Authentication for Modern Web Apps
Proof is JWT Authentication with Rails Made Easy. It is designed for web applications which must authenticate users with Rails APIs. It is:
- Based on JWT, a secure, open authentication standard.
- Easy to Use and Modular. It works out of the box with Devise, and can easily be customized to work with any database setup.
- Designed for Single-Page Applications and API-Driven experiences.
When your web application send a POST request to the login action with an identifier (email, username, etc.) and password, proof authenticates the user and creates a JWT token. This token is encrypted and signed using a secret key generated by your rails application, so a hacker who gets a hold of it can't modify it. The token identifies the user it will authenticate for and an expiration time. Your web application stores the token and sends it as an HTTP header with every request. Proof will take care of authenticating the token, verifying it is not expired, and retrieving the current User on every request, so you just need to add a before_action call for the actions you want to restrict to authenticated users.
In your Gemfile:
gem 'proof-rails', require: "proof"
To quickly start using proof with Devise, use the generator:
rails generate proof:devise User
Where User is the class name of your User model.
For other authentication solutions or custom Devise setups, you must first use proof_actions in the controller you would like the login route to be on:
class AuthenticationController < ActionController::Base
proof_actions
end
proof_actions will create a login action on the controller it is called in. This login action will accept the parameters identifier and password. Proof will use these parameters to authenticate the corresponding user and create a JWT token. If the parameters correspond to a nonexistant or invalid user, proof will return an error message with the status 401 Unauthorized.
proof_actions accepts a number of options, allowing you to configure it for any authentication setup:
proof_actions authenticatable: :User, identifier: :email, password: :password, authenticate: :authenticate
authenticatable: specifies the name of the model which represents your users.
identifier: specifies the name of the field which uniquely identifies each user, and which the user uses to log in. For devise, this is the email field.
password: specifies the name of the param which holds the password used to authenticate a user. This is almost always password, but sometimes the param goes by a different name.
authenticate: specifies the name of the method on the User model which accepts a password to authenticate the user. This is the name of an instance method on the User model which accepts the password param, and returns either true or false to indicate authentication.
By default proof will handle invalid token by rendering json like so:
{ error: "Invalid Credentials." }
To customize this you have to options you can pass to proof_actions.
error_json: which allows you to fully overide the default json. Used like so:
proof_actions authenticatable: :User, authenticate: :valid_password?, error_json: { errors: { general: [ "Not Authorized" ] } } do |user, token|
Api::V1::SessionSerializer.new(user).attributes
end
raise_error: which instead of rendering json will trigger an exception that can be handled like so:
rescue_from Proof::NotAuthorizedError, with: :user_not_authorized
This will likely need to be in the ApplicationController.
The usage looks like:
Used like so:
proof_actions authenticatable: :User, authenticate: :valid_password?, raise_error: true do |user, token|
Api::V1::SessionSerializer.new(user).attributes
end
Proof also allows for a optional block that returns a hash to modify the json return
proof_actions authenticatable: :User do |user, token|
{
user_id: user.id,
email: user.email,
auth_token: token
}
end
When your application sends a POST request to the login action, it will return JSON with the key auth_token if it finds a valid user. Your application must then save this token and send it with every request under the Authorization HTTP header, in the Bearer format: Bearer [token].
You must route the login action yourself. For example, if you had a controller named AuthenticationController, you could create a /login route like so:
post '/login', to: 'authentication#login'
In order to restrict an action to authenticated users, simply use a before_action call for the actions you'd like to restrict:
before_action :require_proof, only: [:index, :show]
require_proof accepts the option authenticatable, representing the name of the User class. This is User by default. If you'd like to change it, you must call before_action like so:
before_action only: [:index, :show] do
require_proof authenticatable: :User
end
Where :User is the name of the model class representing your users.
Proof gives you access to the following helper methods in the views and the controllers:
current_user Returns the current authenticated user in the controller and the views. For example:
before_action :require_proof, only: :index
def index
@posts = current_user.posts
end
If you need to access the token yourself you can use Proof::Token.
For example if you want to send a token in a Serializer you can create the token like so.
Proof::Token.from_data({ user_id: object.id }, false, secret, 'HS256', expiration_date)
The parameters look like this:
- data
- expire_token = true
- secret_key = Rails.application.secrets.secret_key_base
- algorithm = 'HS256'
- expiration_date = 24.hours.from_now.to_i
To be used correctly data always needs a valid user_id.
Proof is fully-tested using MiniTest. Make sure to write tests for new functionality you add in, and run rake test before pushing your changes.
To help out, either contribute to this repository, or write adapters for popular client-side libraries, such as Ember, Angular, and React.