Consider this Rails API controller action that uses token-based authentication. What will be the JSON response if the token is valid?
class Api::V1::ProfilesController < ApplicationController before_action :authenticate_user! def show render json: { email: current_user.email, name: current_user.name } end private def authenticate_user! token = request.headers['Authorization']&.split(' ')&.last user = User.find_by(authentication_token: token) if user @current_user = user else render json: { error: 'Unauthorized' }, status: :unauthorized end end def current_user @current_user end end
Think about what happens when the token matches a user in the database.
If the token matches a user, the authenticate_user! method sets @current_user. Then the show action returns the user's email and name as JSON.
You want to add a method in your Rails User model that generates a unique authentication token. Which code snippet is syntactically correct and secure?
class User < ApplicationRecord before_create :generate_authentication_token private def generate_authentication_token # Which option is correct here? end end
Remember to assign to the attribute with self. inside instance methods.
Inside instance methods, to set an attribute you must use self.attribute = value. SecureRandom.hex(20) generates a secure 40-character hex string. Other options either miss self. or use incorrect methods.
current_user after this request with an invalid token?Given this controller snippet, what will current_user be if the token is invalid?
class Api::V1::SessionsController < ApplicationController before_action :authenticate_user! def index render json: { user: current_user&.email } end private def authenticate_user! token = request.headers['Authorization']&.split(' ')&.last user = User.find_by(authentication_token: token) if user @current_user = user else render json: { error: 'Unauthorized' }, status: :unauthorized end end def current_user @current_user end end
What happens if the token does not match any user?
If the token is invalid, @current_user is never set, so current_user returns nil.
Examine this code snippet. It should authenticate users by token but always returns 'Unauthorized'. What is the bug?
def authenticate_user! token = request.headers['Authorization']&.split(' ')&.last user = User.find_by(authentication_token: token) if user.nil? render json: { error: 'Unauthorized' }, status: :unauthorized else @current_user = user end end
Check how the token string is extracted and used.
If the token string includes extra spaces or newline characters, find_by will not find the user. Stripping whitespace from the token fixes this.
Choose the most accurate explanation of why token-based authentication is preferred for APIs compared to traditional session-based authentication.
Think about how APIs handle user state and scalability.
Token-based authentication stores tokens on the client and sends them with each request, so the server does not need to keep session state. This makes APIs stateless and easier to scale. Other options are incorrect or insecure.