Ask A Question

Notifications

You’re not receiving notifications from this thread.

JSON Web Token Authentication From Scratch Discussion

Masud Rana Hossain Masud Rana Hossain

So does this mean that the authentication is now also a token based API? Is this testable on postman?

I redid my whole authentication because I found that the Devise gem (the way it came out of the box) wasn't allowing me to make it into a token based API for me to use with my iOS app.

Reply

This setup is for only accepting tokens to authenticate on the API. You can just pass over the Authorization header in Postman to test it out. You'll need a valid token, but just pass in "Authorization: bearer YOURTOKEN" as the header and that should do it.

Btw, the other episode I posted today shows how you can take this code and add it as a Devise strategy so you can use tokens to authenticate with Devise alongside cookies. Check that one out so you can see how to use Devise with it. :)

Reply

Hey Chris,

Thanks for the great episode. There is a thing though that I don't understand. There can be many tokens for the same user (for instance the user logs in again --> everything is the same except secret signature OR a fake one that has the same payload). According to my understanding, to make sure everything goes fine you should check against the secret signature, but I don't see it in the video. When you create a token and send it back to the user, shouldn't you also save the token or at least the secret signature part of the token? Then when the client sends over the token you can check if the secret signature in the db is the same as in the request.

What you do in the video is only checking the payload part, and I don't really understand how that could work securely.

Reply

The JWT gem we use verifies the signature every time you call decode on it, so every token is verified, as well as the expirations and other features it supports. It's fine to have multiple tokens per user (one for each device for example) but because things can change you want to use expirations so they can get a more recent version of the token. There's no need to store anything server-side in the db because this is designed to be stateless.

Does that make more sense?

Reply

Very nice tutorial @excid3:disqus really made a lot of things clear.

Reply

Such a great JWT series!! Thank you so much!
Really saving my life!)

Reply

Love the suggestion about rescuing and raising, really appreciate the UX thought in the comment.

Reply

i am looking at adding an API to my app i want to keep it simple like many other apps uses and a single API key for the account to access my account data.

All these tutorials seemed geared towards user based authentication.

is one way better or worse than the other?

Reply

Hi Chris,
I am having some troubles and was woundering if you could help me out.
I am getting an 'NoMthodError (undefined method valid_password? for #' when trying to get a JTW. I already checked that the user thqt find_by() gives back return is not nil. I dont know what else to do.
Thanks in advance.

Reply

Use Devise to create the User because valid_password? is a Devise method.

Reply

I want to implement a cookieless sessions part of my site. It runs in an iframe and cookies are causing a lot of problems. Would JWT auth be good for this? The main stumbling block i think is secruity. Is it safe to write the token into the links on each page so that the token is passed on each request? It seems like that wouldn't be secure as hackers could grab it and use it to login.

Reply

Yeah, that's the main argument for using cookies. They can't be stolen easily because the browser secure them. It also introduces some annoyances building services with iframes and things. CORS is confusing, but may be able to solve your problems with cookies. JWTs have to be stored in LocalStorage and that means they aren't really stored securely if Javascript can access it.

Reply

Hi Chris. CORS isn't enough in this case. I'm hitting quite a few issues with ITP (https://webkit.org/blog/9521/intelligent-tracking-prevention-2-3/) on safari, and that is soon going to be an issue on the other browsers. That is workaroundable with Storage Access API, however when users open sites within a facebook/instagram/whatever type app, the site is opened in a WKWebView which doesn't like cookies at all and I don't think can be worked around. Hence the thoughts around using tokens. My current plan is to use shortlived tokens that are added to all the site links. Which sounds very not secure.

Reply

Hi, I was following this tutorial and I got a lot of errors from the authentication. using the curl -v --data command in the terminal returns HTML, but when I comment out the skip_before_action :authenticate_token! in the authentication controller it works like in the video only thing is I have to also comment out 'before_action :authenticate_user!' in the ApiController ...but here you have everything uncommented and it works

Reply

Hi @AshakaE, did you ever get a solution to this?

Reply

hi , anyone knows how to logout (destroy method) from these JWTs

Reply

Not exactly, what you can do is send an expired JWT when the user logs out so it invalidates other actions .

Reply

but what if the user remembers a valid previous JWT and sends a request even if he is logged out?

Reply

I followed the steps in this video but keep getting an error:


TypeError
in Api::V1::AuthenticationController#create




no implicit conversion of Symbol into Integer

Did I miss anything? In the end I copied directly from the repo for each file and I keep getting this.

Reply
Join the discussion
Create an account Log in

Want to stay up-to-date with Ruby on Rails?

Join 87,563+ developers who get early access to new tutorials, screencasts, articles, and more.

    We care about the protection of your data. Read our Privacy Policy.