Back to nebulab.it

Authentication with Rails, JWT and ReactJS

March 13, 2015 by Andrea Pavoni in rails, javascript, react

Here at Nebulab we love to hack with new exciting technologies, that’s why we dedicate 20% of our work time for study and open source contribution. In this post we’ll cover authentication made with Rails, JSON Web Tokens and ReactJS.

How JSON Web Token works

JSON Web Token (aka JWT) is a useful standard becoming more prevalent, it allows you to sign information with a signature that can be verified at a later time with a secret signing key. It is a perfect solution for single page apps, avoiding the use of sessions to allow communication between a client (not necessarily a browser) and a server. In its simplest form, JWT is composed by three URL encoded parts:

  • Header: it represents the metadata for the token and contains at least the type of the signature and/or encryption algorithm
  • Claims: is the information you want to sign
  • JSON Web Signature (JWS): it is composed by the header and the claims digitally signed using the algorithm specified in the header

Here is a basic example of how to generate a JWT with plain Javascript:

// Header
var header = {
  "alg": "HS256", // algorithm used for the  signature
  "typ": "JWT"    // the type of token
};

// Claims
var claims = {
  "id": "1234567890",
  "name": "John Doe",
  "email": "johndoe@example.com"
};

// Signature
var payload = base64UrlEncode(header) + "." + base64UrlEncode(claims);
var signature = HMACSHA256(payload, 'my_secret');

// JWT
var myJWT = payload + "." + signature;

The server side

We’re using Rails for the server side part, so we installed the jwt gem and wrote some code to integrate it inside our app:

# lib/json_web_token.rb

class JsonWebToken
  class << self
    def encode(payload, exp = 24.hours.from_now)
      payload[:exp] = exp.to_i
      JWT.encode(payload, Rails.application.secrets.secret_key_base)
    end

    def decode(token)
      body = JWT.decode(token, Rails.application.secrets.secret_key_base)[0]
      HashWithIndifferentAccess.new body
    rescue
      # we don't need to trow errors, just return nil if JWT is invalid or expired
      nil
    end
  end
end

Authenticating the user with email and password

At this point, we needed two workflows: the first one only happens the first time the user authenticates. Once the user’s identity is verified, the JWT is created. Note: We used simple_command gem to manage this part, it helped a lot in keeping Rails controllers and models very slim.

# app/commands/authenticate_user.rb

class AuthenticateUser
  prepend SimpleCommand

  def initialize(email, password)
    @email = email
    @password = password
  end

  def call
    JsonWebToken.encode(user_id: user.id) if user
  end

  private

  attr_accessor :email, :password

  def user
    user = User.by_email(email)
    return user if user && user.authenticate(password)

    errors.add :user_authentication, 'invalid credentials'
    nil
  end
end

Followed by the controller that uses it:

# app/controllers/authentication_controller.rb

class AuthenticationController < ApplicationController
  skip_before_action :authenticate_request

  def authenticate
    command = AuthenticateUser.call(params[:email], params[:password])

    if command.success?
      render json: { auth_token: command.result }
    else
      render json: { error: command.errors }, status: :unauthorized
    end
  end
end
Authentication on following requests

The second part is related to authenticating the requests from client using the JWT we generated during user authentication:

# app/commands/authenticate_api_request.rb

class AuthenticateApiRequest
  prepend SimpleCommand

  def initialize(headers = {})
    @headers = headers
  end

  def call
    user
  end

  private

  attr_reader :headers

  def user
    @user ||= User.find(decoded_auth_token[:user_id]) if decoded_auth_token
    @user || errors.add(:token, 'Invalid token') && nil
  end

  def decoded_auth_token
    @decoded_auth_token ||= JsonWebToken.decode(http_auth_header)
  end

  def http_auth_header
    if headers['Authorization'].present?
      return headers['Authorization'].split(' ').last
    else
      errors.add :token, 'Missing token'
    end
    nil
  end
end

And again, the controller part:

class ApplicationController < ActionController::API
  before_action :authenticate_request

  attr_reader :current_user
  helper_method :current_user

  private

  def authenticate_request
    @current_user = AuthenticateApiRequest.call(request.headers).result

    render json: { error: 'Not Authorized' }, status: 401 unless @current_user
  end
end

As you can see it is very simple and similar to session based authentication. The only difference is the fact that we are dealing with a token instead of a cookie.

The client side

Of course, the browser doesn’t know how to deal with JWTs and thus, it needs to store the JWT for its subsequent requests. To make this possible, we relied on a relatively recent feature of HTML5 called localStorage that allows to store key/value pairs on the browser. For the Javascript part we chose ReactJS, but keep in mind that this is possible using plain Javascript and we just wrapped the necessary code inside our app.

Setup

Before proceedeing it’s important to highlight the fact that we skipped the default Rails asset pipeline and relied on a stack based on NodeJS, Browserify and Gulp with a bunch of plugins. The main reason is the fact that the NodeJS (and npm) stack is easier, faster and kept updated, without having to deal with wrapper gems. To adapt your rails app is quite easy, just edit config/application.rb and disable the javascript asset generator:

# ...

module JWTReactApp
  class Application < Rails::Application
    # more configs...

    config.generators do |generate|
      # DISABLE ASSET GENERATORS
      generate.javascript_engine false
      # more generator configs...
    end
  end
end

Setup the NodeJS packages we’re going to use through package.json:

{
  "name": "my_react_app",
  "version": "0.0.0",
  "description": "ReactJS app",
  "main": "index.js",
  "scripts": {},
  "author": "Andrea Pavoni",
  "license": "MIT",
  "homepage": "",
  "dependencies": {
    "browserify": "^8.1.3",
    "coffee-react": "^2.4.1",
    "coffee-reactify": "^2.1.0",
    "coffee-script": "^1.9.1",
    "gulp": "^3.8.11",
    "gulp-browserify": "^0.5.1",
    "gulp-rename": "^1.2.0",
    "gulp-size": "^1.2.1",
    "gulp-util": "^3.0.4",
    "jquery": "^2.1.3",
    "react": "^0.12.2"
  }
}

Finally a basic a gulpfile.coffee to manage the tasks. These will work like rake in the Ruby world. In our case, it exposes build and watch, which respectively bundles all the javascripts in one file and watches the filesystem for changes to javascripts to rebuild:

gulp = require("gulp")
gutil = require("gulp-util")
browserify = require("gulp-browserify")
rename = require("gulp-rename")
size = require("gulp-size")

JS_SRC='./app/assets/javascripts'
DEST='public'
JS_BUNDLE='app'

gulp.task 'build', ->
  gulp.src("#{JS_SRC}/application.coffee", { read: false })
    .pipe(browserify(
      transform: ['coffee-reactify']
      extensions: ['.coffee']
    ))
    .on("error", gutil.log)
    .pipe(rename("#{JS_BUNDLE}.js"))
    .pipe gulp.dest("#{DEST}/js")
    .pipe(size showFiles: true, title: "Plain JS")

gulp.task "watch", ->
  gulp.watch "#{JS_SRC}/**/*.coffee", ['build']

gulp.task "default", ["build"]

NOTE: For those not confident with CoffeeScript, you can easily translate it into plain Javascript with js2coffee online tool.

The client side, for real

Our initial implementation started with a simple utility library to manage the authentication for the client side:

# app/assets/javascripts/lib/auth.coffee

authenticateUser = (email, password, callback) ->
  $.ajax '/authenticate',
    type: 'POST'
    data: {email: email, password: password}
    success: (resp) ->
      callback(authenticated: true, token: resp.auth_token)
    error: (resp) ->
      callback(authenticated: false)

module.exports =
  login: (email, pass, callback) ->
    if @loggedIn()
      callback(true) if callback
      @onChange true
      return

    authenticateUser email, pass, (res) =>
      authenticated = false
      if res.authenticated
        localStorage.token = res.token
        authenticated = true

      callback(authenticated) if callback
      @onChange authenticated

  getToken: ->
    localStorage.token

  logout: (callback) ->
    delete localStorage.token
    callback() if callback
    @onChange(false)

  loggedIn: ->
    !!localStorage.token

  onChange: ->

As you can see, it is very simple, we have a Javascript object which exposes some methods and helpers. The main one, login, makes an AJAX request with user credentials to the server endpoint. If credentials are correct, it will store the resulting JWT from the server response and stores it on localStorage. The JWT will then be used to make authenticated requests to the server.

Finally we integrated it inside the main application component:

# app/assets/javascripts/application.coffee

React = require 'react'
Auth = require './lib/auth'
# other requires...

App = React.createClass
  getInitialState: ->
    loggedIn: Auth.loggedIn()

  setStateOnAuth: (loggedIn) ->
    @setState loggedIn: loggedIn

  componentWillMount: ->
    Auth.onChange = @setStateOnAuth

  render: ->
    # React's render ...

And here’s how we use it for the authenticated requests:

# app/assets/javascripts/notifications_list.coffee

React = require 'react'
Auth = require '../lib/auth'
# other requires...

module.exports = React.createClass
  getInitialState: ->
    return {results: []}

  componentDidMount: ->
    $.ajax '/notifications',
      headers:
        'Authorization': "Bearer #{Auth.getToken()}"
      success: (data) =>
        @setState({results: data.notifications})
  render: ->
    # React's render ...

As you can see, we need to set an authorization token header for our requests. The code is simple for didactic purposes, in a real scenario it might be useful to create a custom helper to append the authentication header token in each request by default.

Conclusions

We’ve only scratched the surface, but the intent of this article was to offer a gentle introduction. We’re happy to listen to your feedbacks and questions, if you want some more in-depth article, please let us know :-)