Christopher Thornton cthornton
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Creates an interface to safely expose internal methods and variables to be used by some sort of templating system. | |
| # | |
| # Say for example, we want to send users an email when they register, and we want companies to be able to modify how | |
| # the messages appear to their end users. One solution is to allow evaling in the email templates: | |
| # | |
| # ``` | |
| # Hello #{@user.fullname}! Welcome to the application! ... | |
| # ``` | |
| # | |
| # This is clearly a security risk as it allows users to enter malicious code. Another solution can be to just gsub |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Make new user on a new system | |
| useradd --create-home --shell /bin/bash \ | |
| --groups sudo \ | |
| christopher |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| auth_header = JWT.encode({ | |
| user_id: 123, | |
| iat: Time.now.to_i, # Specify the time the token was issued | |
| exp: Time.now.to_i + 2 # Expire the token in 2 seconds | |
| }, "<my shared secret>") | |
| RestClient.get("http://api.example.com/", authorization: auth_header) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| class ApiController < ActionController::Base | |
| attr_reader :current_user | |
| before_action :set_current_user_from_jwt_token | |
| def set_current_user_from_jwt_token | |
| # Step 1: decode the JWT and get the user ID without checking | |
| # the signature. Note JWT tokens are *not* encrypted, but signed. | |
| payload = JWT.decode(request.authorization, nil, false) | |
| # Step 2: See if the user exists in the database |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| auth_header = JWT.encode({ | |
| user_id: 123, | |
| jti: rand(2 << 64).to_s, # One-time use token | |
| iat: Time.now.to_i, # Specify the time the token was issued. | |
| exp: Time.now.to_i + 2 # Expire the token in 2 seconds | |
| }, "<my shared secret>") | |
| RestClient.get("http://api.example.com/", authorization: auth_header) |
cthornton
/ jwt_authentication_2.rb
Created
July 3, 2014 03:38
Authentication with JWT and Redis (More Secure)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| def set_current_user_from_jwt_token | |
| # Verification steps from the previous example | |
| payload = JWT.decode(request.authorization, nil, false) | |
| @current_user = User.find(payload['user_id']) | |
| JWT.decode(request.authorization, current_user.api_secret) | |
| now = Time.now.to_i | |
| if payload['iat'] > now || payload['exp'] < now | |
| # Render a 401 and do not continue | |
| end | |
cthornton
/ sample_posts_controller_1.rb
Created
July 3, 2014 03:49
Dry your JSON API - What it probably looks like
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| class PostsController < ActionController::Base | |
| def index | |
| @user = User.find_by(api_key: request.authorization) | |
| if !@user | |
| return render json: {error: 'invalid api key'}, status: :unauthorized | |
| end | |
| @posts = @user.posts | |
| # ... render JSON | |
| end | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| class ApiController < ActionController::Base | |
| attr_reader :current_user | |
| before_action :find_current_user | |
| protected | |
| def find_current_user | |
| @current_user = User.find_by(api_key: request.authorization) | |
| unless @current_user | |
| render json: { error: 'Cannot find user by API key' }, status: :unauthorized |
cthornton
/ sample_posts_controller_2.rb
Last active
August 29, 2015 14:03
Blog: Inheriting From Posts Controller
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| class PostsController < ApiController | |
| def index | |
| @posts = current_user.posts | |
| render json: @posts.to_json | |
| end | |
| end |
cthornton
/ sample_posts_controller_3.rb
Created
July 3, 2014 03:52
Blog: sample posts controller with to_json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| class PostsController < ApiController | |
| def index | |
| @posts = current_user.posts | |
| render json: @posts.to_json(only: [:id, :title, :description]}) | |
| end | |
| end |
OlderNewer