RoR JWT Encryption from Scratch

Enhance your API security by including a custom encryption library

Tj Blogumas
DevOps Dudes


Authentication when the client and the API live on different origins (CORS) always presents an interesting challenge. In a normal (i.e. non-API) Rails app, we "log in" a user by storing their unique user ID in the session (by default a signed, encrypted cookie, or a server-side store such as the database or cache). This means that authentication state is kept in the session hash: the server is stateful, keeping track of whether or not a user is logged in, and who that user is.

What happens in a Rails API, then, when the client is divorced from the server? We need to tell the client, i.e. our Ember app, to store some kind of unique identifier, or token, and send it to the Rails API with every request, typically in the Authorization header. Rails can then use that token to identify the user making the request. For this to be safe the token must be unguessable and verifiable by the server, and it must only travel over HTTPS.

This is the basic model of Ember Simple Auth. With the Ember Simple Auth add-on, we can authenticate our user like this:

  • User "logs in" via the browser, and Ember grabs the user's email and password and sends them to Rails, requesting authentication.
  • Rails looks up the user. If the user can be authenticated, Rails sends that user's unique token back to Ember.
  • Ember stores that token in the session store, and sends it back to…
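The Rails side of that exchange, written out as an added example rather than code from the article or from Ember Simple Auth: a hand-rolled HS256 JWT (matching the "from scratch" in the title), a login that returns the token, and a request helper that turns a Bearer header back into a user ID. The user record, secret, salt and password are constructed sample data, and PBKDF2 stands in for the bcrypt-backed `has_secure_password` a real Rails app would use. The verifier rejects tokens whose header names any algorithm other than HS256 (so `alg: none` is refused), compares signatures in constant time, and honours `exp`.

```ruby
require 'openssl'
require 'json'

# Minimal HS256 JSON Web Token implementation (added example, not the
# article's own library). Tokens are header.payload.signature, each part
# base64url-encoded without padding.
module MiniJWT
  ALG = 'HS256'

  def self.b64url_encode(bytes)
    [bytes].pack('m0').tr('+/', '-_').delete('=')
  end

  # Restores padding, then strict-decodes; raises ArgumentError on garbage.
  def self.b64url_decode(str)
    padded = str.tr('-_', '+/')
    padded += '=' * ((4 - padded.length % 4) % 4)
    padded.unpack1('m0')
  end

  def self.sign(payload, secret)
    header = { alg: ALG, typ: 'JWT' }
    signing_input = "#{b64url_encode(JSON.generate(header))}." \
                    "#{b64url_encode(JSON.generate(payload))}"
    sig = OpenSSL::HMAC.digest('SHA256', secret, signing_input)
    "#{signing_input}.#{b64url_encode(sig)}"
  end

  # Constant-time byte comparison so signature checks do not leak timing.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  # Returns the payload Hash on success, nil on any failure. `now` is
  # injectable so expiry can be tested deterministically.
  def self.verify(token, secret, now: Time.now.to_i)
    parts = token.to_s.split('.')
    return nil unless parts.length == 3
    header = JSON.parse(b64url_decode(parts[0]))
    # Pin the algorithm: never let the token choose how it is verified.
    return nil unless header.is_a?(Hash) && header['alg'] == ALG
    expected = OpenSSL::HMAC.digest('SHA256', secret, "#{parts[0]}.#{parts[1]}")
    return nil unless secure_compare(expected, b64url_decode(parts[2]))
    payload = JSON.parse(b64url_decode(parts[1]))
    return nil unless payload.is_a?(Hash)
    return nil if payload['exp'] && now >= payload['exp']
    payload
  rescue JSON::ParserError, ArgumentError
    nil
  end
end

# Constructed sample secret and salt; in Rails these come from credentials.
SECRET = 'constructed-sample-secret-change-me'
SALT = 'constructed-sample-salt'

# PBKDF2 stands in for bcrypt / has_secure_password here.
def hash_password(password)
  OpenSSL::KDF.pbkdf2_hmac(password, salt: SALT, iterations: 50_000,
                           length: 32, hash: 'sha256')
end

# Constructed sample user table (would be the users table in Rails).
USERS = {
  'dev@example.com' => { id: 42, password_hash: hash_password('correct horse') }
}.freeze

# Step 2 of the flow: look the user up, check the password, hand back a
# short-lived token whose subject is the user ID.
def login(email, password)
  user = USERS[email]
  return nil unless user &&
                    MiniJWT.secure_compare(user[:password_hash], hash_password(password))
  MiniJWT.sign({ sub: user[:id], exp: Time.now.to_i + 3600 }, SECRET)
end

# On every later request: pull the Bearer token from the headers and map it
# back to a user ID, or nil when the request is unauthenticated.
def current_user_id(headers)
  auth = headers['Authorization'].to_s
  return nil unless auth.start_with?('Bearer ')
  payload = MiniJWT.verify(auth.delete_prefix('Bearer '), SECRET)
  payload && payload['sub']
end
```

In a real Rails API `current_user_id` would sit in a `before_action` reading `request.headers['Authorization']`, and the token should be kept short-lived, since a leaked bearer token is as good as the password until it expires.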


DevOps Architect @ a large financial institution. DevOps practitioner for over a decade. Technology and Automation enthusiast.