Authenticating your microservices
In Chapter 1, Breaking the Monolith, we introduced a Ruby on Rails code base that powers our fictional image-sharing application, pichat
. The Rails code base authenticates each request by inspecting the Authorization header. If the header is present, the application attempts to decode it using a shared secret read from an environment variable(seethe Secure configuration recipe). If the token provided in the Authorization header is valid, the decoded value contains contextual information about the user, including the user ID. That information is then used to retrieve the user from the database so that the application has context on the user making the request. If the Authorization header is missing or cannot be decoded successfully, the application raises an exception and returns an HTTP 401 to the caller, including an error message. In order to obtain a token to include in the Authorization header, a client application can send a POST
request to the /auth...