I am trying to learn Rails and have created User model using devise but just using Rails an API. I have added custom validations on the controller and it works fine. The user is able to login when posting data from the front-end. But, the problem is that the browser doesn't store the session anywhere. Hence, the session will be considered new every-time a page is reloaded. I am wondering if devise has an in-built functionality which would create session and store in cookie or local storage.
class API::V1::SessionsController < Devise::SessionsController
def create
#user = User.find_by_email(user_params[:email])
if #user && #user.valid_password?(user_params[:password])
sign_in :user, #user
render json: #user
elsif #user && not(#user.valid_password?(user_params[:password]))
invalid_attempt
else
no_user
end
end
def destroy
#message = "signed out"
sign_out(#user)
render json: #message
end
private
def no_user
render json: {error: "An account with this email doesn't exist. Please create a new one"}, status: :unprocessable_entity
end
def invalid_attempt
render json: { error: "Your password isn't correct" }, status: :unprocessable_entity
end
def user_params
params.require(:user).permit(:email, :password)
end
end
Related
I'm quite new to RoR programming and stuck while trying to migrate my authentication from Clearance to JWT. I created all of the required methods in ApplicationController and UsersController and even managed to sign up a user, save the user's password_digest to the database and then log in a user (in terms of POST params, I mean that no errors were thrown). However, I fail to keep the user logged in. I understand that there should be an auth_header attached to each request by my user, but how do I create one? I googled it multiple times, but failed to find how to handle it in terms of front-end. Everybody seems to use these fancy apps with buttons to create all the required headers and send raw json data ((
In other words, I have my JWT token encoded in the entrance method (as posted below) but I cannot understand how to pass it as a header in each and every request to the app further on?
users_controller.rb
class UsersController < ApplicationController
def create
#user = User.create(user_params)
if #user.valid?
token = encode_token({ user_id: #user.id })
redirect_to root_path
else
render json: { error: "Invalid email or password"}, status: :unprocessable_entity
end
end
def entrance
#user = User.find_by(email: user_params[:email])
if #user && #user.authenticate(user_params[:password])
token = encode_token({ user_id: #user.id })
redirect_to root_path
else
render json: { error: "Invalid email or password"}, status: :unprocessable_entity
end
end
def login
render 'login'
end
def signup
#user = User.new
render 'signup'
end
application_controller.rb
class ApplicationController < ActionController::Base
helper_method :current_user
def encode_token(payload)
JWT.encode(payload, 'secret')
end
def decode_token
auth_header = request.headers["Authorization"]
if auth_header
token = auth_header.split(' ')[1]
begin
JWT.decode(token, 'secret', true, algorithm: 'HS256')
rescue JWT::DecodeError
nil
end
end
end
def current_user
decoded_token = decode_token()
if decoded_token
user_id = decoded_token[0]['user_id']
#user = User.find(user_id)
end
end
def signed_in?
current_user.present?
end
def authorize
if signed_in?
redirect_to root_path
else
redirect_to "/log_in"
end
end
I truncated the code a bit, but all the relevant methods are included.
I am using Rails API and devise for authentication but when sending a request to destroy the session, it doesn't return any response other then status 200.It returns the same response no matter if the user exists, is logged in or the password is incorrect.
url http://localhost:3000/users/sign_in
I'm sending a DELETE request through Postman and it just returns a 200 response. It should be returning the data which is stored in the #message
{
"user":{
"email":"abc#abc.com",
"password":"abc#abc.com"
}
}
I even tried to destory the session using the session id:
curl -X DELETE -d "3" http://localhost:3000/users/sign_out
sessions_controller.rb
class API::V1::SessionsController < Devise::SessionsController
def create
#user = User.find_by_email(user_params[:email])
if #user && #user.valid_password?(user_params[:password])
session[:user_id]=#user.id
sign_in :user, #user
render json: #user
elsif #user && not(#user.valid_password?(user_params[:password]))
invalid_attempt
else
no_user
end
end
def destroy
#message = "signed out"
session.delete(:user_id)
sign_out(#user)
render json: #message
end
private
def no_user
render json: {error: "An account with this email doesn't exist. Please create a new one"}, status: :unprocessable_entity
end
def invalid_attempt
render json: { error: "Your password isn't correct" }, status: :unprocessable_entity
end
def user_params
params.require(:user).permit(:email, :password)
end
end
routes.rb
devise_for :users, controllers: { registrations: 'api/v1/registrations', sessions:'api/v1/sessions'}
I am trying to learn Rails API with React front end and have created a login, signup and logout feature. Currently, I am using localstorage to check if a user is signed in or registered. If the value is true, the logout button appears, and clicking logout empties the localstorage and sets the value to false. But I think this isn't the correct way of doing it since rails devise has its own session and logout endpoint. I tried writing some code for the destroy session and when testing it using the endpoint in POSTMAN it doesn't seem to work the way I want.
Here's the code:
class API::V1::SessionsController < Devise::SessionsController
def create
#user = User.find_by_email(user_params[:email])
if #user && #user.valid_password?(user_params[:password])
session[:user_id]=#user.id
sign_in :user, #user
render json: #user
elsif #user && not(#user.valid_password?(user_params[:password]))
invalid_attempt
else
no_user
end
end
def destroy
puts "logout clicked"
#user = User.find_by_email(user_params[:email])
if #user.valid_password(user_params[:password]) && #user.destroy
render :json => { success: "user was successfully deleted" }, :status => 201
else
render :json => { error: "user could not be deleted" }, :status => 422
end
end
private
def no_user
render json: {error: "An account with this email doesn't exist. Please create a new one"}, status: :unprocessable_entity
end
def invalid_attempt
render json: { error: "Your password isn't correct" }, status: :unprocessable_entity
end
def user_params
params.require(:user).permit(:email, :password)
end
end
http://localhost:3000/users/sign_out
{
"user":{
"email":"test1#test.com",
"password":"test1#test.com"
}
}
Please note that this user does exist. Sending a delete request to http://localhost:3000/users/sign_out isn't even logging the "logout clicked" and the status gives 204.
I know I should put the code in the create action of the users controller, but I'm not sure what code.
this is my controller code:
# frozen_string_literal: true
class UsersController < ProtectedController
skip_before_action :authenticate, only: [:signup, :signin]
# POST '/sign-up'
def signup
user = User.create(user_creds)
if user.valid?
render json: user, status: :created
else
render json: user.errors, status: :bad_request
end
end
# POST '/sign-in'
def signin
creds = user_creds
if (user = User.authenticate creds[:email],
creds[:password])
render json: user, serializer: UserLoginSerializer, root: 'user'
else
head :unauthorized
end
end
# DELETE '/sign-out/1'
def signout
if current_user == User.find(params[:id])
current_user.logout
head :no_content
else
head :unauthorized
end
end
# PATCH '/change-password/:id'
def changepw
if !current_user.authenticate(pw_creds[:old]) ||
(current_user.password = pw_creds[:new]).blank? ||
!current_user.save
head :bad_request
else
head :no_content
end
end
def index
render json: User.all
end
def show
user = User.find(params[:id])
render json: user
end
def update
head :bad_request
end
private
def user_creds
params.require(:credentials)
.permit(:email, :password, :password_confirmation)
end
def pw_creds
params.require(:passwords)
.permit(:old, :new)
end
private :user_creds, :pw_creds
end
i know i should change something
in my create user but not sure where
i tried to use #current_user = user under the sign up part but it didnt work.
Do you want user to be signed in when he/she sign up?
# POST '/sign-up'
def signup
user = User.create(user_creds)
if user.valid?
User.authenticate(user_creds[:email], user_creds[:password])
render json: user, status: :created
else
render json: user.errors, status: :bad_request
end
end
I am currently using Clearance from Throughbot for my authentication. I am needing to add an API to my product and can't seem to find docs about using Clearance with an API. Is there a certain Header I can set that Clearance will check automatically and if not what can I use? I think I may be able to use this.
To get around this I ended up overriding the authenticate methods on the ApplicationController and the User model. It looks something like this:
class ApplicationController < ActionController::Base
include Clearance::Controller
include Clearance::Authentication
def authenticate(params)
if request.headers['AUTH-TOKEN']
return nil unless user = User.where(remember_token: request.headers['AUTH-TOKEN']).first
sign_in user
else
User.authenticate(params[:session][:email], params[:session][:password])
end
end
#rest of class omitted for bevity
end
Then I subclasses SessionsController to override the create method like so:
class SessionsController < Clearance::SessionsController
def create
#user = authenticate(params)
sign_in(#user) do |status|
respond_to do |format|
if status.success?
format.html { redirect_back_or url_after_create }
format.json { render json: #user, status: :ok }
else
format.html do
flash.now.notice = status.failure_message
render template: 'sessions/new', status: :unauthorized
end
format.json { render json: [errors: status.failure_message], status: :unauthorized }
end
end
end
end
#rest of class omitted for bevity
end
Then all you have to do to test or use is set the requests AUTH-TOKEN header to the users remember token and you're all set. I chose to use the remember token because it is updated whenever the user logs out. You may not want this to happen and could instead generate a auth_token field on your model and change the where to use the new field.