I'm using Devise in a Rails 3 app for authentication.
I have another app that updates records in a table via the REST interface. Currently, I can't have before_filter :authenticate_user! in that table's controller.
Is there a way to supply a username, password via the REST interface? Or some other method to get the REST input authenticated?
You can use token authentication to send params to the Rest API securely using either https://github.com/gonzalo-bulnes/simple_token_authentication or https://github.com/lynndylanhurley/devise_token_auth
Related
I have a large app running on Devise, Rails 5.
I am trying to create simple token access to the application so the end user could hit localhost:3000/projects.json with a single Curl request by simply providing a token for authentication without an email or password.
The resources I've checked seem to create a session through an email and password, then create a token, then another request:
https://github.com/lynndylanhurley/devise_token_auth
http://www.jianshu.com/p/8068d539a539
How could I accomplish access with a single API token?
**Note I am using devise for this, because I am using the :lockable module to protect against brute force attacks on the API
I am building a rails application which has both API and UI, I have implemented HTTP token authentication (header) for API and want to continue with same for web app as well if possible.
I am saving the user token in session[:token] and using authenticate_or_request_with_http_token method for authentication.
The application_controller has the before filter and all other controllers are inherited hence HTTP header token is required for every endpoint in API and every page in the web app.
API is working fine because the partner application sends token every time to access endpoints but in case of web app we are getting token for the first time (when the user gets redirected from the partner app) and control gets transferred to our app. Then we need a way to send HTTP header token for every route/page inside the rails app. Please suggest me a way to do that, or a completely different approach if this seems so complex.
Edit:
def authenticate_user
authenticate_or_request_with_http_token do |token, options|
user_id = Setting.long_decode_id(token)
user = User.find_by(id: user_id)
if (user.present?)
session[:api_current_user] = user.id
I don't know if using a header token is the most straightforward approach in a web application, is there a reason you want to do it this way? You would need to be injecting the token into every request the user makes since their browser generally wouldn't do it for them.
Instead, why not use the token on the first visit (if that's the way you want to control access) but after that first entry set a session flag to skip that before filter until the session expires?
Alternatively there are a few great authentication gems out there, you could use one of those (devise for example)
I have a rails app that uses devise authentication system. There is another external rails app which requests this app but because of the code below in application_controller, it can't pass through.
before_action :authenticate_user!
What is the best way/design to let the application get authenticated correctly and get the response without a problem.
Any hint is appreciated
You can either use token authentication to allow the app to pass a secret token via a url query parameter or use HTTP Basic Authentication.
https://github.com/baschtl/devise-token_authenticatable
You would need to create a user account and generate a token for it and use that token for every request that your app makes by either including ?tolen_param_name=SECRET or use Http basic authentication with the user's username and password.
http://railscasts.com/episodes/82-http-basic-authentication
Note that it's safer to enable ssl over the http connection to encrypt the password or secret.
Oauth2 is driving me crazy.
Currently, my Rails application authenticates users through Facebook, and soon other Oauth2 providers, thanks to the beauty of Devise & OmniAuth. User can't sign in with login & password.
But as my application is mainly an API, I also want it to act as an Oauth2 provider, to protect data.
Thus, the user sign in with Facebook -> my application obtain an Access Token, and then -> provides the user a new Access Token to access my API -> my AngularJS application (or any other app) uses this token to access my API without knowing Facebook or Google Access Token.
It looks like I need to forward Oauth2 token to client with a custom provider.
I discovered doorkeeper gem... but I can't understand how to articulate it with Devise & Omniauth.
I found many partial answers here, but not a complete one.
I will appreciate any help, good tutorial, or more complete answers.
Here is a simple tutorial to get you started. Thanks to Andrea!
1. Server Application (Devise + Doorkeeper)
http://dev.mikamai.com/post/110722727899/oauth2-on-rails
2. Client Application (Ominauth-oauth2)
http://dev.mikamai.com/post/112508735689/oauth2-on-rails-the-client-application
P.S. Minor Errata!
1. When you generate the APP_ID and SECRET_ID for the client application from the server application - using http://localhost:3000/oauth/applications/new - enter the callback url http://localhost:3001/auth/doorkeeper/callback
Or, if you see this after the error, go back to http://localhost:3000/oauth/applications/ and edit the callback url. We can't use http://localhost:3001/doorkeeper/callback because this is not the route the tutorial is using from the Client Application.
2. In the client application include the callback action definition as below and change the to_json method to as_json.
../oauth-client/app/controllers/application_controller.rb
class ApplicationController < ActionController::Base
# Prevent CSRF attacks by raising an exception.
# For APIs, you may want to use :null_session instead.
protect_from_forgery with: :exception
def authentication_callback
auth = request.env['omniauth.auth']
render json: auth.as_json
end
end
Cheers!
I have both a Desktop application and a mobile application. I want to use the same rails application for both "devices". In another word, I want the mobile application to request contents on the Desktop application.
I use Devise for authentications (email + password).
I have implemented Doorkeeper on the Desktop app in order to generate an Oauth2 token for my mobile application.
Here are my questions:
I have before_filters sets in my desktop application controllers in order to secure them.
I am not sure how the mobile application should share the OAuth2 token with Devise in order to be authenticated and access my protected controllers ?
In fact, right now, it is Doorkeeper who should check the mobile token in my controllers with the doorkeeper_for :all code. But to do that I have to unable the devise protection before_filter :authenticate_user!...
Should I save the oauth token in devise too ?
I am misunderstanding how mobile applications should authenticate with devise and OAuth2 protocole ?
Thx
This is old, but doesn't have an answer yet.
Essentially Devise and Doorkeeper are doing the same thing, Devise authenticates using sessions (or token auth if you have enabled that) while Doorkeeper authenticates with OAuth tokens sent in every request.
What you probably want to do is split your application into two access points, have a regular desktop access using Devise and an API that uses Doorkeeper. Enable Devise routes for only the regular desktop controllers and enable doorkeeper routes for only the api controllers.
In your API Application Controller, you can override current_user to be something like User.find(doorkeeper_token.resource_owner_id) if doorkeeper_token. This will match the way Devise authenticates as well.
Alternatively, if your API doesn't have to use OAuth, you could use Devise's token_authenticable config, which provides similar features as OAuth's Bearer Tokens.
I'm not sure if I understood your question but Doorkeeper locks your controller completely. No access via Devise authentication is possible if you have doorkeeper_for :all in your controller.
You will need a seperate controller to share your data via OAuth2, like an API controller for instance. Then you can request data e.g. via protocol://myapp:1234/ressource?access_token=thetoken.
Is that what you asked for? Else please clarify :)