Logo

dev-resources.site

for different kinds of informations.

Generate magic tokens in Rails with generates_token_for

Published at
4/28/2024
Categories
rails
auth
ruby
webdev
Author
intrepidd
Categories
4 categories in total
rails
open
auth
open
ruby
open
webdev
open
Author
9 person written this
intrepidd
open
Generate magic tokens in Rails with generates_token_for

For a long time, and probably still today, the reference for authentication in Rails is using a gem like Devise.

Thing is, you'll probably end up customizing it a lot: views, emails, onboarding flow, etc.
Since Rails 7.1, we have access to several new features that make it easier to implement authentication with minimal extra code, making it a viable option for many projects.

One of these features is generates_token_for, which allows you to generate non-persisted tokens for your models, allowing you to implement features such as passwordless auth, password reset, email confirmation, and more.

When I stumbled upon this feature, my first thought was: That's magic.

In this post, We'll see how to use generates_token_for to generate magic tokens in Rails, then we'll dive into the code to understand how it works.

How to use generates_token_for

Here's a basic example of how to use generates_token_for in your Rails models:

class User < ApplicationRecord
  generates_token_for :account_activation
end

user = User.find(42)
token = user.generate_token_for(:account_activation) # => "sometoken===--somesignature"

User.find_by_token_for(:account_activation, token) # => #<User id: 42, ...>
Enter fullscreen mode Exit fullscreen mode

Once we declare that we want to generate a token for :account_activation, we can call generate_token_for to generate a token and find_by_token_for to find a user from a given token.

This token is not persisted anywhere, it just contains the user id and a signature to verify its authenticity, making it a very convenient way to implement features that require a token.

Expiration

Token expiration is also supported, you can pass a expires_in option to generates_token_for to set the expiration time :

class User < ApplicationRecord
  generates_token_for :account_activation, expires_in: 1.day
end
Enter fullscreen mode Exit fullscreen mode

If you try to find a user by an expired token, it will return nil.

Invalidating the token when something changes

generates_token_for supports making the token dependant on an arbitrary block of code, allowing to implement features like password reset tokens that are invalidated when the password changes:

class User < ApplicationRecord
  generates_token_for :password_reset, expires_in: 1.day do
    password_salt&.last(10)
  end
end
Enter fullscreen mode Exit fullscreen mode

In this example, the token is dependent on the last 10 characters of the password salt.
The generated token will contain the content of the block, this is why it should be deterministic and not contain any sensitive information, and why we use the last 10 characters of the password salt in this example instead of the password hash directly.

When trying to find a user by a token, the block will be called again and compared to the value in the token, if they don't match, the token is considered invalid.

This is very powerful and allows to implement complex token invalidation logic with minimal code, you can make tokens dependent on values, state, timestamps, etc.

How it works

Let's have a look at the code to understand how generates_token_for works. Here's a portion of the ActiveRecord::TokenFor module that is included in our active record classes :

# activerecord/lib/active_record/token_for.rb

included do
  class_attribute :token_definitions, instance_accessor: false, instance_predicate: false, default: {}
end

# ...

def generates_token_for(purpose, expires_in: nil, &block)
  self.token_definitions = token_definitions.merge(purpose => TokenDefinition.new(self, purpose, expires_in, block))
end
Enter fullscreen mode Exit fullscreen mode

We see that a token_definitions hash is defined, and that generates_token_for is just a method that adds a TokenDefinition to it.

The TokenDefinition is a class defined in the same file, through a Struct :

# activerecord/lib/active_record/token_for.rb

TokenDefinition = Struct.new(:defining_class, :purpose, :expires_in, :block) do # :nodoc:
  # Some methods we'll see right after
end
Enter fullscreen mode Exit fullscreen mode

It's basically a class that accepts params such as defining_class purpose, expires_in and block, with some methods used to do the token generation and verification.

Before diving in, let's have a quick look at the generate_token_for method used on an instance of a model :

# activerecord/lib/active_record/token_for.rb

def generate_token_for(purpose)
  self.class.token_definitions.fetch(purpose).generate_token(self)
end
Enter fullscreen mode Exit fullscreen mode

Pretty straight forward, we're looking for the token definition for the good purpose, and calling generate_token on it.

# activerecord/lib/active_record/token_for.rb

def full_purpose
  @full_purpose ||= [defining_class.name, purpose, expires_in].join("\n")
end

def payload_for(model)
  block ? [model.id, model.instance_eval(&block).as_json] : [model.id]
end

def generate_token(model)
  message_verifier.generate(payload_for(model), expires_in: expires_in, purpose: full_purpose)
end
Enter fullscreen mode Exit fullscreen mode

We use the rails MessageVerifier, that can generate and verify signed messages, based on a secret key. It's also used in other features such as CSRF token validation.

We'll use it to generate our token, based on a payload consisting either only of the model id if no block was passed, or the id along the content of the block if one was passed.

The generated string will look like this :

eyJfcmFpbHMiOnsiZGF0YSI6WzQyXSwicHVyIjoiVXNlclxuc2Vzc2lvblxuIn19--7db5fb8690104cec00ec6443353c2362760e7078

The first part is the actual data, in Base64, and the second is the signature.

If we decode the first part, we obtain this :

{"_rails":{"data":[42],"pur":"User\nsession\n"}}
Enter fullscreen mode Exit fullscreen mode

And here is another example for a token using expiration and a block :

{"_rails":{"data":[42,"93LHs7.oVu"],"exp":"2024-04-28T16:44:03.463Z","pur":"User\npassword_reset\n3600"}}
Enter fullscreen mode Exit fullscreen mode

Basically, a token is just a big JSON object containing our purpose, our model id, and optionally the expiration time and arbitrary block value.

Now, the last part to inspect is the find_by_token_for method used on a model class to retrieve a record from a token :

def find_by_token_for(purpose, token)
  raise UnknownPrimaryKey.new(self) unless primary_key
  token_definitions.fetch(purpose).resolve_token(token) { |id| find_by(primary_key => id) }
end
Enter fullscreen mode Exit fullscreen mode

and the resolve_token method on the TokenDefinition:

 def resolve_token(token)
  payload = message_verifier.verified(token, purpose: full_purpose)
  model = yield(payload[0]) if payload
  model if model && payload_for(model) == payload
end
Enter fullscreen mode Exit fullscreen mode

We use the message verifier to decode the token and ensure it was generated by our rails app, this is all done inside the MessageVerifier, this will return nil if the data is invalid, not verified, or expired.

We find the model by its primary key (through yielding its id to the calling method)

Then, we recompute the payload, and compare it with the one we got from the token, if it matches, the model is returned, otherwise nil. Not so magic after all.

Conclusion

As always, reading through the code can help us broader our understanding of a feature, and understand any possible gotchas.

Features such as generates_token_for are great tools to implement strong authentication features in a Rails app, making it possible to drop big dependencies and stay pretty vanilla, with minimal extra code.

auth Article's
30 articles in total
Favicon
Wait, are we just handing over system access to the AI agents?
Favicon
Implementing Auth in .NET WebApi & SPAs: Why is it still so painful?
Favicon
Secure Your Nuxt 3 App
Favicon
Managing Auth State in react using useContext API
Favicon
How to Authenticate Users Codeigniter Shield
Favicon
How to decode a JWT
Favicon
Laravel 11 API Rest Auth with jwt-auth
Favicon
Announcement - Keycloak.AuthServices v2.0.0 is out 🎉!
Favicon
Generate magic tokens in Rails with generates_token_for
Favicon
Your organization has enabled or enforced SAML SSO ... you must re-authorize the OAuth Application `GitHub for VS Code`
Favicon
JWT Revokation
Favicon
Recent Security Vulnerability Detected in Clerk - Should You Roll Your Own Auth?
Favicon
User Management Unveiled: An Architectural Overview
Favicon
Compressing and Decompressing User Permissions with JavaScript
Favicon
Clerk Webhooks: Data Sync with Convex
Favicon
Simplifying Client-Side Authentication with Firebase and SvelteKit
Favicon
I Just Want Authentication To Work
Favicon
Setup User Auth for your Reflex app using local_auth
Favicon
How to Implement Passkey Authentication and Fine-Grained Authorization in JavaScript
Favicon
Authentication Workflows Overview
Favicon
Securing MQTT: A Guide to Basic Authentication
Favicon
Shopify Passkey Implementation Analyzed
Favicon
Apa itu Autentikasi: Definisi dan Jenis-jenis Autentikasi
Favicon
Best Practices for Authorization in Microservices
Favicon
Granular Permission Management with CASL Library
Favicon
Multi Auth System in Laravel Breeze #1
Favicon
Simplifying Authentication Integration For Developers With Authgear SDKs
Favicon
API Authentication Methods - Pros and Cons
Favicon
Authentication vs. Authorization
Favicon
Twitter API suspended? Here's how to fix it

Featured ones: