184
184
185
185
The tests therefore materialize as follows:
186
186
@@ -211,7 +211,6 @@ end
211
211
212
212
You may be wondering: "but how can you know the user's password?". Simply use the `BCrypt::Password.create` method in the _fixtures_ of users:
So we implemented the following logic: API returns the authentication token to the client if credentials are correct .
298
-
299
-
We will now implement the following logic: Each time this client requests a protected page, we'll have to find the user from this authentication token that the user has passed in the HTTP header.
295
+
So we implemented the following logic: API returns the authentication token to the client if credentials are correct.
300
296
301
-
//pas compris
297
+
We will now implement the following logic: we'll find corresponding user of authentication token given into the HTTP header. We'll need to do so each time this client requests a protected page.
302
298
303
-
In our case, we will use the HTTP header `Authorization` which is often used for this. Personally, I find it the best way because it gives context to the request without polluting the URL with additional parameters.
299
+
We will use the HTTP header `Authorization` which is often used for this purpose. We may also use a GET parameter named `apiKey` but I prefer to use an HTTP header because it gives context to the request without polluting the URL with additional parameters.
304
300
305
301
We will therefore create a `current_user` method to meet our needs. It will find the user thanks to his authentication token which is sent on each request.
306
302
@@ -555,4 +551,4 @@ $ git merge chapter04
555
551
556
552
Yeah! you made it! you are half way done! Keep up the good work. This chapter was a long and hard one but it is a great step forward on setting a solid mechanism for handling user authentication. We even scratch the surface for simple authorization rules.
557
553
558
-
In the next chapter we will be focusing on customizing the JSON output for the user with `active_model_serializers` gem and adding a `product` model to the equation by giving the user the ability to create a product and publish it for sale.
554
+
In the next chapter we will be focusing on customizing the JSON output for the user with https://github.com/Netflix/fast_jsonapi[fast_jsonapi] gem and adding a `product` model to the equation by giving the user the ability to create a product and publish it for sale.
0 commit comments