'working' WIP on API user auth

GreaterGamersLounge · Jan 7, 2020 · 5e21a4b · 5e21a4b
1 parent f972f79
commit 5e21a4b
Show file tree

Hide file tree

Showing 32 changed files with 84 additions and 370 deletions.
diff --git a/Gemfile b/Gemfile
@@ -18,6 +18,7 @@ gem 'jbuilder', '~> 2.7'
 # Use Active Model has_secure_password
 # gem 'bcrypt', '~> 3.1.7'
 gem 'devise'
+# gem 'jwt'
 
 # Use Active Storage variant
 # gem 'image_processing', '~> 1.2'

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
@@ -1,2 +1,40 @@
+# frozen_string_literal: true
+
 class ApplicationController < ActionController::Base
+  # Prevent CSRF attacks by raising an exception.
+  # For APIs, you may want to use :null_session instead.
+  protect_from_forgery with: :null_session
+  skip_before_action :verify_authenticity_token
+
+  respond_to :json
+
+  before_action :authenticate_user
+
+  private
+
+  def authenticate_user!(options = {})
+    head :unauthorized unless signed_in?
+  end
+
+  def current_user
+    @current_user ||= super || User.find(@current_user_id)
+  end
+
+  def signed_in?
+    @current_user_id.present?
+  end
+
+  def authenticate_user
+    if request.headers['Authorization'].present?
+      authenticate_or_request_with_http_token do |token|
+        begin
+          jwt_payload = JWT.decode(token, Rails.application.secrets.secret_key_base).first
+
+          @current_user_id = jwt_payload['id']
+        rescue JWT::ExpiredSignature, JWT::VerificationError, JWT::DecodeError
+          head :unauthorized
+        end
+      end
+    end
+  end
 end
diff --git a/app/controllers/dashboards_controller.rb b/app/controllers/dashboards_controller.rb
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+class SessionsController < Devise::SessionsController
+  def create
+    user = User.find_by_email(sign_in_params[:email])
+
+    if user && user.valid_password?(sign_in_params[:password])
+      @current_user = user
+    else
+      render json: { errors: { 'email or password' => ['is invalid'] } }, status: :unprocessable_entity
+    end
+  end
+end
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
@@ -1,5 +1,5 @@
 class UsersController < ApplicationController
-  before_action :set_user, only: [:show, :edit, :update, :destroy]
+  # before_action :set_user, only: [:show, :edit, :update, :destroy]
   before_action :authenticate_user!
 
   # GET /users
@@ -29,10 +29,8 @@ def create
 
     respond_to do |format|
       if @user.save
-        format.html { redirect_to @user, notice: 'User was successfully created.' }
         format.json { render :show, status: :created, location: @user }
       else
-        format.html { render :new }
         format.json { render json: @user.errors, status: :unprocessable_entity }
       end
     end
@@ -43,10 +41,8 @@ def create
   def update
     respond_to do |format|
       if @user.update(user_params)
-        format.html { redirect_to @user, notice: 'User was successfully updated.' }
         format.json { render :show, status: :ok, location: @user }
       else
-        format.html { render :edit }
         format.json { render json: @user.errors, status: :unprocessable_entity }
       end
     end
@@ -57,7 +53,6 @@ def update
   def destroy
     @user.destroy
     respond_to do |format|
-      format.html { redirect_to users_url, notice: 'User was successfully destroyed.' }
       format.json { head :no_content }
     end
   end
@@ -71,11 +66,8 @@ def set_user
     # Never trust parameters from the scary internet, only allow the white list through.
     def user_params
       params.require(:user).permit(
-        :username,
         :email,
-        :password,
-        :salt,
-        :encrypted_password
+        :password
       )
     end
 end
diff --git a/app/models/user.rb b/app/models/user.rb
@@ -3,4 +3,18 @@
 class User < ApplicationRecord
   devise :database_authenticatable, :lockable,
          :recoverable, :rememberable, :validatable, :trackable
+
+  validates :email,
+    presence: true,
+    uniqueness: true,
+    format: { with: /\A([^@\s]+)@((?:[-a-z0-9]+\.)+[a-z]{2,})\z/i }
+
+  def generate_jwt
+    JWT.encode({
+        id: id,
+        exp: 7.days.from_now.to_i
+      },
+      Rails.application.secrets.secret_key_base
+    )
+  end
 end
diff --git a/app/views/dashboards/show.html.erb b/app/views/dashboards/show.html.erb
diff --git a/app/views/devise/registrations/create.json.jbuilder b/app/views/devise/registrations/create.json.jbuilder
@@ -0,0 +1,3 @@
+json.user do |json|
+  json.partial! 'users/user', user: current_user
+end
diff --git a/app/views/devise/sessions/create.json.jbuilder b/app/views/devise/sessions/create.json.jbuilder
@@ -0,0 +1,3 @@
+json.user do |json|
+  json.partial! 'users/user', user: current_user
+end
diff --git a/app/views/users/_form.html.erb b/app/views/users/_form.html.erb
diff --git a/app/views/users/_user.json.jbuilder b/app/views/users/_user.json.jbuilder
@@ -1,2 +1,3 @@
 json.extract! user, :id, :created_at, :updated_at
 json.url user_url(user, format: :json)
+json.token user.generate_jwt
diff --git a/app/views/users/confirmations/new.html.erb b/app/views/users/confirmations/new.html.erb
diff --git a/app/views/users/edit.html.erb b/app/views/users/edit.html.erb
diff --git a/app/views/users/index.html.erb b/app/views/users/index.html.erb
diff --git a/app/views/users/mailer/confirmation_instructions.html.erb b/app/views/users/mailer/confirmation_instructions.html.erb
diff --git a/app/views/users/mailer/email_changed.html.erb b/app/views/users/mailer/email_changed.html.erb
diff --git a/app/views/users/mailer/password_change.html.erb b/app/views/users/mailer/password_change.html.erb
diff --git a/app/views/users/mailer/reset_password_instructions.html.erb b/app/views/users/mailer/reset_password_instructions.html.erb
diff --git a/app/views/users/mailer/unlock_instructions.html.erb b/app/views/users/mailer/unlock_instructions.html.erb
diff --git a/app/views/users/new.html.erb b/app/views/users/new.html.erb
diff --git a/app/views/users/passwords/edit.html.erb b/app/views/users/passwords/edit.html.erb
diff --git a/app/views/users/passwords/new.html.erb b/app/views/users/passwords/new.html.erb
diff --git a/app/views/users/registrations/edit.html.erb b/app/views/users/registrations/edit.html.erb