Secure your API Keys with JWT

A static, never-changing API key poses a security risk: it is essentially an obfuscated primary key, say for some sort of User. If this API key is ever leaked, for example in a log file or because you accidentally used plain HTTP, then anyone can act on your behalf indefinitely until the API key is changed.

JSON Web Tokens to the Rescue

We can use the JSON Web Token standard (make sure to read that link before you continue!) to create limited-use API authorization tokens that last for a short period of time (for example, 2 seconds). This gives us plenty of time to make a complete HTTP request, yet renders any previously issued token useless.

Implementation

Say we have some sort of blog API service where a user can make blog posts using an API. With a traditional API key, you might have a User model with an api_key field.

Using JWT, you would have an api_secret field. Unlike the API key method, this secret is never sent between the client and the API.

To make this transaction successful, both the client and the API server need to know the following:

  • The User ID
  • Some shared secret

Client-Side

The client-side implementation might look something like this:

API Server

The API server might have an implementation that looks similar to this. Note that some checks (such as checking for the presence of an Authorization header) are omitted.

An Even More Secure Implementation

You can assign a unique, one-time-use jti field to your JWT payload. Using some redis magic, you can completely remove the possibility of a replay attack, meaning that even if your JWT is compromised, it can never be used a second time.

Client-Side

This takes some inspiration from the Zendesk JWT implementation.

Server-Side

We can modify the set_current_user_from_jwt_token method from earlier:
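As an added example (not the post's own code, which is not reproduced above), here is a plain-Ruby version of both sides using only the standard library: the client mints an HS256 token carrying the user id, a 2-second exp and a one-time jti, and the server method looks up the user's api_secret, verifies the signature in constant time, rejects expired tokens and refuses any jti it has already accepted. API_SECRET, TOKEN_TTL, the secret_for lookup lambda and the SEEN_JTIS Hash (standing in for the redis set) are assumptions for the example.

```ruby
require 'openssl'
require 'base64'
require 'json'
require 'securerandom'

# Constructed values: in the post the secret lives in the User's api_secret column.
API_SECRET = 'example-api-secret-not-for-production'
TOKEN_TTL  = 2 # seconds, the lifetime the post suggests

def b64url(bytes)
  Base64.urlsafe_encode64(bytes).delete('=')
end
def b64url_decode(str)
  Base64.urlsafe_decode64(str + '=' * ((4 - str.length % 4) % 4))
end
# Constant-time comparison so a forged signature cannot be guessed byte by byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Client side: sign a short-lived token carrying the user id and a one-time jti.
def mint_token(user_id, secret, now: Time.now.to_i)
  header  = b64url(JSON.generate(typ: 'JWT', alg: 'HS256'))
  claims  = { user_id: user_id, iat: now, exp: now + TOKEN_TTL, jti: SecureRandom.uuid }
  payload = b64url(JSON.generate(claims))
  sig = OpenSSL::HMAC.digest('SHA256', secret, "#{header}.#{payload}")
  "#{header}.#{payload}.#{b64url(sig)}"
end

# Assumed stand-in for the post's redis set: jti => exp, purged of expired entries on each call.
SEEN_JTIS = {}
# Server side: returns [user_id, :ok] or [nil, reason]. The header's alg is deliberately
# ignored; the server always verifies HS256 with the stored api_secret of the claimed user.
def set_current_user_from_jwt_token(token, secret_for:, now: Time.now.to_i)
  header, payload, sig = token.to_s.split('.')
  return [nil, :malformed] unless header && payload && sig
  claims = JSON.parse(b64url_decode(payload))
  secret = secret_for.call(claims['user_id'])
  return [nil, :unknown_user] unless secret
  expected = OpenSSL::HMAC.digest('SHA256', secret, "#{header}.#{payload}")
  return [nil, :bad_signature] unless secure_compare(expected, b64url_decode(sig))
  return [nil, :expired] if claims['exp'].to_i <= now
  SEEN_JTIS.delete_if { |_, exp| exp <= now }                # redis would expire these keys itself
  return [nil, :replayed] if SEEN_JTIS.key?(claims['jti'])   # jti recorded only after a valid signature
  SEEN_JTIS[claims['jti']] = claims['exp'].to_i
  [claims['user_id'], :ok]
rescue ArgumentError, JSON::ParserError, TypeError
  [nil, :malformed]
end
```

The 2-second window assumes the client's and server's clocks agree; the exp check above uses the server's clock, so in practice allow a little leeway for skew.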

DRY up your JSON APIs with Rails

Making an API in Rails can become very ugly if not done correctly. Odds are, your API requirements include something like the following:

  • Authentication
  • CRUD operations
  • Useful error messages

Authorization

Let's start with the easiest part: authorization.

We clearly see that @user = User.find_by(api_key: request.authorization) is repeated. Let's move that into a before_action.

To follow best practices, we will make the following changes:

  1. Make an ApiController for other API controllers to inherit
  2. Set the @user object as current_user.

The ApiController will be the base for our future API controllers.

Finally, we can inherit from the ApiController and all of our actions will be protected:

Re-Usable Views

An easy way to render your models is to use the to_json method. However, it can prove to be painful if you wish to use only specific fields, especially if they're nested. For example:

The solution is to bring the V back into MVC for your APIs using a tool like jbuilder. Your controller method will look very light and simple:

And your view will look like this:

DRY up your CRUD with rescue_from

It may be tempting to follow the traditional flow of Rails model saving:

By using the rescue_from method, you can significantly DRY up your code. Let's add to our ApiController:

Now the rest of your controllers can become incredibly DRY:

Better Error Messages with StrongParameters

For DRY and useful API error messages, you can also use StrongParameters to your advantage:

And now in your other controllers:

Now your end user will automatically be given a descriptive error message if they forget a parameter!

HTTPFiesta

Ever find it ugly to validate httparty responses? Now there's a super simple way to validate your HTTP responses using the httpfiesta gem.

The gem allows you to validate any response using a single line of code in a very DRY manner:

response = HTTParty.get 'http://example.com'  
response.assert.status(200).content_type(:json)

Check out the GitHub repository for more information!

It Begins Before you Graduate - Finding your Dream Tech Job

Finding your dream tech job isn’t determined solely by how well you did in college. Nor does having a high GPA guarantee that you will get the job of your dreams.

Here’s something they don’t tell you in school - finding your dream job begins before you graduate.

A quote I remember hearing my freshman year:

A Computer Science degree is one of the last things an employer will be looking for on your resume.

How not to Get your Dream Job

Just go through your Computer Science (or related major) courses and do the bare minimum. Never do anything outside of classes. Don’t find an internship.

Ending up in a mediocre job is the likely option if you are majoring in Computer Science (or a related major) without achieving outside of the classroom. Academia is very different from the tech industry; though what you will learn from a CS degree is still valuable, it will only help you so much in finding a job.

Start Learning Real-World Skills Now

A CS degree focuses on math, basic programming and theoretical Computer Science. While all of these are helpful, it’s not enough to find your dream job. Academic skills alone will start you at the bottom of the barrel when finding your first job out of college.

Read Tech Books

Find a beginner tech book that interests you and read it. You would be surprised how well written these books can be. In school, you’re required to buy a $100+ textbook that you probably will never read again. On the contrary, books you purchase at a bookstore (or Amazon) make money by people who actually want to read them and usually cost no more than $40. Read some reviews and find the best one for you!

A good book can increase your skill level from beginner to intermediate, or from intermediate to advanced.

The For Dummies series is a good beginner book. O’Reilly Media books are also an excellent choice.

Do Projects in your Spare Time

You are competing against all of your classmates for jobs when you graduate and you want to stand out amongst your peers. Doing projects outside of the classroom during your spare time is one of the easiest ways to do this. Even better, find a group of people to do a project with. This is even an excellent opportunity to learn how to use version control, such as git. For bonus points, put the project on GitHub for future employers to see!

Doing side projects alone isn’t really enough, but it will help you with the most important part of finding your dream job.

Find an Internship

This is the most important step to land an awesome job after college. An internship is an amazing way to learn real-world skills that employers love. As a bonus, people with years of professional experience will often mentor you during your time at an internship.

An internship is one of the best deals you could possibly find while in college. In school, you pay a lot of money to be in a large classroom while a professor lectures you on stuff, 80% of which might not be applicable to your next job. In an internship, 80%+ of the things you learn will be applicable to your next job and you might even get mentoring from a professional in the field.

An internship does not have to be a large company, such as Google, Amazon or Microsoft. In fact, working with a smaller, local company can be just as good, or even better! What’s important is that you have real world experience, which is what will make landing your first job so much easier.

Stick with an internship throughout your college career and you can graduate with 2+ years' experience on your resume!
