Jets Auth Recommendations / Examples

Evan · February 9, 2020, 8:08pm

Hey, really loving jets so far, but I’m not able to find any strong examples of auth. So far I’ve tried porting devise to Jets without much success and using the built-in Cognito support, but neither has seemed to work.

I noticed that devise is not supported, and that Cognito was community added, so I’m not deeply surprised here, but I’d prefer not to roll my own auth without an example.

A couple of questions:

Where can we find a working example of auth in a jets application?
Is there something glaringly wrong with the below implementation of auth with Cognito?

For Cognito, locally, the jets server seems to ignore my authorizer altogether. Is my

app/authorizers/application_authorizer.rb

class ApplicationAuthorizer < Jets::Authorizer::Base
end

app/authorizers/main_authorizer.rb

class MainAuthorizer < ApplicationAuthorizer
    authorizer(
    name: "MyCognito", # <= name is used as the "function" name
    identity_source: "Authorization", # maps to method.request.header.Authorization
    type: :cognito_user_pools,
    provider_arns: [
      "arn:aws:cognito-idp:us-east-1:753319823037:userpool/us-east-1_VU1wbWqmY",
    ],
  )
end

config/routes.rb

Jets.application.routes.draw do
  resources :posts, authorizer: "main#my_cognito"
  root "jets/public#show", authorizer: "main#my_cognito"
  any "*catchall", to: "jets/public#show"
end

app/controllers/posts_controller.rb

class PostsController < ApplicationController
  authorizer "main#my_cognito"
  before_action :set_post, only: [:show, :edit, :update, :delete]

  # GET /posts
  def index
    pp event
    @posts = Post.all
  end

  # A bunch more scaffolded controller methods....
end

tung · March 11, 2020, 3:00pm

RE: Hey, really loving jets so far

Thanks for the kind words!

RE: but I’m not able to find any strong examples of auth. So far I’ve tried porting devise to Jets without much success and using the built-in Cognito support, but neither has seemed to work.

Don’t have a turnkey auth example yet. Unsure when will get to it, it’s matter of time. Glad that you’ve been looking at porting devise though. Thinking it would be nice if there was turnkey approach for both:

Traditional auth - devise-like or something. This is probably what most are used to.
Cognito auth - The more serverless approach.

For the traditional auth, devise may be a decent place to start for design and overall flow. Thinking it will require a bunch of changes.

For Cognito, others have had some success using Amplify in front: Cognito Support? Though, as you pointed out, the local testing story needs improvement: requestContext & Cognito Authorization

Here’s some history. Added the authorizer concept a while back.

Initial request with a detailed issue report https://github.com/tongueroo/jets/issues/361
Implemented a slightly different syntax in PR: https://github.com/tongueroo/jets/pull/368
Fixes https://github.com/tongueroo/jets/issues/361
More fixes https://github.com/tongueroo/jets/pull/369

Will have figure out a better way to test locally. In addition, will have to figure out a more turnkey quick-and-easy example.

Will consider PRs for this. Of course, no sweat either way