Rails Auth Part 3

Adam Chernitsky
4 min readMar 30, 2020

In my last blog we talked about building a login method and testing it in Postman. In this blog we are going to discuss how to protect your other resources and how to make it so that only a valid logged in user can create things.

To start we are going to create our actual class that this app is supposed to be about, in my case I chose a tiger app. To start out create you model, controller, and migration file. Also we are going to give this class references to users, which means that it belongs to users. Here’s the command:

Once you’ve run this command run your new migration file as well:

Now that we have our new class we can start setting everything up. To start go to your routes.rb file and add the create method and the index method to your tiger route. This will be the final change in this file unless you have other classes you are going to add, once finished it should look like so:

Now you need a create method in your tiger controller, but since the goal is to prevent this method from being used by someone who isn’t a user we have to add authorization to this method:

Now if you’re not logged in and you don’t have a token you will not be able to create a tiger. How ever you will still have the index method so you can view tigers.

To test this all out go to Postman and test you tiger create and index methods out with and without a token like so:

To start out make a post to your localhost:3000/login route to sign in and in turn you should receive a token:

Copy your token, but leave out the quotation marks. Next you’ll go to the auth tab in your postman and select Bearer Token for type. You’ll also copy in your token and hit preview request:

After you hit preview request you can see something new in your Headers tab:

Now you have a new temporary header that holds your token. Now that your logged in try and create something:

Now go to you Auth tab and remove your token and try to create the same tiger again:

Now you have a protected resource, however if you wanted to protect another method it would quickly get tiresome typing all of the auth code for every method that we want to require authorization for, to clean this up and abstract out some code we can move our method into the application folder. Notice how in you tiger controller at the top that it inherits the application controller:

Since this is the case we can refactor our code and put all of the authorization stuff from our create method out. We can then put it in a method in our application controller and call it in our tiger controller as a before action. To do this we need to build a method in our application controller:

Now that we have this method we will call it in our Tiger controller and we will also make some changes to our create method in the tiger controller:

Now that we call our authenticate method as a before action in this file, before any method is called the user will be authenticated first if the method is included in the before action as the create method has been in this case. Next you can go test this in Postman the same way we did it before to make sure everything still works the same, and in doing so you have now officially finished implementing auth into your app.