Merge pull request #14 from tuanle03/clr-10-create-api-session

tuanle03 · web-flow · commit 6351c3b0ab87 · 2023-12-19T00:35:01.000+07:00
[CLR-10] Create Sessions API
diff --git a/Gemfile b/Gemfile
@@ -54,6 +54,8 @@ gem 'grape-swagger'
 
 gem 'grape_logging'
 
+gem 'faker'
+
 # Use Sass to process CSS
 # gem "sassc-rails"
 
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -127,6 +127,8 @@ GEM
     factory_bot_rails (6.4.2)
       factory_bot (~> 6.4)
       railties (>= 5.0.0)
+    faker (3.2.2)
+      i18n (>= 1.8.11, < 2)
     globalid (1.2.1)
       activesupport (>= 6.1)
     grape (2.0.0)
@@ -315,6 +317,7 @@ DEPENDENCIES
   devise
   devise-jwt
   factory_bot_rails
+  faker
   grape
   grape-swagger
   grape_logging
diff --git a/app/api/application_api.rb b/app/api/application_api.rb
@@ -4,21 +4,14 @@
 require 'grape-swagger'
 require 'grape_logging'
 
-# Grape::Validations.register_validator('length', Validators::LengthValidator)
-# Grape::Validations.register_validator('numeric', Validators::NumericValidator)
-# Grape::Validations.register_validator('gte_date', Validators::GteDateValidator)
-
-# All the API module are defined in this file.
 class ApplicationAPI < Grape::API
   format :json
-  # error_formatter :json
-  # formatter :json, JsonFormatter
-  # default_error_formatter :json
 
   helpers ::Helpers::AuthenticationHelper
-
-  before do
-    process_token
+  helpers do
+    def unauthorized_error!
+      error!('Unauthorized', 401)
+    end
   end
 
   rescue_from Grape::Exceptions::ValidationErrors do |e|
diff --git a/app/api/helpers/authentication_helper.rb b/app/api/helpers/authentication_helper.rb
@@ -1,24 +1,18 @@
 module Helpers::AuthenticationHelper
   extend Grape::API::Helpers
 
-  def process_token
-    return unless request.headers['Authorization']
-
-    payload = JWT.decode(request.headers['Authorization'].split(' ')[1], Rails.application.credentials.devise_jwt_secret_key).first
-    @current_user_id = payload['user_id']
-  rescue JWT::ExpiredSignature, JWT::VerificationError, JWT::DecodeError
-    head :unauthorized
-  end
-
-  def authenticate_user!(options = {})
-    head :unauthorized unless signed_in?
+  def authenticate_user!
+    error!('Unauthorized. Invalid or expired token.', 401) unless current_user
   end
 
   def current_user
-    @current_user ||= super || User.find(@current_user_id)
+    @current_user ||=
+      begin
+        token = request.headers['Authorization'].split(' ').last
+        User.find_by(id: JWT.decode(token, Rails.application.credentials.devise_jwt_secret_key)[0]['user_id']) if token
+      rescue JWT::DecodeError
+        nil
+      end
   end
 
-  def signed_in?
-    @current_user_id.present?
-  end
 end
diff --git a/app/api/web/feedbacks_api.rb b/app/api/web/feedbacks_api.rb
@@ -4,12 +4,14 @@ class Web::FeedbacksAPI < Grape::API
       desc 'Create feedback'
       params do
         requires :content, type: String
-        requires :user_id, type: Integer
+        requires :post_id, type: Integer
       end
       post do
+        authenticate_user!
         Feedback.create!({
           content: params[:content],
-          user_id: params[:user_id]
+          user_id: current_user.id,
+          post_id: params[:post_id]
         })
       end
 
diff --git a/app/api/web/sessions_api.rb b/app/api/web/sessions_api.rb
@@ -0,0 +1,39 @@
+module API
+  class Web::SessionsAPI < Grape::API
+    namespace :session do
+      desc 'Sign in and retrieve JWT token'
+      params do
+        requires :email, type: String, desc: 'User email'
+        requires :password, type: String, desc: 'User password'
+      end
+      post 'sign_in' do
+        user = User.find_for_database_authentication(email: params[:email])
+        if user && user.valid_password?(params[:password])
+          token = user.generate_jwt
+          status 200
+          {
+            success: true,
+            token: token,
+          }
+        else
+          status 401
+          {
+            success: false,
+            message: 'Invalid email or password',
+          }
+        end
+      end
+
+      desc 'Sign out and revoke JWT token'
+      delete 'sign_out' do
+        authenticate_user!
+        current_user.revoke_jwt(request.headers['Authorization'])
+        status 200
+        {
+          success: true,
+          message: 'Signed out successfully',
+        }
+      end
+    end
+  end
+end
diff --git a/app/api/web_api.rb b/app/api/web_api.rb
@@ -1,6 +1,11 @@
 class WebAPI < Grape::API
+  format :json
+  prefix 'web'
+
+  helpers ::Helpers::AuthenticationHelper
 
   mount Web::FeedbacksAPI
+  mount Web::SessionsAPI
 
   add_swagger_documentation(
     format: :json,
diff --git a/app/models/allowlisted_jwt.rb b/app/models/allowlisted_jwt.rb
@@ -0,0 +1,2 @@
+class AllowlistedJwt < ApplicationRecord
+end
diff --git a/app/models/user.rb b/app/models/user.rb
@@ -1,12 +1,29 @@
 class User < ApplicationRecord
-  # Include default devise modules. Others available are:
-  # :confirmable, :lockable, :timeoutable, :trackable and :omniauthable
+  include Devise::JWT::RevocationStrategies::Allowlist
+
+  serialize :revoked_tokens, Array
+
   devise :database_authenticatable, :registerable,
     :recoverable, :rememberable, :validatable,
-    :jwt_authenticatable, jwt_revocation_strategy: Devise::JWT::RevocationStrategies::Null
+    :jwt_authenticatable, jwt_revocation_strategy: self
 
   def generate_jwt
     payload = { user_id: id, exp: 1.day.from_now.to_i }
     JWT.encode(payload, Rails.application.credentials.devise_jwt_secret_key)
   end
+
+  def decode_jwt(token)
+    JWT.decode(token, Rails.application.credentials.devise_jwt_secret_key)
+  end
+
+  def revoke_jwt(token)
+    self.revoked_tokens ||= []
+    self.revoked_tokens << token
+    self.revoked_tokens.uniq!
+    save
+  end
+
+  def jwt_revoked?(token)
+    revoked_tokens.include?(token)
+  end
 end
diff --git a/app/services/user_registration_with_email_service.rb b/app/services/user_registration_with_email_service.rb
@@ -0,0 +1,17 @@
+class UserRegistrationWithEmailService
+  attr_reader :email, :token
+
+  def initialize(email)
+    @email = email
+  end
+
+  def register
+    user = User.find_or_initialize_by email: email
+    if user.save
+      @token, payload = Warden::JWTAuth::UserEncoder.new.call(user, :user, nil)
+      user.on_jwt_dispatch(@token, payload)
+    end
+
+    user
+  end
+end
diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
@@ -18,9 +18,7 @@
 
   config.jwt do |jwt|
     jwt.secret = Rails.application.credentials.devise_jwt_secret_key!
-    jwt.dispatch_requests = [
-      ['POST', %r{^/api/login$}] # Thay đổi đường dẫn và phương thức HTTP tương ứng với API của bạn
-    ]
+    # jwt.dispatch_requests = [['POST', %r{^/web/auth/sign_in$}]]
     jwt.expiration_time = 1.day.to_i
   end
 
diff --git a/config/routes.rb b/config/routes.rb
@@ -4,5 +4,5 @@
 
   # Defines the root path route ("/")
   # root "articles#index"
-  mount ApplicationAPI => '/'
+  mount ApplicationAPI => '/api'
 end
diff --git a/db/migrate/20231217024617_create_allowlisted_jwts.rb b/db/migrate/20231217024617_create_allowlisted_jwts.rb
@@ -0,0 +1,14 @@
+class CreateAllowlistedJwts < ActiveRecord::Migration[7.0]
+  def change
+    create_table :allowlisted_jwts do |t|
+      t.string :jti, null: false
+      t.string :aud
+      t.datetime :exp, null: false
+      t.references :user, foreign_key: { on_delete: :cascade }, null: false
+
+      t.timestamps
+    end
+
+    add_index :allowlisted_jwts, :jti, unique: true
+  end
+end
diff --git a/db/schema.rb b/db/schema.rb
@@ -10,7 +10,18 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema[7.0].define(version: 2023_12_16_133434) do
+ActiveRecord::Schema[7.0].define(version: 2023_12_17_024617) do
+  create_table "allowlisted_jwts", force: :cascade do |t|
+    t.string "jti", null: false
+    t.string "aud"
+    t.datetime "exp", null: false
+    t.integer "user_id", null: false
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+    t.index ["jti"], name: "index_allowlisted_jwts_on_jti", unique: true
+    t.index ["user_id"], name: "index_allowlisted_jwts_on_user_id"
+  end
+
   create_table "comments", force: :cascade do |t|
     t.integer "user_id"
     t.integer "linked_object_id"
@@ -79,4 +90,5 @@
     t.datetime "updated_at", null: false
   end
 
+  add_foreign_key "allowlisted_jwts", "users", on_delete: :cascade
 end
diff --git a/spec/api/web/sessions_api_spec.rb b/spec/api/web/sessions_api_spec.rb
@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+require 'rack/test'
+
+describe Web do
+  include Rack::Test::Methods
+
+  def app
+    Web::SessionsAPI
+  end
+
+  describe 'POST api/web/session/sign_in' do
+    let(:user) { create(:user, email: 'test@example.com', password: 'password123') }
+
+    context 'with valid credentials' do
+      it 'returns a JWT token' do
+        post '/web/session/sign_in', { email: user.email, password: 'password123' }
+
+        expect(last_response.status).to eq(200)
+        json = JSON.parse(last_response.body)
+        expect(json['success']).to eq(true)
+        expect(json['token']).to eq(user.generate_jwt)
+      end
+    end
+
+    context 'with invalid credentials' do
+      it 'returns an error message' do
+        post '/web/session/sign_in', { email: user.email, password: 'wrong_password' }
+
+        expect(last_response.status).to eq(401)
+        json = JSON.parse(last_response.body)
+        expect(json['success']).to eq(false)
+        expect(json['message']).to eq('Invalid email or password')
+      end
+    end
+  end
+
+  describe 'DELETE /api/web/session/sign_out' do
+    let(:user) { create(:user) }
+    let(:token) { user.generate_jwt }
+
+    context 'with a valid token' do
+      it 'returns a success response' do
+        delete '/web/session/sign_out', {}, 'HTTP_AUTHORIZATION' => "Bearer #{token}"
+        expect(last_response.status).to eq(200)
+        json = JSON.parse(last_response.body)
+        expect(json['success']).to eq(true)
+      end
+    end
+
+    context 'with an invalid token' do
+      it 'returns an unauthorized response' do
+        delete '/web/session/sign_out', {}, 'HTTP_AUTHORIZATION' => 'Bearer invalid_token'
+        expect(last_response.status).to eq(401)
+      end
+    end
+  end
+end
diff --git a/spec/factories/allowlisted_jwts.rb b/spec/factories/allowlisted_jwts.rb
@@ -0,0 +1,5 @@
+FactoryBot.define do
+  factory :allowlisted_jwt do
+    
+  end
+end
diff --git a/spec/factories/feedbacks.rb b/spec/factories/feedbacks.rb
@@ -0,0 +1,7 @@
+FactoryBot.define do
+  factory :feedback do
+    user_id { 1 }
+    post_id { 1 }
+    content { Faker::Lorem.sentence }
+  end
+end
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
@@ -13,6 +13,9 @@
 # it.
 #
 # See https://rubydoc.info/gems/rspec-core/RSpec/Core/Configuration
+require 'rack/test'
+require 'json'
+
 RSpec.configure do |config|
   # rspec-expectations config goes here. You can use an alternate
   # assertion/expectation library such as wrong or the stdlib/minitest
@@ -28,6 +31,11 @@
     expectations.include_chain_clauses_in_custom_matcher_descriptions = true
   end
 
+  config.include Rack::Test::Methods, type: :api
+  config.before(:each, type: :api) do
+    header 'Content-Type', 'application/json'
+  end
+
   # rspec-mocks config goes here. You can use an alternate test double
   # library (such as bogus or mocha) by changing the `mock_with` option here.
   config.mock_with :rspec do |mocks|

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+class AllowlistedJwt < ApplicationRecord`
	`2`	`+end`