旧行李 2014-12-17 02:38 采纳率: 25%
浏览 30

Devise Json身份验证

I am writing backend of an app in Rails. As I work on the backend, I need to give the frontend developer a REST API to start building the frontend. Eventually, the frontend and backend will reside together in a single app, but for now they are separate.

For time being I have enabled Cross-origin resource sharing in my app, by adding following to ApplicationController:

config.action_dispatch.default_headers.merge!({
                                                  'Access-Control-Allow-Origin' => '*',
                                                  'Access-Control-Request-Method' => '*'
                                              });

For now, I have also turned off CSRF tokens by adding following to application.rb:

skip_before_filter :verify_authenticity_token

I am using Devise for authenticating users. To make Devise work with JSON requests, I have done following:

In devise.rb

config.navigational_formats = ['*/*', :html, :json]

In routes.rb

devise_for :users, :controllers => {:omniauth_callbacks => "omniauth_callbacks", :sessions => 'sessions', :registrations => 'registrations' }

My SessionsController

class SessionsController < Devise::SessionsController
  #todo had to do following to support logging in through ajax. need to add logic to send back error response when login fails.
  #todo see  http://stackoverflow.com/questions/5973327/using-devise-1-3-to-authenticate-json-login-requests/8402035#8402035 and
  #todo https://web.archive.org/web/20130928040249/http://jessehowarth.com/devise
  #todo see http://stackoverflow.com/questions/11277300/devise-failure-authentication-via-json-sends-back-html-instead-of-json
  def create
    respond_to do |format|
      format.html { super }
      format.json {
        resource = warden.authenticate!(:scope => resource_name, :recall => "#{controller_path}#failure")
        sign_in(resource_name, resource)
        return render :json => {:success => true, :user => resource}
      }
    end
  end

  def destroy
    respond_to do |format|
      format.html { super }
      format.json {
        Devise.sign_out_all_scopes ? sign_out : sign_out(resource_name)
        render :json => {}
      }
    end
  end

  def failure
    render :json => {:success => false, :errors => ["Login Failed"]}, :status => 422
  end
end

I have a extended Devise's RegistrationsController as well as indicated in routes.rb, but am not posting its content here, as I don't think it is relevant to this question.

With the above setup I am able to send an ajax request to '/users/sign_in' with user[email] and user[password] parameters and have the user signed in. The response looks something like this:

{
 success: true 
 user: { 
  authentication_token: "SNa2kPqkm5ENsZMx7yEi"
  created_at: "2014-12-16T02:40:39.179Z"
  email: "xyz@xyz.com"
  id: 99999
  name: null
  provider: null
  uid: null
  updated_at: "2014-12-17T02:29:31.537Z"
 }
}

Now how do I use the authentication_token I received in the sign_in response to send requests to other controller actions that require user to be authenticated? Do I need to set this token in a request header? I am not able to find information on how to use this token. Please help.

  • 写回答

1条回答 默认 最新

  • weixin_33711641 2014-12-17 04:03
    关注

    It seems following as described in the gist here, the answer is that you send the suer's email and authetication_token with every request to the backend. You may choose to send it in request header or simply as parameters. You simply modify the method that checks the email and token and signs in the user in ApplicationController accordingly. This is my ApplicationController (I am now sending the email and token as parameters in the request):

    class ApplicationController < ActionController::Base
  # Prevent CSRF attacks by raising an exception.
  # For APIs, you may want to use :null_session instead.
  protect_from_forgery with: :exception
  #todo remove this once ui is integrated. following turns off the csrf token:
  skip_before_filter :verify_authenticity_token

  #todo begin code to support authentication using token
  # This is our new function that comes before Devise's one
  before_filter :authenticate_user_from_token!
  # This is Devise's authentication
  before_filter :authenticate_user!

  private

  def authenticate_user_from_token!
    user_email = params[:user_email].presence
    user       = user_email && User.find_by_email(user_email)

    # Notice how we use Devise.secure_compare to compare the token
    # in the database with the token given in the params, mitigating
    # timing attacks.
    if user && Devise.secure_compare(user.authentication_token, params[:user_token])
      sign_in user, store: false
    end
  end
  #todo end code to support authentication using token
end

    I forgot to mention in my post that I had already added the migration to add a authentication_token column to User model. Also, I had to add following in the User model (as described in the gist), so that an authentication token is generated each time a user is created/updated:

    #todo begin code to support ajax authentication of users
  #todo see https://gist.github.com/josevalim/fb706b1e933ef01e4fb6
  # You likely have this before callback set up for the token.
  before_save :ensure_authentication_token

  def ensure_authentication_token
    if authentication_token.blank?
      self.authentication_token = generate_authentication_token
    end
  end

  private

  def generate_authentication_token
    loop do
      token = Devise.friendly_token
      break token unless User.where(authentication_token: token).first
    end
  end
  #todo end code to support  ajax authentication of users
    评论

报告相同问题?

  • GO中的用户身份验证系统
    2015-03-17 09:34
    回答 1 已采纳 Short answer: no. Long answer: Ruby on Rails is a framework, Go is a language. Making a "universa
  • Golang重复Rails Devise gem密码加密 ruby
    2017-02-07 13:10
    回答 1 已采纳 I found out https://github.com/consyse/go-devise-encryptor exactly for doing this task
  • 在Rails 5.2应用程序和Golang之间共享Web会话 ruby
    2018-10-04 23:32
    回答 1 已采纳 You can share the session between two backends (regardless of the backends) using redis datastore
  • rails6-api-starter:初学者应用程序,通过设计令牌身份验证开发Rails 6 API应用程序
    2021-05-23 03:20
    预先配置了devise身份验证令牌身份验证。 用法 要设置该应用程序,请设置git clone并运行bundle install以安装所有必需的依赖项。 该应用程序配置为与其姐妹前端react,angular或vusjs应用程序配对 服务器 您可以...
  • Card Stacking
    2017-08-13 17:06
    回答 1 已采纳 http://blog.csdn.net/qq_26658823/article/details/51956254
  • Huffman's Greed
    2017-10-11 08:32
    回答 1 已采纳 http://www.aiuxian.com/relative/p-924737.html
  • Frogger's For Dinner
    2017-10-09 13:36
    回答 1 已采纳 http://poj.org/problem?id=2221
  • nonprofit_giving_app
    2021-06-07 18:20
    用户身份验证是通过 Ember Simple Auth 和 Ember CLI Simple Auth Devise 实现的。 计划实施 Stripe 和 AWS(用于组织将照片上传到他们的个人资料)。 先决条件 您将需要在您的计算机上正确安装以下东西。 (带有 ...
  • Software CRC
    2017-06-22 10:14
    回答 1 已采纳 http://blog.csdn.net/bo_jwolf/article/details/10558433
  • Image Deskew 算法
    2017-05-06 16:21
    回答 1 已采纳 https://www.baidu.com/link?url=po2IKD63Bv6Bv0Z_LUBtfjc4tHLDWqq94DxKmrJ536j3tqnHgtDF0v0_5fyj-kV_TT3DR
  • The Most Frequent Number
    2017-02-22 11:41
    回答 2 已采纳 http://blog.csdn.net/y990041769/article/details/8518517
  • ChatGpt提示词大全
    2023-08-12 16:09
    浮生夢的博客 我希望你只以面试官的身份回答。不要同时写下所有的保存内容。我想让你只和我一起面试。问我这些问题,然后等待我的回答。不要写解释。像面试官一样一个一个地问我问题,等待我的回答。我的第一句话是“嗨” Java...
  • Rust不适合开发Web API
    2021-02-09 10:24
    程序员大咖的博客 Node.js 有 passport.js,Rails 有 devise,Django 有 开箱即用的身份验证模型,在 Rust 中,你需要学习如何将共享 Vec 转换到底层加密库才能构建这个系统。 译者注,Vec 是一个动态数组,只会自动增长而不会自动...
  • 忘记密码ajax,通过ajax设计密码可恢复模块
    2021-08-05 12:24
    weixin_39885412的博客 我构建了一个JavaScript前端(ember)到api api,并且我正在使用devise进行用户身份验证。通过ajax设计密码可恢复模块一切正常,但密码恢复让我很难。我看着views/devise/password/edit.html.erb在设计和属性似乎是...
  • 如何构建Ruby on Rails应用程序
    2020-08-11 05:37
    cukw6666的博客 ruby on rails 介绍 (Introduction) Rails is a web application framework written in Ruby. It takes an opinionated approach to application development, assuming that set conventions best serve developers...
  • ror 和 shr_使用RoR和React Native的ANPR
    2020-09-06 11:00
    cullen2012的博客 ALPR – used for calling openALPR commands ALPR –用于调用openALPR命令 Devise — is a flexible authentication solution for Rails based on Warden Devise —是基于Warden的Rails灵活的身份验证解决方案 ...
  • 关于 Node.js 的认证方面的教程(很可能)是有误的
    2017-08-25 08:54
    weixin_34380296的博客 与 Devise 相比,Passport 只是身份验证中间件,不会处理任何其他身份验证:这意味着 Node.js 开发人员可能会定制自己的 API 令牌机制、密码重置令牌机制、用户认证路由、端点、多种模板语言,因此,有很多教程专门...
  • HCTF-2018-Official-Writeup
    2018-11-14 18:27
    怀念_过去的博客 值为数字,利用弱类型,绕过用户身份验证,实现任意用户登录。 我在这里套用了这个漏洞: l o g i n d a t a = j s o n d e c o d e ( login_data = json_decode( l o g i n d ​ a t a = j s o n d ​ e c o d e ( ...
  • rails3 新特性 和 RJS评论
    2012-03-13 13:36
    iteye_21199的博客 如果用nginx passenger做rails应用服务器,而且使用send_file或send_data来发送比如需要先身份验证等特殊需求的文件,需要在config/environments/下面的配置文件中设置: Ruby代码 config.action_...
  • 没有解决我的问题, 去提问

悬赏问题

  • ¥15 基于卷积神经网络的声纹识别
  • ¥15 Python中的request,如何使用ssr节点,通过代理requests网页。本人在泰国,需要用大陆ip才能玩网页游戏,合法合规。
  • ¥100 为什么这个恒流源电路不能恒流?
  • ¥15 有偿求跨组件数据流路径图
  • ¥15 写一个方法checkPerson,入参实体类Person,出参布尔值
  • ¥15 我想咨询一下路面纹理三维点云数据处理的一些问题,上传的坐标文件里是怎么对无序点进行编号的,以及xy坐标在处理的时候是进行整体模型分片处理的吗
  • ¥15 CSAPPattacklab
  • ¥15 一直显示正在等待HID—ISP
  • ¥15 Python turtle 画图
  • ¥15 stm32开发clion时遇到的编译问题