### 🔐 JWT Authentication Demo with Ruby & Rails
**What is JWT?**

A JSON Web Token (JWT) is a compact, self-contained way to securely transmit information between parties as a JSON object, digitally signed to ensure its integrity and authenticity—no need to maintain server-side session state 

**Why use JWT?**

>**Authentication**:

After a successful login, the client receives a token to include in subsequent requests (via Authorization: Bearer <token>), granting access to protected resources .

>**Scalability & simplicity**:

Because JWTs are stateless and self-verifiable, they eliminate the need for server-side session storage, making them ideal for APIs and distributed systems .

Tutorial: 
🔐 [Rails JWT Authentication: A Practical Guide
Secure your Rails API with JSON Web Tokens — in a few clear steps](https://medium.com/jungletronics/rails-jwt-authentication-a-practical-guide-ed62126e0f70)

🛠 Prerequisite: Ensure your Rails app is running on port 3000.
The code below simulates requests made via Postman:

In [1]:
require 'net/http'
require 'json'
require 'uri'

BASE = "http://localhost:3000"

# 1️⃣ Cadastro de usuário
signup_uri = URI("#{BASE}/users")
signup_req = Net::HTTP::Post.new(signup_uri, 'Content-Type' => 'application/json')
signup_req.body = { username: "testuser", password: "123456", bio: "Full Stack Dev" }.to_json
signup_res = Net::HTTP.start(signup_uri.hostname, signup_uri.port) { |http| http.request(signup_req) }
puts "Signup #{signup_res.code}: #{signup_res.body}"

# 2️⃣ Login para obter o token
login_uri = URI("#{BASE}/auth/login")
login_req = Net::HTTP::Post.new(login_uri, 'Content-Type' => 'application/json')
login_req.body = { auth: { username: "testuser", password: "123456" } }.to_json
login_res = Net::HTTP.start(login_uri.hostname, login_uri.port) { |http| http.request(login_req) }
puts "Login #{login_res.code}: #{login_res.body}"

token = JSON.parse(login_res.body)["token"]
puts "Token captured: #{token}"

# 3️⃣ Chamada ao endpoint protegido '/me'
me_uri = URI("#{BASE}/me")
me_req = Net::HTTP::Get.new(me_uri)
me_req['Authorization'] = "Bearer #{token}"
me_res = Net::HTTP.start(me_uri.hostname, me_uri.port) { |http| http.request(me_req) }
puts "ME #{me_res.code}: #{me_res.body}"


Signup 201: {"id":1,"username":"testuser","bio":"Full Stack Dev"}
Login 200: {"user":{"id":1,"username":"testuser","password_digest":"$2a$12$Un2EP3qJovlgyjE0ahz5EuOCw9VezWskMcoqXHJPCiQcEd91MkHqK","bio":"Full Stack Dev","created_at":"2025-07-03T15:23:22.637Z","updated_at":"2025-07-03T15:23:22.637Z"},"token":"eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoxLCJleHAiOjE3NTE2NDI2MDJ9.DgOkQQ-RJF1U7T6ZlBwHUycuwA6SlZ-P3rLac2htXfI"}
Token captured: eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoxLCJleHAiOjE3NTE2NDI2MDJ9.DgOkQQ-RJF1U7T6ZlBwHUycuwA6SlZ-P3rLac2htXfI
ME 200: {"id":1,"username":"testuser","bio":"Full Stack Dev"}


#### How this script works:
```
Step 1: Sends a POST to /users with a JSON body to create a user.
Step 2: Sends a POST to /auth/login to authenticate and captures the token from the response.
Step 3: Sends a GET to /me, using the token in the Authorization header, and prints the response.
```
This perfectly simulates the Postman flow (Signup → Login → Me) in Ruby.

#### Breakdown
Construct the URI
```
signup_uri = URI("#{BASE}/users"
```
Creates a URI object pointing to your app’s user‑signup endpoint.

Build a POST request
```
Net::HTTP::Post.new(signup_uri, 'Content-Type' => 'application/json')
```
Initializes an HTTP POST request and sets the Content-Type header to JSON.

Attach the JSON payload
```
signup_req.body = { … }.to_json
```
Sets the request body to a JSON‑encoded hash containing username, password, and bio.

Execute the request

```
signup_res = Net::HTTP.start(hostname, port) do |http|
  http.request(signup_req)
end
```
Opens a connection to the server, sends your POST request, and returns an HTTP response.

Print the response
```
puts "Signup #{signup_res.code}: #{signup_res.body}"
Logs the HTTP status code (e.g. 201) and the response body—typically the created user or an error.
```
🔍 Why It Matters

**Persistent connection**: `Net::HTTP.start` creates a connection within a block; it handles opening and closing it automatically 

**Flexibility for headers and body**: Using `Net::HTTP::Post.new` lets you customize headers like Content-Type and attach any JSON payload .

**Readable response**: You get both `response.code` (e.g., 201 Created) and `response.body` to handle success or error outcomes.

💡 **Tip for Expandability**

Use `Net::HTTP.new` without start if you plan to make multiple requests in sequence and want to keep the connection open manually (must call #finish later)

#### Now lets Encode and Decode JWT using rails

In [2]:
# ✅ Step 1: Load needed gems inline
require 'bundler/inline'

gemfile(true) do
  source 'https://rubygems.org'
  gem 'bcrypt', '~> 3.1.7'
  gem 'jwt'
  gem 'rspec', '~> 3.0'
end

require 'bcrypt'
require 'jwt'
require 'rspec/autorun'




Fetching gem metadata from https://rubygems.org/...
Resolving dependencies...


true

In [3]:
# ✅ Step 3: JWT service (same as Rails)
class JsonWebToken
  SECRET_KEY = 'test_secret'

  def self.encode(payload, exp = 24 * 3600) # exp is the number of seconds from now
    payload[:exp] = Time.now.to_i + exp
    JWT.encode(payload, SECRET_KEY, 'HS256')
  end

  def self.decode(token)
    body = JWT.decode(token, SECRET_KEY, true, algorithm: 'HS256').first
    return nil if Time.now.to_i > body['exp']
    body
  rescue JWT::DecodeError
    nil
  end
end


:decode

In [4]:
token = JsonWebToken.encode(user_id: 1, user_bio: "Development")

"eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoxLCJ1c2VyX2JpbyI6IkRldmVsb3BtZW50IiwiZXhwIjoxNzUxNjQyNjAzfQ.SyTsxsoWnu4PV9XqNIvpZs7CFqCdPYTl9EbAsv-qhe4"

In [5]:
token = JsonWebToken.encode({ username: "testuser", password: "123456", bio: "Full Stack Dev" })

"eyJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6InRlc3R1c2VyIiwicGFzc3dvcmQiOiIxMjM0NTYiLCJiaW8iOiJGdWxsIFN0YWNrIERldiIsImV4cCI6MTc1MTY0MjYwM30._cxoXWXqincQBwe1GooYQeedyiHw_XzNtj5KUwrUzBs"

In [6]:
token = JsonWebToken.encode(username: "testuser", password: "123456", bio: "Full Stack Dev")

"eyJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6InRlc3R1c2VyIiwicGFzc3dvcmQiOiIxMjM0NTYiLCJiaW8iOiJGdWxsIFN0YWNrIERldiIsImV4cCI6MTc1MTY0MjYwM30._cxoXWXqincQBwe1GooYQeedyiHw_XzNtj5KUwrUzBs"

In [7]:
token = JsonWebToken.encode({ username: "testuser" }, 60)
# payload[:exp] = Time.now.to_i + 60 s (1 minutes)


"eyJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6InRlc3R1c2VyIiwiZXhwIjoxNzUxNTU2MjYzfQ.3Sgxki-Ma6Hgfh954PUbGtcYxis5On7k9gPN3Amowcc"

#### Another approuch. 
This time we create a sort of salt. The secret key in dynamically created. You will need to use EDITOR="code --wait" rails credentials:edit command to set 

In [8]:
# ✅ Step 1: Load needed gems inline
require 'bundler/inline'

# Ensure bundler configuration is loaded so gems install correctly
require 'bundler'
Bundler.configure

gemfile(true) do
  source 'https://rubygems.org'
  gem 'bcrypt', '~> 3.1.7'
  gem 'jwt'
  gem 'rspec', '~> 3.0'
end

require 'bcrypt'
require 'jwt'
require 'rspec/autorun'

# ✅ Step 2: JSON Web Token helper
class JsonWebToken2
  GLOBAL_SECRET = "uma-chave-secreta-super-forte-aqui"
  # GLOBAL_SECRET = Rails.application.credentials.jwt.global_secret

  def self.encode(payload, exp = 24 * 3600, user: nil)
    payload[:exp] = Time.now.to_i + exp
    secret = GLOBAL_SECRET
    secret = "#{GLOBAL_SECRET}-#{user.id}-#{user.created_at.to_i}" if user
    JWT.encode(payload, secret, 'HS256')
  end

  def self.decode(token)
    decoded_header = JWT.decode(token, nil, false).first
    payload = decoded_header # sem validação ainda

    secret = GLOBAL_SECRET
    if payload['user_id']
      user = User.find_by(id: payload['user_id'])
      secret = "#{GLOBAL_SECRET}-#{user.id}-#{user.created_at.to_i}" if user
    end

    JWT.decode(token, secret, true, algorithm: 'HS256')[0]
  rescue JWT::DecodeError
    nil
  end
end


Fetching gem metadata from https://rubygems.org/...
Resolving dependencies...


:decode

In [9]:
token = JsonWebToken2.encode({ username: "testuser" }, 60)

"eyJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6InRlc3R1c2VyIiwiZXhwIjoxNzUxNTU2MjY0fQ.PUGG4Otd-_-V7fTG2D2_WTblby-QUxxM8ENH-qJhNW8"

In [10]:
print "That's It . Thanks for reading"

That's It . Thanks for reading