Hey folks 👋
Welcome back. In Part 2 we laid the foundation: a Rails 8 API with a User model, password hashing through Devise, OAuth2 password grant via Doorkeeper, JWT access tokens, refresh tokens, and HttpOnly cookie storage. Solid base, but no actual endpoints yet.
Today we fix that. We are going to write the auth controllers (register, login, logout, refresh, and me), and while we do it we'll knock out four more vectors from the tracker: CSRF, User Enumeration, Mass Assignment, and Excessive Data Exposure. We'll also add rate limiting, encrypted DB fields, secure HTTP headers, and structured logging.
Heads up before we start: this part is longer than Part 2. I thought about splitting it again, but everything here belongs together. Controllers without rate limiting are half-protected, and rate limiting without controllers to protect is pointless. So grab a coffee and let's go.
What we are building in Part 3
