Devise API authentication [closed]
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 5 years ago.
开发者_JAVA技巧 Improve this questionI am working on a rails web application that also provides JSON based API for mobile devices . mobile clients are expected to first obtain a token with (email/pass), then clients will make subsequential API calls with the token.
I am pretty new to Devise, and I am looking for a Devise API look like authenticate(email, pass)
and expect it to return true/false, then based on that I will either create and hand back the token or return a decline message. but seems Devise doesn't provide something like this.
I am aware that Devise 1.3 provides JSON based auth, but that's a bit different from what I need - I need to generate token and handle back to client, then after that auth is done using the token instead.
Can someone please give some pointers?
There is a devise configuration called :token_authenticatable
. So if you add that to the devise method in your "user", then you can authenticate in your API just by calling
"/api/v1/recipes?qs=sweet&auth_token=[@user.auth_token]"
You'll probably want this in your user as well:
before_save :ensure_authentication_token
UPDATE (with API authorization code)
The method you're looking for are:
resource = User.find_for_database_authentication(:login=>params[:user_login][:login])
resource.valid_password?(params[:user_login][:password])
here's my gist with a full scale JSON/API login with devise
I would recommend reading through the Devise Wiki, as Devise natively supports token authentication as one of it's modules. I have not personally worked with token authentication in Devise, but Brandon Martin has an example token authentication example here.
Devise is based on Warden, an authentification middleware for Rack.
If you need to implement your own (alternative) way to authenticate a user, you should have a look at Warden in combination with the strategies that ship with Devise: https://github.com/plataformatec/devise/tree/master/lib/devise/strategies
If token auth just isn't what you want to do, you can also return a cookie and have the client include the cookie in the request header. It works very similar to the web sessions controller.
In an API sessions controller
class Api::V1::SessionsController < Devise::SessionsController
skip_before_action :authenticate_user!
skip_before_action :verify_authenticity_token
def create
warden.authenticate!(:scope => :user)
render :json => current_user
end
end
In Routes
namespace :api, :defaults => { :format => 'json' } do
namespace :v1 do
resource :account, :only => :show
devise_scope :user do
post :sessions, :to => 'sessions#create'
delete :session, :to => 'sessions#destroy'
end
end
end
Then you can do this sort of thing (examples are using HTTPie)
http -f POST localhost:3000/api/v1/sessions user[email]=user@email.com user[password]=passw0rd
The response headers will have a session in the Set-Cookie header. Put the value of this in subsequent requests.
http localhost:3000/api/v1/restricted_things/1 'Cookie:_my_site_session=<sessionstring>; path=/; HttpOnly'
精彩评论