### 🔐 JWT Authentication Demo with Ruby & Rails
**What is JWT?**

A JSON Web Token (JWT) is a compact, self-contained way to securely transmit information between parties as a JSON object, digitally signed to ensure its integrity and authenticity—no need to maintain server-side session state 

**Why use JWT?**

>**Authentication**:

After a successful login, the client receives a token to include in subsequent requests (via Authorization: Bearer <token>), granting access to protected resources .

>**Scalability & simplicity**:

Because JWTs are stateless and self-verifiable, they eliminate the need for server-side session storage, making them ideal for APIs and distributed systems .

Totorial: 
🔐 [Rails JWT Authentication: A Practical Guide
Secure your Rails API with JSON Web Tokens — in a few clear steps](https://medium.com/jungletronics/rails-jwt-authentication-a-practical-guide-ed62126e0f70)

🛠 Prerequisite: Ensure your Rails app is running on port 3000.
The code below simulates requests made via Postman:

In [1]:
require 'net/http'
require 'json'
require 'uri'

BASE = "http://localhost:3000"

# 1️⃣ Cadastro de usuário
signup_uri = URI("#{BASE}/users")
signup_req = Net::HTTP::Post.new(signup_uri, 'Content-Type' => 'application/json')
signup_req.body = { username: "testuser", password: "123456", bio: "Full Stack Dev" }.to_json
signup_res = Net::HTTP.start(signup_uri.hostname, signup_uri.port) { |http| http.request(signup_req) }
puts "Signup #{signup_res.code}: #{signup_res.body}"

# 2️⃣ Login para obter o token
login_uri = URI("#{BASE}/auth/login")
login_req = Net::HTTP::Post.new(login_uri, 'Content-Type' => 'application/json')
login_req.body = { auth: { username: "testuser", password: "123456" } }.to_json
login_res = Net::HTTP.start(login_uri.hostname, login_uri.port) { |http| http.request(login_req) }
puts "Login #{login_res.code}: #{login_res.body}"

token = JSON.parse(login_res.body)["token"]
puts "Token captured: #{token}"

# 3️⃣ Chamada ao endpoint protegido '/me'
me_uri = URI("#{BASE}/me")
me_req = Net::HTTP::Get.new(me_uri)
me_req['Authorization'] = "Bearer #{token}"
me_res = Net::HTTP.start(me_uri.hostname, me_uri.port) { |http| http.request(me_req) }
puts "ME #{me_res.code}: #{me_res.body}"


Signup 201: {"id":1,"username":"testuser","bio":"Full Stack Dev"}
Login 200: {"user":{"id":1,"username":"testuser","password_digest":"$2a$12$g1wpd7Zwb9rmMTvFFNTypuFtXWeJIbYt37sgC1DYwB/4Ys63kdk/6","bio":"Full Stack Dev","created_at":"2025-07-04T14:33:10.597Z","updated_at":"2025-07-04T14:33:10.597Z"},"token":"eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoxLCJleHAiOjE3NTE3MjU5OTB9.zGRxTgZi99SkIc9-HGy9_t8Zu2-5pRwKbXNN0vaD-VE"}
Token captured: eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoxLCJleHAiOjE3NTE3MjU5OTB9.zGRxTgZi99SkIc9-HGy9_t8Zu2-5pRwKbXNN0vaD-VE
ME 200: {"id":1,"username":"testuser","bio":"Full Stack Dev"}


#### How this script works:
```
Step 1: Sends a POST to /users with a JSON body to create a user.
Step 2: Sends a POST to /auth/login to authenticate and captures the token from the response.
Step 3: Sends a GET to /me, using the token in the Authorization header, and prints the response.
```
This perfectly simulates the Postman flow (Signup → Login → Me) in Ruby.

#### Breakdown
Construct the URI
```
signup_uri = URI("#{BASE}/users"
```
Creates a URI object pointing to your app’s user‑signup endpoint.

Build a POST request
```
Net::HTTP::Post.new(signup_uri, 'Content-Type' => 'application/json')
```
Initializes an HTTP POST request and sets the Content-Type header to JSON.

Attach the JSON payload
```
signup_req.body = { … }.to_json
```
Sets the request body to a JSON‑encoded hash containing username, password, and bio.

Execute the request

```
signup_res = Net::HTTP.start(hostname, port) do |http|
  http.request(signup_req)
end
```
Opens a connection to the server, sends your POST request, and returns an HTTP response.

Print the response
```
puts "Signup #{signup_res.code}: #{signup_res.body}"
Logs the HTTP status code (e.g. 201) and the response body—typically the created user or an error.
```
🔍 Why It Matters

**Persistent connection**: `Net::HTTP.start` creates a connection within a block; it handles opening and closing it automatically 

**Flexibility for headers and body**: Using `Net::HTTP::Post.new` lets you customize headers like Content-Type and attach any JSON payload .

**Readable response**: You get both `response.code` (e.g., 201 Created) and `response.body` to handle success or error outcomes.

💡 **Tip for Expandability**

Use `Net::HTTP.new` without start if you plan to make multiple requests in sequence and want to keep the connection open manually (must call #finish later)

#### Now lets Encode and Decode JWT using rails

In [2]:
# ✅ Step 1: Load needed gems inline
require 'bundler/inline'

gemfile(true) do
  source 'https://rubygems.org'
  gem 'bcrypt', '~> 3.1.7'
  gem 'jwt'
  gem 'rspec', '~> 3.0'
end

require 'bcrypt'
require 'jwt'
require 'rspec/autorun'




Fetching gem metadata from https://rubygems.org/...
Resolving dependencies...


true

In [3]:
# ✅ Step 3: JWT service (same as Rails)
class JsonWebToken
  SECRET_KEY = 'test_secret'

  def self.encode(payload, exp = 24 * 3600) # exp is the number of seconds from now
    payload[:exp] = Time.now.to_i + exp
    JWT.encode(payload, SECRET_KEY, 'HS256')
  end

  def self.decode(token)
    body = JWT.decode(token, SECRET_KEY, true, algorithm: 'HS256').first
    return nil if Time.now.to_i > body['exp']
    body
  rescue JWT::DecodeError
    nil
  end
end


:decode

In [4]:
token = JsonWebToken.encode(user_id: 1, user_bio: "Development")

"eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoxLCJ1c2VyX2JpbyI6IkRldmVsb3BtZW50IiwiZXhwIjoxNzUxNzI1OTkyfQ.nxD25BMPxFWYzqlw0vVAh0IlzhV_STbOfSbr7FsIxqc"

In [5]:
token = JsonWebToken.encode({ username: "testuser", password: "123456", bio: "Full Stack Dev" })

"eyJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6InRlc3R1c2VyIiwicGFzc3dvcmQiOiIxMjM0NTYiLCJiaW8iOiJGdWxsIFN0YWNrIERldiIsImV4cCI6MTc1MTcyNTk5Mn0.mN6hwVfG_8Q2OJZr4CFMqOjuHNxmJ9uh2-iD6PRuvas"

In [6]:
token = JsonWebToken.encode(username: "testuser", password: "123456", bio: "Full Stack Dev")

"eyJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6InRlc3R1c2VyIiwicGFzc3dvcmQiOiIxMjM0NTYiLCJiaW8iOiJGdWxsIFN0YWNrIERldiIsImV4cCI6MTc1MTcyNTk5Mn0.mN6hwVfG_8Q2OJZr4CFMqOjuHNxmJ9uh2-iD6PRuvas"

In [7]:
token = JsonWebToken.encode({ username: "testuser" }, 60)
# payload[:exp] = Time.now.to_i + 60 s (1 minutes)


"eyJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6InRlc3R1c2VyIiwiZXhwIjoxNzUxNjM5NjUyfQ.yxkAyyTJhMo48iFMVN8T-um-SEJEccceWkvijjEye94"

#### Another approuch. 
This time we create a sort of salt. The secret key in dynamically created. You will need to use EDITOR="code --wait" rails credentials:edit command to set 

In [8]:
# ✅ Step 1: Load needed gems inline
require 'bundler/inline'

# Ensure bundler configuration is loaded so gems install correctly
require 'bundler'
Bundler.configure

gemfile(true) do
  source 'https://rubygems.org'
  gem 'bcrypt', '~> 3.1.7'
  gem 'jwt'
  gem 'rspec', '~> 3.0'
end

require 'bcrypt'
require 'jwt'
require 'rspec/autorun'

# ✅ Step 2: JSON Web Token helper
class JsonWebToken2
  GLOBAL_SECRET = "uma-chave-secreta-super-forte-aqui"
  # GLOBAL_SECRET = Rails.application.credentials.jwt.global_secret

  def self.encode(payload, exp = 24 * 3600, user: nil)
    payload[:exp] = Time.now.to_i + exp
    secret = GLOBAL_SECRET
    secret = "#{GLOBAL_SECRET}-#{user.id}-#{user.created_at.to_i}" if user
    JWT.encode(payload, secret, 'HS256')
  end

  def self.decode(token)
    decoded_header = JWT.decode(token, nil, false).first
    payload = decoded_header # sem validação ainda

    secret = GLOBAL_SECRET
    if payload['user_id']
      user = User.find_by(id: payload['user_id'])
      secret = "#{GLOBAL_SECRET}-#{user.id}-#{user.created_at.to_i}" if user
    end

    JWT.decode(token, secret, true, algorithm: 'HS256')[0]
  rescue JWT::DecodeError
    nil
  end
end


Fetching gem metadata from https://rubygems.org/...
Resolving dependencies...


:decode

In [9]:
token = JsonWebToken2.encode({ username: "testuser" }, 60)

"eyJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6InRlc3R1c2VyIiwiZXhwIjoxNzUxNjM5NjUyfQ.d5x5_FgmHf8fjYJAGuSG19PIa2_qByKm7Qj3VQ3oqdI"

### Overview of the Next Code - SESSIONS IN RAILS

#### 1. Purpose
This code demonstrates how Rails encrypts and decrypts session data (like an access token and user ID) using `ActiveSupport::MessageEncryptor`. 

This mechanism underpins **secure session** and **cookie storage** in Rails applications.

#### 2. Key Derivation

It begins by simulating a typical **Rails secret_key_base**.

Uses `ActiveSupport::KeyGenerator` to derive two strong keys:

One **for encryption**, using the **salt** *"authenticated encrypted cookie"*.

One **for signing**, using the **salt** *"signed encrypted cookie"*.
This process ensures cryptographic safety and consistency with Rails conventions. 

#### 3. MessageEncryptor Initialization

Creates a `MessageEncryptor with AES‑256‑GCM` (an authenticated encryption algorithm).

Data is serialized with JSON before encryption. 

#### 4. Encrypt & Sign

Takes a session-like Ruby hash:
```
session_data = { access_token: 'dummy.jwt.token', user_id: 42 }
encryptor.encrypt_and_sign(session_data) performs:
```
`Serialization → Encryption + Authentication Tag → Signing`

Produces a base64 string that's safe for transport (e.g., as a cookie or header).

#### 5. Decrypt & Verify

The same encryptor is used to reverse the process:

It validates integrity (via the tag and signature).

Decrypts the ciphertext.

Deserializes JSON back to the original hash.

If tampering is detected or the payload is invalid, an InvalidMessage exception is raised. 


##### Summary:
```
Rails uses ActiveSupport::MessageEncryptor to securely store session data. Keys are derived from secret_key_base with dedicated salts, ensuring confidentiality and authenticity via AES‑256‑GCM. This secure structure allows Rails to save sensitive session information (like JWT tokens) in cookies or server-side storage and safely retrieve it on each request.

```

In [10]:
require 'bundler/inline'

gemfile(true) do
  source 'https://rubygems.org'
  gem 'activesupport', '~> 8.0'
  gem 'json'
end


Fetching gem metadata from https://rubygems.org/........
Resolving dependencies...


[<Bundler::Dependency type=:runtime name="activesupport" requirements="~> 8.0">, <Bundler::Dependency type=:runtime name="json" requirements=">= 0">]

In [11]:
# ✅ Jupyter Cell: Simulating Rails session encryption & decryption

require 'active_support'
require 'active_support/message_encryptor'
require 'openssl'
require 'json'
require 'cgi'
require 'net/http'
require 'uri'
require 'jwt'

BASE = "http://localhost:3000"

# --- Part 1: Rails‑style Session Encryption ---

secret_key_base = 'a_secure_random_string_used_by_rails'

key_len = ActiveSupport::MessageEncryptor.key_len
key_generator = ActiveSupport::KeyGenerator.new(secret_key_base, iterations: 1000)
secret = key_generator.generate_key('authenticated encrypted cookie', key_len)
sign_secret = key_generator.generate_key('signed encrypted cookie', key_len)

encryptor = ActiveSupport::MessageEncryptor.new(secret, sign_secret, cipher: 'aes-256-gcm', serializer: JSON)

session_data = { access_token: 'dummy.jwt.token', user_id: 42 }
cookie = encryptor.encrypt_and_sign(session_data)
puts "**Encrypted Rails‑style cookie:**\n#{CGI.escape(cookie)}"

cookie_unescaped = CGI.unescape(cookie)
decrypted = encryptor.decrypt_and_verify(cookie_unescaped)
puts "**Decrypted session data:**\n#{decrypted.inspect}"

# --- Part 2: Real Flow with Simulated Session and JWT ---

# 1️⃣ Signup
signup_uri = URI("#{BASE}/users")
signup_req = Net::HTTP::Post.new(signup_uri, 'Content-Type' => 'application/json')
signup_req.body = { username: "testuser", password: "123456", bio: "Full Stack Dev" }.to_json
signup_res = Net::HTTP.start(signup_uri.hostname, signup_uri.port) { |http| http.request(signup_req) }
puts "\nSignup #{signup_res.code}: #{signup_res.body}"

# 2️⃣ Login (capture JWT token)
login_uri  = URI("#{BASE}/auth/login")
login_req  = Net::HTTP::Post.new(login_uri, 'Content-Type' => 'application/json')
login_req.body = { auth: { username: "testuser", password: "123456" } }.to_json
login_res  = Net::HTTP.start(login_uri.hostname, login_uri.port) { |http| http.request(login_req) }
token = JSON.parse(login_res.body)["token"] rescue nil
puts "Login #{login_res.code}: #{login_res.body}"

# 3️⃣ Simulate storing it in a Rails session
session = { access_token: token }
puts "Session stored token? => #{session[:access_token].nil? ? 'No' : 'Yes'}"

# 4️⃣ Call protected endpoint using the token
me_uri = URI("#{BASE}/me")
me_req = Net::HTTP::Get.new(me_uri)
me_req['Authorization'] = "Bearer #{session[:access_token]}"
me_res = Net::HTTP.start(me_uri.hostname, me_uri.port) { |http| http.request(me_req) }
puts "Protected /me → #{me_res.code}: #{me_res.body}"




**Encrypted Rails‑style cookie:**
S0T33hXolWH7nmVZ0mTwMQLTL1VLdONZJJ49CoZBjYjagSEf7K8dzm9ZBgn56D4%3D--15S5L9KF3oT63GHF--umwg%2FbqC4XFjD3OGaUiQ0w%3D%3D
**Decrypted session data:**
{"access_token" => "dummy.jwt.token", "user_id" => 42}

Signup 422: {"errors":["Username has already been taken"]}
Login 200: {"user":{"id":1,"username":"testuser","password_digest":"$2a$12$g1wpd7Zwb9rmMTvFFNTypuFtXWeJIbYt37sgC1DYwB/4Ys63kdk/6","bio":"Full Stack Dev","created_at":"2025-07-04T14:33:10.597Z","updated_at":"2025-07-04T14:33:10.597Z"},"token":"eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoxLCJleHAiOjE3NTE3MjU5OTN9.QQIy2sAaEeUSs3syuOLgQFT2Ofj54OQSSpVv4cFdCas"}
Session stored token? => Yes
Protected /me → 200: {"id":1,"username":"testuser","bio":"Full Stack Dev"}


In [12]:
require 'active_support'
require 'active_support/message_encryptor'
require 'openssl'
require 'json'

# Simulate Rails secret_key_base
secret_key_base = 'a_secure_random_string_used_by_rails'
key_len = ActiveSupport::MessageEncryptor.key_len
key_gen = ActiveSupport::KeyGenerator.new(secret_key_base, iterations: 1000)

secret      = key_gen.generate_key('authenticated encrypted cookie', key_len)
sign_secret = key_gen.generate_key('signed encrypted cookie', key_len)

encryptor = ActiveSupport::MessageEncryptor.new(secret, sign_secret, cipher: 'aes-256-gcm', serializer: JSON)

session_data = { access_token: 'dummy.jwt.token', user_id: 42 }

# ✨ Encrypt and sign
encrypted = encryptor.encrypt_and_sign(session_data)
puts "Encrypted (for display):\n#{CGI.escape(encrypted)}\n\n"

# 🔑 Properly decrypt
decrypted = encryptor.decrypt_and_verify(encrypted)
puts "Decrypted session data:\n#{decrypted.inspect}"


Encrypted (for display):
Y6PsTwz2yeainuSxAYNq51HTfAa90FcOpWduSP5cWScus%2F6z%2F91M7bO4t6sQu%2Fc%3D--MgJ%2FFYs62nDlwRcA--jI5TIoukmod2vGBz08Hm3g%3D%3D

Decrypted session data:
{"access_token" => "dummy.jwt.token", "user_id" => 42}


In [13]:
puts "That's it!. Thank you for reading!"

That's it!. Thank you for reading!
