
Token-based authentication in Ruby on Rails - Step-by-Step Execution

Concept Flow - Token-based authentication
- User sends login request
- Server verifies credentials
- Generate token
- Send token to user
- User sends requests with token
- Server verifies token (valid? Yes / No)
- Allow access (on Yes)
This flow shows how a user logs in, receives a token, and uses it for future requests, which the server verifies.
Execution Sample (Ruby on Rails)

```ruby
class ApplicationController < ActionController::API
  before_action :authenticate_user!

  private

  # Reads "Authorization: Bearer <token>", looks the user up by that token,
  # and halts the request with 401 when there is no match.
  def authenticate_user!
    token = request.headers['Authorization']&.split(' ')&.last
    # A missing header leaves token nil; reject before querying so the lookup
    # can never match a row whose authentication_token column is NULL.
    return render json: { error: 'Unauthorized' }, status: :unauthorized if token.blank?

    user = User.find_by(authentication_token: token)
    render json: { error: 'Unauthorized' }, status: :unauthorized unless user
  end
end
```

This code checks the Authorization header for a token, finds the user by that token, and rejects unauthorized requests with a 401 response.
Execution Table

| Step | Action | Input | Token Extracted | User Found | Result |
|---|---|---|---|---|---|
| 1 | Receive request | Authorization: Bearer abc123 | abc123 | User with token abc123 | Proceed |
| 2 | Verify token | abc123 | abc123 | User found | Authorized |
| 3 | Receive request | Authorization: Bearer invalid | invalid | No user found | Reject with 401 |
| 4 | Verify token | invalid | invalid | No user | Unauthorized response sent |

💡 Execution stops when the token is invalid or no user is found, returning an unauthorized response.
Variable Tracker

| Variable | Start | After Step 1 | After Step 2 | After Step 3 | After Step 4 |
|---|---|---|---|---|---|
| token | nil | abc123 | abc123 | invalid | invalid |
| user | nil | User object | User object | nil | nil |
| result | nil | Proceed | Authorized | Reject | Unauthorized |
Key Moments - 2 Insights
Why does the server reject the request when the token is missing or invalid?
Because in the execution_table rows 3 and 4, no user is found for the token, so the server returns an unauthorized response to protect resources.
How does the server extract the token from the Authorization header?
The server splits the header string by space and takes the last part as the token, as shown in the 'Token Extracted' column in the execution_table.
Visual Quiz - 3 Questions
Test your understanding

Look at the execution_table: what is the token extracted at Step 1?
A. invalid
B. abc123
C. Bearer
D. nil
💡 Hint: Check the 'Token Extracted' column for Step 1 in the execution_table.

At which step does the server reject the request due to an invalid token?
A. Step 4
B. Step 2
C. Step 3
D. Step 1
💡 Hint: Look at the 'Result' column where the response is 'Unauthorized response sent'.

If the token was missing from the header, how would the 'token' variable change in the variable_tracker?
A. It would be 'Bearer'
B. It would be an empty string
C. It would be nil at all steps
D. It would be 'invalid'
💡 Hint: Refer to how 'token' is extracted from the header in the code and to the variable_tracker start value.
Concept Snapshot
Token-based authentication in Rails:
- User logs in and receives a token.
- Token sent in Authorization header as 'Bearer <token>'.
- Server extracts token, finds user by token.
- If user found, request allowed; else rejected with 401.
- Protects API endpoints without sessions or cookies.
Full Transcript
Token-based authentication in Rails works by the user sending a login request. The server checks the credentials and if valid, generates a token and sends it back. The user includes this token in the Authorization header for future requests. The server extracts the token from the header, looks up the user by this token, and if found, allows access. If the token is missing or invalid, the server rejects the request with an unauthorized error. This method avoids using sessions and cookies, making it suitable for APIs.
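The login and request steps described in this transcript, together with the filter from the Execution Sample, as one added framework-free Ruby model: this is not the page's code and not Rails itself. The in-memory TOKEN_DIGESTS hash and the function names are assumptions standing in for the users table and the ActiveRecord find_by lookup; it also goes slightly beyond the page by storing a digest of the token and requiring the Bearer scheme.

```ruby
require 'securerandom'
require 'digest'

# Constructed in-memory stand-in for the users table, keyed by the SHA-256
# digest of the token: the raw token is never stored server-side, so a leaked
# table does not contain usable credentials.
TOKEN_DIGESTS = {}

# Login step (credentials already verified): mint a random token, store only
# its digest, and hand the raw token back to the client exactly once.
def issue_token(user_id)
  token = SecureRandom.urlsafe_base64(32)
  TOKEN_DIGESTS[Digest::SHA256.hexdigest(token)] = user_id
  token
end

# Header parsing, stricter than a bare split(' ').last: the scheme must be
# "Bearer" (case-insensitive, per RFC 6750) and the token non-blank, so a
# missing or malformed header yields nil instead of a lookup for an empty value.
def extract_token(authorization_header)
  return nil if authorization_header.nil?
  scheme, token = authorization_header.strip.split(/\s+/, 2)
  return nil unless scheme&.casecmp?('Bearer') && token && !token.empty?
  token
end

# Request step: the analogue of find_by(authentication_token: token), done on
# the digest. Returns the user id for a valid token, nil otherwise.
def find_user_by_token(token)
  return nil if token.nil?
  TOKEN_DIGESTS[Digest::SHA256.hexdigest(token)]
end

# The filter's decision as a plain value: what the before_action would render
# for the given Authorization header (200 + user, or 401 Unauthorized).
def authenticate_request(authorization_header)
  user_id = find_user_by_token(extract_token(authorization_header))
  return { status: 401, error: 'Unauthorized' } if user_id.nil?
  { status: 200, user_id: user_id }
end

if __FILE__ == $PROGRAM_NAME
  t = issue_token(42)
  p authenticate_request("Bearer #{t}")    # valid token: status 200, user 42
  p authenticate_request('Bearer invalid') # unknown token: status 401
  p authenticate_request(nil)              # missing header: status 401
end
```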