Tinytokenauth::Rails
This gem wants to help you with user authentication without bloating up beyond what is required. It uses a JWT (JSON Web Token) in a cookie to store session state in the browser.
Since the JWT is signed with a secret, and this signature is verified server-side, the user can't tamper with its contents. Its content is not encrypted, so frontend libraries can use this information if they need to distinguish between 'signed in' vs 'signed out' state.
Installation
Install the gem and add to the application's Gemfile by executing:
$ bundle add tinytokenauth-rails
If bundler is not being used to manage dependencies, install the gem by executing:
$ gem install tinytokenauth-rails
Usage
Include the module Tinytokenauth::Authorizable wherever you need to sign a user in/out or want to know if a user is signed in or not.
One option is to do this in ApplicationController, so the useful methods from this gem are available everywhere
# app/controller/application_controller.rb
class ApplicationController < ActionController::Base
include Tinytokenauth::Authorizable
before_action :set_current_user
end
You will then have the user set in the variable @current_user or this will be nil if no user is signed in.
If a signed in user is required for some action, you can use the following pattern, the content of the block after
require_current_user is an example and depends on your project
class PostsController < ApplicationController
before_action ->{ require_current_user do
# new_session_path is a route you need to setup same for the controller
redirect_to new_session_path(forward_to: request.path), notice: "Please sign in again"
end }, only: [:new, :create]
# ...
end
User authentication need to be managed by yourself, afterwards you can leverage the helper method to sign the user in with the token
Below is an example how you can handle this yourself
class SessionsController < ApplicationController
def new
end
def create
user = User.find_by_email(params[:email]) # This depends on your use case
if user&.authenticate(params[:password]) # This depends on your use case, this method comes from 'has_secure_password' in the model
sign_in_with_token user # THIS IS FROM Tinytokenauth
redirect_to params[:forward_to] || root_path, notice: 'Signed in!'
else
flash[:alert] = 'NOT signed in!'
render 'new', status: :unauthorized
end
end
def destroy
sign_out_with_token # THIS IS FROM Tinytokenauth
redirect_to params[:forward_to] || root_path, notice: 'Signed out!'
end
end
If you want to configure the gem, please create a custom initializer like the one below. The values show below are the defaults
# config/initializers/tinytokenauth.rb
require 'tinytokenauth'
Tinytokenauth.configure do |config|
config.user_class = 'User' # what is your modal that needs to be checked for a signed in user?
config.token_validity_hours = 24 # how long should a token be valid?
config.token_secret = Rails.application.credentials.secret_key_base # with which secret is the JWT signed?
config.token_auto_renew_hours = 4 # if the token expires in less than X hours, renew it automatically
config. = 'ttauth' # what should be the name of the cookie that stores the auth information
end
Development
After checking out the repo, run bin/setup to install dependencies. Then, run rake spec to run the tests. You can also run bin/console for an interactive prompt that will allow you to experiment.
To install this gem onto your local machine, run bundle exec rake install. To release a new version, update the version number in version.rb, and then run bundle exec rake release, which will create a git tag for the version, push git commits and the created tag, and push the .gem file to rubygems.org.
Contributing
Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/tinytokenauth-rails.
License
The gem is available as open source under the terms of the MIT License.