Merge pull request #6 from andreobrown/add-jwt-token-authentication

Add jwt token authentication

Author: andreobrown

Gemfile

@@ -63,3 +63,5 @@ end
 gem "tzinfo-data", platforms: [:mingw, :mswin, :x64_mingw, :jruby]
 
 gem "devise", "~> 4.7", ">= 4.7.1"
+
+gem "devise-jwt", "~> 0.6.0"

Gemfile.lock

@@ -80,6 +80,19 @@ GEM
       railties (>= 4.1.0)
       responders
       warden (~> 1.2.3)
+    devise-jwt (0.6.0)
+      devise (~> 4.0)
+      warden-jwt_auth (~> 0.4)
+    dry-auto_inject (0.7.0)
+      dry-container (>= 0.3.4)
+    dry-configurable (0.9.0)
+      concurrent-ruby (~> 1.0)
+      dry-core (~> 0.4, >= 0.4.7)
+    dry-container (0.7.2)
+      concurrent-ruby (~> 1.0)
+      dry-configurable (~> 0.1, >= 0.1.3)
+    dry-core (0.4.9)
+      concurrent-ruby (~> 1.0)
     erubi (1.9.0)
     execjs (2.7.0)
     ffi (1.12.2)
@@ -90,6 +103,7 @@ GEM
     io-like (0.3.1)
     jbuilder (2.10.0)
       activesupport (>= 5.0.0)
+    jwt (2.2.1)
     listen (3.1.5)
       rb-fsevent (~> 0.9, >= 0.9.4)
       rb-inotify (~> 0.9, >= 0.9.7)
@@ -188,6 +202,11 @@ GEM
       execjs (>= 0.3.0, < 3)
     warden (1.2.8)
       rack (>= 2.0.6)
+    warden-jwt_auth (0.4.2)
+      dry-auto_inject (~> 0.6)
+      dry-configurable (~> 0.9, < 0.11)
+      jwt (~> 2.1)
+      warden (~> 1.2)
     web-console (3.7.0)
       actionview (>= 5.0)
       activemodel (>= 5.0)
@@ -210,6 +229,7 @@ DEPENDENCIES
   chromedriver-helper
   coffee-rails (~> 4.2)
   devise (~> 4.7, >= 4.7.1)
+  devise-jwt (~> 0.6.0)
   jbuilder (~> 2.5)
   listen (>= 3.0.5, < 3.2)
   pg (>= 0.18, < 2.0)

README.md

@@ -80,4 +80,183 @@ Devise is used for authentication and was setup as follows:
 
    Only return Customer's orders when listing and searching.
    Associate Orders to Customers on creation (using `current_customer`).
-   
+   
+### Add Token Authentication
+
+This section [follows this guide](https://medium.com/@brentkearney/json-web-token-jwt-and-html-logins-with-devise-and-ruby-on-rails-5-9d5e8195193d).
+
+1. Add [`devise-jwt`](https://github.com/waiting-for-dev/devise-jwt) gem
+
+2. Configure Devise and Warden for JWT
+
+    A few things that I don't understand here:
+
+    * What exactly do these changes do and why are they needed?
+
+    * skip_session_storage - what's the purpose of setting this?
+
+    * config.navigational_formats - why does this need to be set? 
+
+3. Configure routes for API login and logout
+
+    Questions:
+
+    * Why is the following code needed inside the api route:
+
+        ```
+        devise_scope :customer do
+            get "login", to: "customers/sessions#new"
+            delete "logout", to: "customers/sessions#destroy"
+        end
+        ```
+
+4. Update the Customer table to add field for jti
+
+   We are using the [JTIMatcher recovation strategy](https://github.com/waiting-for-dev/devise-jwt#revocation-strategies)
+
+   I had to uncomment `class_name: "ApiCustomer",` in `routes.rb` to get this to run, since the model hasn't been setup yet.
+   
+   Update the Customer table using the following migration:
+
+   `rails generate migration AddJTIToCustomers`
+
+   ```
+   #db/migrate/20200517053419_add_jti_to_customers.rb
+   class AddJtiToCustomers < ActiveRecord::Migration[5.2]
+    def change
+        add_column :customers, :jti, :string
+        # populate jti so we can make it not nullable
+        Customer.all.each do |customer|
+        customer.update_column(:jti, SecureRandom.uuid)
+        end
+        change_column_null :customers, :jti, false
+        add_index :customers, :jti, unique: true
+    end
+    end
+    ```
+
+    `rails db:migrate`
+
+5. Update the Customer model to ensure that the jti column is filled out at time of Customer creation
+
+    ```
+    before_create :add_jti
+
+    def add_jti
+        self.jti ||= SecureRandom.uuid
+    end
+    ```
+
+6. Add an ApiCustomer model, as a sub-class of Customer
+
+    ```
+    class ApiCustomer < Customer
+        include Devise::JWT::RevocationStrategies::JTIMatcher
+        devise :jwt_authenticatable, jwt_revocation_strategy: self
+        validates :jti, presence: true
+
+        def generate_jwt
+            JWT.encode({ id: id,
+                        exp: 1.day.from_now.to_i },
+                    Rails.env.devise.jwt.secret_key)
+        end
+    end
+    ```
+
+    Question: why couldn't this have been in the regular Customer model?
+
+7. Configure json requests to use `api_customer` scope for authentication.
+
+    ```
+    # Disable CSRF protection for json calls
+    protect_from_forgery with: :exception, unless: :json_request?
+    protect_from_forgery with: :null_session, if: :json_request?
+    skip_before_action :verify_authenticity_token, if: :json_request?
+    rescue_from ActionController::InvalidAuthenticityToken,
+                with: :invalid_auth_token
+    # Set the current customer so that Devise and other gems that use `current_customer` can work.
+    before_action :set_current_customer, if: :json_request?
+
+    private
+    def json_request?
+        request.format.json?
+    end
+    # Use api_customer Devise scope for JSON access
+    def authenticate_customer!(*args)
+        super and return unless args.blank?
+        json_request? ? authenticate_api_customer! : super
+    end
+
+    def invalid_auth_token
+        respond_to do |format|
+        format.html { redirect_to sign_in_path, 
+                        error: 'Login invalid or expired' }
+        format.json { head 401 }
+        end
+    end
+
+    # So we can use Pundit policies for api_customers
+    def set_current_customer
+        @current_customer ||= warden.authenticate(scope: :api_customer)
+    end
+    ```
+
+    Is this all so that we can have a different set of behaviours for API users (vs. browser users)?
+
+8. Override API SessionsController
+
+    This controller responds with json by default, signs in the user and returns the jwt token. I'm guessing that this sign in process is what allows the token to be used transparently and what allows `current_customer` to be set so other controllers just work?
+
+    ```
+    class Api::SessionsController < Devise::SessionsController
+        # I'm guessing this isn't required since we don't track signed in/signed out status for the API user?
+        skip_before_action :verify_signed_out_user
+        # This sets the default response format to json instead of html
+        respond_to :json
+        # POST /api/login
+        def create
+            unless request.format == :json
+            sign_out # why is this needed?
+            render status: 406,
+                    json: { message: "JSON requests only." } and return
+            end
+            # auth_options should have `scope: :api_customer`
+            resource = warden.authenticate!(auth_options)
+            if resource.blank?
+            render status: 401,
+                    json: { response: "Access denied." } and return
+            end
+            sign_in(resource_name, resource)
+            respond_with resource, location: after_sign_in_path_for(resource) do |format|
+            format.json {
+                render json: { success: true,
+                            jwt: current_token,
+                            response: "Authentication successful" }
+            }
+            end
+        end
+
+        private
+
+        def current_token
+            request.env["warden-jwt_auth.token"]
+        end
+    end
+    ```
+9. Add “new” view in json format
+
+   If this file isn't added, the follow error is generated when attempting to login:
+
+   ```
+   undefined method `api_customers_url' for #<Api::SessionsController:0x00007fb9ded22298> Did you mean? api_customer_session_url
+
+   actionpack (5.2.4.2) lib/action_dispatch/routing/polymorphic_routes.rb:232:in `polymorphic_method'
+   ```
+
+10. Add jwt_key_base to credentials file
+    
+    Generate the key with `rake secret`
+
+    Run `rails credentials:edit`
+
+    Add the generated key as `jwt_key_base`.

app/controllers/api/sessions_controller.rb

@@ -0,0 +1,34 @@
+class Api::SessionsController < Devise::SessionsController
+  # I'm guessing this isn't required since we don't track signed in/signed out status for the API user?
+  skip_before_action :verify_signed_out_user
+  # This sets the default response format to json instead of html
+  respond_to :json
+  # POST /api/login
+  def create
+    unless request.format == :json
+      sign_out # why is this needed?
+      render status: 406,
+             json: { message: "JSON requests only." } and return
+    end
+    # auth_options should have `scope: :api_customer`
+    resource = warden.authenticate!(auth_options)
+    if resource.blank?
+      render status: 401,
+             json: { response: "Access denied." } and return
+    end
+    sign_in(resource_name, resource)
+    respond_with resource, location: after_sign_in_path_for(resource) do |format|
+      format.json {
+        render json: { success: true,
+                       jwt: current_token,
+                       response: "Authentication successful" }
+      }
+    end
+  end
+
+  private
+
+  def current_token
+    request.env["warden-jwt_auth.token"]
+  end
+end

app/controllers/application_controller.rb

@@ -1,5 +1,39 @@
 class ApplicationController < ActionController::Base
+  protect_from_forgery with: :exception, unless: :json_request?
+  protect_from_forgery with: :null_session, if: :json_request?
+  skip_before_action :verify_authenticity_token, if: :json_request?
+  rescue_from ActionController::InvalidAuthenticityToken,
+              with: :invalid_auth_token
+  before_action :set_current_customer, if: :json_request?
+
   def after_sign_in_path_for(resource)
     stored_location_for(resource) || orders_path
   end
+
+  private
+
+  def json_request?
+    request.format.json?
+  end
+
+  # Use api_customer Devise scope for JSON access
+  def authenticate_customer!(*args)
+    super and return unless args.blank?
+    json_request? ? authenticate_api_customer! : super
+  end
+
+  def invalid_auth_token
+    respond_to do |format|
+      format.html {
+        redirect_to sign_in_path,
+          error: "Login invalid or expired"
+      }
+      format.json { head 401 }
+    end
+  end
+
+  # So we can use Pundit policies for api_customers
+  def set_current_customer
+    @current_customer ||= warden.authenticate(scope: :api_customer)
+  end
 end

app/models/api_customer.rb

@@ -0,0 +1,11 @@
+class ApiCustomer < Customer
+  include Devise::JWT::RevocationStrategies::JTIMatcher
+  devise :jwt_authenticatable, jwt_revocation_strategy: self
+  validates :jti, presence: true
+
+  def generate_jwt
+    JWT.encode({ id: id,
+                 exp: 1.day.from_now.to_i },
+               Rails.env.devise.jwt.secret_key)
+  end
+end

app/models/customer.rb

@@ -5,4 +5,9 @@ class Customer < ApplicationRecord
          :recoverable, :rememberable, :validatable
 
   has_many :orders
+  before_create :add_jti
+
+  def add_jti
+    self.jti ||= SecureRandom.uuid
+  end
 end

app/views/devise/sessions/new.json

@@ -1 +1 @@
-q7NI51Rvs8SkUC2eIuGLombFLD/RMeq7fEHLQ6X7oHwRTlCuGrExrnNBaINzcJYXW+SdOgdqBDPrFKuOZGMya3mZW7/k8th2wYmUQgqyDafMN2yGYl1Ss58LxKjwE4Vi5ZfEshUNuTST7F9mgFENBnGBF4Q1dD3nQiMbv+h1x0d64XeHSrIiCCvp8EO94WJrBM4x7Jv6U5mHROLeDWVOOQlb+cV1ykM0NVIBm/VEV/prQ/GKWY/9iDvfPwISS3SKb57STSOQ48hrHsG4gwILh3ALdOTd4IISv0b/FnifHwKQt0EPi4PRXVLXCtMCsxZpxLLNT0ZciiwLmCyvk9j5g2SIwf3irHHz/Ry9rOzedpnTecuFIuuVZ5Qne/FaoNWD/5kcTuqapyDiNpWLDtHtph4fZR79gZR72DW7--Mpmw1UCr7shP2BZc--Vs7kJ8FS34x2HLyWIOZJwQ==
+T/rPArLPifpyj9Jumylrxl8xEXYhL0ag510hH3UDn2DIad+0CI7b8/IIVNhfvrizjwgjGvJpd4O5Oa/NPA4HVx5J0tsl407DT6tR/DU21NwvblHlgg0qtK67pxunpyYN0NTS5upAWa7vEudgljE5uN1a6il0HThyCoFByoE1JEgV8sfgTOydfBntXLRnZIka3nVITwVeM3BPCjcO0qKPnAYg40yJikuImUWJQVcNHcD3KAZVsAE/ozREb3wLhv4ixgz/5Fn0F6oAJjAHut1IZTXXQy35zkBa62rRCZ/cKZWFXooXbP8I4IzQcOvi3ThTylPfiD/DFmI35f0qsLsUI9cM9AyxG4HFfPTB3xg9tAF8KlrX6uNJxpo/IheLD3C3PnE1o84E71ru/y5dtNZ6OcRsyRlPHZMqETqtTy0QoE4dMVkpGnvTQRUbAGVYJJoARXsTBHRgJZtHNpZIhoBViE5DZLVa2wQVLHzw8gMjVgYN2Wb9Qpi275eoDXJ8dgG5i0gujLPr/v0e91LMqjf0lfFey5NrP1JbO1jxljSA714byTkk7KjpVMFWD3+yUOwj9sn50ddx3kO3pbgTIoMz4Vm4NEna--LuHbZh359xnHArEt--MOPUGr81ytYCmtppA8x9gg==

config/credentials.yml.enc

@@ -18,7 +18,7 @@
   # Configure the e-mail address which will be shown in Devise::Mailer,
   # note that it will be overwritten if you use your own mailer class
   # with default "from" parameter.
-  config.mailer_sender = 'please-change-me-at-config-initializers-devise@example.com'
+  config.mailer_sender = "please-change-me-at-config-initializers-devise@example.com"
 
   # Configure the class responsible to send e-mails.
   # config.mailer = 'Devise::Mailer'
@@ -30,7 +30,7 @@
   # Load and configure the ORM. Supports :active_record (default) and
   # :mongoid (bson_ext recommended) by default. Other ORMs may be
   # available as additional gems.
-  require 'devise/orm/active_record'
+  require "devise/orm/active_record"
 
   # ==> Configuration for any authentication mechanism
   # Configure which keys are used when authenticating a user. The default is
@@ -296,4 +296,20 @@
   # When set to false, does not sign a user in automatically after their password is
   # changed. Defaults to true, so a user is signed in automatically after changing a password.
   # config.sign_in_after_change_password = true
+  config.jwt do |jwt|
+    jwt.secret = Rails.application.credentials.jwt_key_base
+    jwt.dispatch_requests = [
+      ["POST", %r{^/api/login$}],
+      ["POST", %r{^/api/login.json$}],
+    ]
+    jwt.revocation_requests = [
+      ["DELETE", %r{^/api/logout$}],
+      ["DELETE", %r{^/api/logout.json$}],
+    ]
+    jwt.expiration_time = 1.day.to_i
+    jwt.request_formats = { api_customer: [:json] }
+  end
+
+  config.skip_session_storage = [:http_auth]
+  config.navigational_formats = ["*/*", :html, :json]
 end