Tinytokenauth::Rails

This gem wants to help you with user authentication without bloating up beyond what is required. It uses a JWT (JSON Web Token) in a cookie to store session state in the browser.

Since the JWT is signed with a secret, and this signature is verified server-side, the user can't tamper with its contents. Its content is not encrypted, so frontend libraries can use this information if they need to distinguish between 'signed in' vs 'signed out' state.

Install the gem and add to the application's Gemfile by executing:

$ bundle add tinytokenauth-rails

If bundler is not being used to manage dependencies, install the gem by executing:

$ gem install tinytokenauth-rails

Include the module Tinytokenauth::Authorizable wherever you need to sign a user in/out or want to know if a user is signed in or not. One option is to do this in ApplicationController, so the useful methods from this gem are available everywhere

# app/controller/application_controller.rb
class ApplicationController < ActionController::Base
  include Tinytokenauth::Authorizable
  before_action :set_current_user
end

You will then have the user set in the variable @current_user or this will be nil if no user is signed in.

If a signed in user is required for some action, you can use the following pattern, the content of the block after require_current_user is an example and depends on your project

class PostsController < ApplicationController
  before_action ->{ require_current_user do
    # new_session_path is a route you need to setup same for the controller
    redirect_to new_session_path(forward_to: request.path), notice: "Please sign in again"
  end }, only: [:new, :create]
  # ...
end

User authentication need to be managed by yourself, afterwards you can leverage the helper method to sign the user in with the token

Below is an example how you can handle this yourself

class SessionsController < ApplicationController
  
  def new
  end

  def create
    user = User.find_by_email(params[:email]) # This depends on your use case
    if user&.authenticate(params[:password]) # This depends on your use case, this method comes from 'has_secure_password' in the model
      sign_in_with_token user # THIS IS FROM Tinytokenauth
      redirect_to params[:forward_to] || root_path, notice: 'Signed in!'
    else
      flash[:alert] = 'NOT signed in!'
      render 'new', status: :unauthorized
    end
  end

  def destroy
    sign_out_with_token # THIS IS FROM Tinytokenauth
    redirect_to params[:forward_to] || root_path, notice: 'Signed out!'
  end
end

If you want to configure the gem, please create a custom initializer like the one below. The values show below are the defaults

# config/initializers/tinytokenauth.rb
require 'tinytokenauth'

Tinytokenauth.configure do |config|
  config.user_class = 'User' #  what is your modal that needs to be checked for a signed in user?
  config.token_validity_hours = 24 # how long should a token be valid?
  config.token_secret = Rails.application.credentials.secret_key_base # with which secret is the JWT signed?
  config.token_auto_renew_hours = 4 # if the token expires in less than X hours, renew it automatically
  config.cookie_name = 'ttauth' # what should be the name of the cookie that stores the auth information
end

After checking out the repo, run bin/setup to install dependencies. Then, run rake spec to run the tests. You can also run bin/console for an interactive prompt that will allow you to experiment.

To install this gem onto your local machine, run bundle exec rake install. To release a new version, update the version number in version.rb, and then run bundle exec rake release, which will create a git tag for the version, push git commits and the created tag, and push the .gem file to rubygems.org.

Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/tinytokenauth-rails.

The gem is available as open source under the terms of the MIT License.