I have a rails app that uses devise authentication system. There is another external rails app which requests this app but because of the code below in application_controller, it can't pass through.
before_action :authenticate_user!
What is the best way/design to let the application get authenticated correctly and get the response without a problem.
Any hint is appreciated
You can either use token authentication to allow the app to pass a secret token via a url query parameter or use HTTP Basic Authentication.
https://github.com/baschtl/devise-token_authenticatable
You would need to create a user account and generate a token for it and use that token for every request that your app makes by either including ?tolen_param_name=SECRET or use Http basic authentication with the user's username and password.
http://railscasts.com/episodes/82-http-basic-authentication
Note that it's safer to enable ssl over the http connection to encrypt the password or secret.
Related
I have a large app running on Devise, Rails 5.
I am trying to create simple token access to the application so the end user could hit localhost:3000/projects.json with a single Curl request by simply providing a token for authentication without an email or password.
The resources I've checked seem to create a session through an email and password, then create a token, then another request:
https://github.com/lynndylanhurley/devise_token_auth
http://www.jianshu.com/p/8068d539a539
How could I accomplish access with a single API token?
**Note I am using devise for this, because I am using the :lockable module to protect against brute force attacks on the API
Im a bit stuck. I dont know how to setup ember-simple-auth with my current rails + ember-cli app.
Currently, the user has to login with steam, so they get redirected to steam's login page. When they press authorize, they get redirected back to my site. I then let rails process the request and if they successfully signed in with steam, I set a cookie with a randomly generated token.
Now I need to do two things for ember-simple-auth.
Tell ember-simple-auth to check if the token exists, and if it does, make an api call to get the user's infor like the name, email, username, etc...
Add a prefilter that passes the token in most requests.
For #2, I can just use the OAuth authorizer, but for #1, I have no idea.
Thanks.
You need to implement a custom authenticator and use that to authenticate the session in an initializer when the app starts. The authenticator would in its authenticate method read the token that the Rails app writes to the cookie, make the API call and resolve with a bearer token that the OAuth 2.0 authorizer would then inject into requests.
I have an iOS app that is using the Facebook SDK to authenticate. I am then able to use omniauth, devise, and omniauth-facebook-access-token (via AFNetworking) to create a user on the server for that facebook account.
Now I need my iOS app's user to be able to "have a session" on the RoR server - I could do that by passing some information in the headers or URL for each request to be authenticated or I could use a cookie. When the app makes API requests (JSON usually), I need those requests to be in the context of the user who has been authenticated.
What is the best practice for having an authenticated RoR user on an iOS app in this situation?
Some options that come to mind:
Maintain a cookie on the client
Send a piece of information for each API request in a header or somewhere else (access_token? user_id?)
My concern is that I want to be able to add additional oauth2 authentication providers without redoing this code.
You need a token to authenticate the user, you should also keep sending the csrf-token in order to keep your app secure. Take a look at this question, and see how the csrf is handeled in its answer.
Oauth2 is driving me crazy.
Currently, my Rails application authenticates users through Facebook, and soon other Oauth2 providers, thanks to the beauty of Devise & OmniAuth. User can't sign in with login & password.
But as my application is mainly an API, I also want it to act as an Oauth2 provider, to protect data.
Thus, the user sign in with Facebook -> my application obtain an Access Token, and then -> provides the user a new Access Token to access my API -> my AngularJS application (or any other app) uses this token to access my API without knowing Facebook or Google Access Token.
It looks like I need to forward Oauth2 token to client with a custom provider.
I discovered doorkeeper gem... but I can't understand how to articulate it with Devise & Omniauth.
I found many partial answers here, but not a complete one.
I will appreciate any help, good tutorial, or more complete answers.
Here is a simple tutorial to get you started. Thanks to Andrea!
1. Server Application (Devise + Doorkeeper)
http://dev.mikamai.com/post/110722727899/oauth2-on-rails
2. Client Application (Ominauth-oauth2)
http://dev.mikamai.com/post/112508735689/oauth2-on-rails-the-client-application
P.S. Minor Errata!
1. When you generate the APP_ID and SECRET_ID for the client application from the server application - using http://localhost:3000/oauth/applications/new - enter the callback url http://localhost:3001/auth/doorkeeper/callback
Or, if you see this after the error, go back to http://localhost:3000/oauth/applications/ and edit the callback url. We can't use http://localhost:3001/doorkeeper/callback because this is not the route the tutorial is using from the Client Application.
2. In the client application include the callback action definition as below and change the to_json method to as_json.
../oauth-client/app/controllers/application_controller.rb
class ApplicationController < ActionController::Base
# Prevent CSRF attacks by raising an exception.
# For APIs, you may want to use :null_session instead.
protect_from_forgery with: :exception
def authentication_callback
auth = request.env['omniauth.auth']
render json: auth.as_json
end
end
Cheers!
I want to build three example apps. One will be a sinatra oauth2 provider and second will be rails app with angular.js on frontend and rails on backend and third with sinatra on backend and angular.js on frontend.
Our Rails/Sinatra app will be authenticate users using satelizer and our custom provider.
These is our Oauth2 workflow right now.
Using Satellizer we get the authorization code from provider. We send this code to our backend.
In backend using this authorization code, secret key and other params, we send an request to provider to get an access token.
Using this obtain access token we call '/me' action to get an uid, email and other user attributes from provider.
In the same action we parse the response body and we find or create user based on uid.
We are wondering about this step which should somehow set the user's authentication token.
store the provider access token in user database record.
generate new authentication token and change it on every request
Generate JWToken with user uid and token and send it back to satellizer.
Then on each request Satellizer include Bearer JWToken in header. After recive request our backend verify header token stored in database and call sing_in method in our case devise(sign_in, store: false) maybe in sinatra app we will use warden.
What do you think about this concept? Maybe we are missing something. These is our first oauth2 authentication implementation and we are worried about it.