My Rails app uses Devise for authentication. It has a sister iOS app, and users can log in to the iOS app using the same credentials that they use for the web app. So I need some kind of API for authentication.
这里有很多类似的问题指向this tutorial,但是它似乎已经过时了,因为token_authenticatable模块已经从Devise中删除了,并且一些行抛出了错误.(我使用的是Devise 3.2.2.)我试着根据该教程(和this one)推出我自己的教程,但我对此并不是百分之百有信心-我觉得可能有什么地方我误解了或错过了.
首先,按照this gist的建议,我在users表中添加了authentication_token文本属性,并在user.rb表中添加了以下内容:
before_save :ensure_authentication_token
def ensure_authentication_token
if authentication_token.blank?
self.authentication_token = generate_authentication_token
end
end
private
def generate_authentication_token
loop do
token = Devise.friendly_token
break token unless User.find_by(authentication_token: token)
end
end
Then I have the following controllers:
api_controller.rb
class ApiController < ApplicationController
respond_to :json
skip_before_filter :authenticate_user!
protected
def user_params
params[:user].permit(:email, :password, :password_confirmation)
end
end
(请注意,我的application_controller有before_filter :authenticate_user!行.)
api/sessions_controller.rb
class Api::SessionsController < Devise::RegistrationsController
prepend_before_filter :require_no_authentication, :only => [:create ]
before_filter :ensure_params_exist
respond_to :json
skip_before_filter :verify_authenticity_token
def create
build_resource
resource = User.find_for_database_authentication(
email: params[:user][:email]
)
return invalid_login_attempt unless resource
if resource.valid_password?(params[:user][:password])
sign_in("user", resource)
render json: {
success: true,
auth_token: resource.authentication_token,
email: resource.email
}
return
end
invalid_login_attempt
end
def destroy
sign_out(resource_name)
end
protected
def ensure_params_exist
return unless params[:user].blank?
render json: {
success: false,
message: "missing user parameter"
}, status: 422
end
def invalid_login_attempt
warden.custom_failure!
render json: {
success: false,
message: "Error with your login or password"
}, status: 401
end
end
api/registrations_controller.rb
class Api::RegistrationsController < ApiController
skip_before_filter :verify_authenticity_token
def create
user = User.new(user_params)
if user.save
render(
json: Jbuilder.encode do |j|
j.success true
j.email user.email
j.auth_token user.authentication_token
end,
status: 201
)
return
else
warden.custom_failure!
render json: user.errors, status: 422
end
end
end
And in config/routes.rb:
namespace :api, defaults: { format: "json" } do
devise_for :users
end
我有点不知所措,我相信这里有一些东西我future 的self 会回顾和畏缩(通常是有的).一些不确定的部分:
Firstly,你会注意到Api::SessionsController从Devise::RegistrationsController继承,而Api::RegistrationsController从ApiController继承(我还有一些其他控制器,比如Api::EventsController < ApiController,它为我的其他模型处理更多标准的REST内容,与Deave没有太多联系.)这是一个相当丑陋的安排,但我想不出另一种方法来获得我在Api::RegistrationsController中需要的方法.我在上面链接的教程有第include Devise::Controllers::InternalHelpers行,但这个模块似乎在Desive的最新版本中被删除了.
Secondly, I've disabled CSRF protection with the line skip_before_filter :verify_authentication_token. I have my doubts about whether this is a good idea - I see a lot of conflicting or hard to understand advice about whether JSON APIs are vulnerable to CSRF attacks - but adding that line was the only way I could get the damn thing to work.
Thirdly, I want to make sure I understand how authentication works once a user has signed in. Say I have an API call GET /api/friends which returns a list of the current user's friends. As I understand it, the iOS app would have to get the user's authentication_token from the database (which is a fixed value for each user that never changes??), then submit it as a param along with every request, e.g. GET /api/friends?authentication_token=abcdefgh1234, then my Api::FriendsController could do something like User.find_by(authentication_token: params[:authentication_token]) to get the current_user. Is it really this simple, or am I missing something?
所以,对于那些一直阅读到这个庞大问题结尾的人来说,谢谢你们的时间!总结如下:
- Is this login system secure?或是否有我忽略或误解的东西,例如,当涉及到CSRF攻击时?
- Is my understanding of how to authenticate requests once users are signed in correct?(见"第三……"上图.)
-
Is there any way this code can be cleaned up or made nicer? Particularly the ugly design of having one controller inherit from
Devise::RegistrationsControllerand the others fromApiController.
谢谢!