Log out of app with cURL - ruby-on-rails

We have a web app built in Ruby on Rails that uses Devise for logging in and out. I'm responsible for a backend XML API using cURL. Users can log in, send updates, etc. at a command prompt with cURL and XML strings, but I don't see how to allow them to log off with a cURL command.
The UI has a logout link that sends a DELETE command, but it uses an authenticity_token parameter that I'm not sure how to emulate or pass through cURL. The output from rake routes shows destroy_user_session as a DELETE action sent to devise, and I've tried using cURL just to point to its path, but that doesn't seem to do anything.
Most of the related resources I've found seem specific to php or to slightly different scenarios.
Edit: Would it be easier to create a new controller action to handle this, so the user just puts in the correct path, and the actual DELETE/POST/whatever is handled in code?

If you not particular about the delete attribute being present. You can configure in devise to log out via post or get.
in the config/initializers/devise.rb you will find
config.sign_out_via = :delete
change that to
config.sign_out_via = :get
Now you should be able to log_out by sending a curl request to the the logout url.
Though my personal suggestion is to authenticate the XML API using key rather than login in using the username and password.
This article should help you get started. http://blog.joshsoftware.com/2011/12/23/designing-rails-api-using-rabl-and-devise/

Related

Confused connecting to API in Postman

I am doing a Backend rails thinkster tutorial that involves creating a clone of medium. I am at a step that requires testing the routes in Postman. Thinkster provides an API that has built in requests and pre-made connections.
But the tutorial goes from step "download Postman" to step "send request." There's no explanation about how to initially start using Postman.
So the first test is to test if you can create a new user with a Register request. I am guessing this is in the Auth folder of the API as there is a Post request called "Register".
I am not seeing an area though that suggests I can make a user. All of the items in my collection are have a request Url that starts with {{apiUrl}}. Example: login's POST request is {{apiUrl}}/login. And if I hover over {{apiUrl}}, it says "unresolved variable: variable is not defined in current environment."
Could anyone help me get going with these tests? Below is a gif of my Postman setup as well as the list of tests the tutorial wants run. I am sure I am not providing something that I may need to in order to get help on this. Please let me know if you are not being presented with all info needed! Thanks.
Test out Postman authentication functionality using Postman
You should be able to:
Create an account using the Register request in Postman
Test the Login endpoint using Postman
Try registering another user with the same email or username, you
should get an error back from the backend
Test the Current User endpoint using Postman
Try logging in to the user you created with an invalid password, you
should get an error back from the backend
Try updating the email, username, bio, or image for the user
My friend I will try to answer at least the question about {{apiUrl}}
This are variables that can be global or environment, obviously global apply to all projects and environment, you will need to select the environment in which they apply.
Now to make it work, do the following.
Copy the url to your API server.
Replace it with the magic variable between {{}}
Go to the gear where you manage this global or environment variables «lest make a local one»
Click on add
first name your environment however you like, the go to the grid and make a variable placing the name inside the key and your servir url on the value side. Then save.
Don't forget to select the environment where you are working.
Thats it now your {{variable}} should work. Now you can use this variables all over postman, they are very helpful. If you are using a JWT token, you will be able to assign it to a variable and the use it on your postman api.

Accessing username as supplied by curl -u in a request made to a Rails application

I am rewriting a legacy JSON API application in Rails 5 (in API mode, so we're using ActionController::API). For the sake of API consistency, the new application needs to be accessed like so:
$ curl -u my-api-token: http://foo.bar/baz
(Note that no password is provided).
From there, we ostensibly authenticate based on the API token and life is grand.
The issue I am having is my inability to access the my-api-token component of the request using Rails' request object in the controller (which is an ActionDispatch::Request object) or through the params hash -- in either case, my-api-token appears to be absent. The act of curling is otherwise successful, in that it hits the right endpoint and the right controller action.
The documentation for curl and for ActionDispatch::Request seem to be not particularly useful yet, and searching for my-api-token when inspecting the request object turns up nothing. Other threads in SO seem to be mostly about how to get curl working in the first place, rather than this particular use case.
What am I doing incorrectly? Or, perhaps better, what do I need to do differently to make this work?
Thanks in advance.
It looks like you are misunderstanding what the -u option does in cURL. With the -u option, you are telling cURL to use Basic Authentication. Thus, your API token is being sent in the HTTP Authorization header, not in the request params.
I see a few options to fix your problem.
The first option is to look in the request headers to extract the Authorization header value, base64 decode it, and you can then grab your API token. I'm not very familiar with Rails, but it looks like this is fairly easy to do: http://api.rubyonrails.org/classes/ActionDispatch/Request.html#method-i-headers
The second option is to send the API token via GET params or a POST request. I believe using a POST request is most common for authentication.
For example, using a POST request, you might do something like
curl --data "token=API_TOKEN" https://example.com/resource.cgi
Then you should be able to access the data in the request params.
Also, please consider using HTTPS. With HTTP, any of the solutions I mentioned are susceptible to having your API token intercepted. You can read this question to understand why this is so: https://superuser.com/questions/919859/is-curl-u-usernamepassword-http-example-com-secure

links in email breaking

I have a rails application and am using devise for authentication. I notice that when the email for resetting the password goes through in production then the link to reset the password breaks and it redirects to my root URL.
In development it takes me to the sign in page and a flash message appears which says that I cannot access this page without a valid token, and must provide the full URL.
while I have customized the look of the email, I am using the devise methods in order to generate the links, viz. edit_password_url(#resource, reset_password_token: #token) %>
this should ideally come up in the development environment as
http://localhost:3000/users/password/edit?reset_password_token=[GENERATED_TOKEN]
however it is coming up as follows as observed from the server logs:
http://localhost:3000/users/password/edit?reset_pass=
word_token=3DQaz7y_f63yR3MZmReUY5
on two separate lines. In production I am using sendgrid so I cannot see the url being generated by inspecting the link.
I also notice that every = sign gets converted to an =3D
Looking forward to some suggestions. Please do let me know if I must provide any more data.
I did figure out the problem, which as it turns out had nothing to do with the transfer encoding.
At the receiving end the urls do get full resolved properly in spite of the content transfer encoding.
However since I was auto generating the links, they were being generated and sent as http links. I am using a CDN that redirects all traffic over https a page rule I had added there to resolve a few issues, was causing this http link to redirect over https and eventually to the application root. This is what was causing the problem.
Generating an absolute url with https is what was required.

How to use 'post' in routes.rb

please help me
I have created a controller 'users' with a view 'login' with a form to login users, I have changed the routes.rb changing get user/login to post user/login
now when I go to localhost:3000/users/login appears:
Routing Error
No route matches [GET] "/users/login"
Try running rake routes for more information on available routes.
please what should to do to works that page, that problem is because I have changed 'get' to 'post' in the routers, there are something more that I should to add?
When you just go to that url in your browser, the type of request is GET - but, as you said, there's no route for this request now.
POST route will be useful when you actually submit a form on this page - with simple submit (specify method attribute as POST) or AJAX request.
You can use both in routes.rb:
get user/login
post user/login
This means that the controller will recognize requests made using both methods. It is up to your controller logic to sort it out. The get would typically be used to render the login form; post would receive the user's username and password, authenticate him/her, and then redirect to a page for successful login (or unsuccessful, if necessary).
I may spark some controversy by saying this but if you are a beginner and you are looking to make a "serious" web site with user authentication, you may not want to leave anything up to chance and instead use a gem like devise (https://github.com/plataformatec/devise) to do it for you. Some will say that it's better to learn how to do it from scratch first, and there's some sense in that, too.

Rails POST doesnt extract any path, query or request parameters

I want to grant users access to my API (hosted on heroku.com) from their sites.
But a strange problem occurs, when i want them to allow to post to the api:
Data sent from an correct form with the correct action-url (e.g. "http://myapp.com/projects/123/tasks/321/todos") - the params get serialized and send via jQuery - i encounter an "ActionController::MethodNotAllowed" with the additional info: "Only get and post requests are allowed", that re-routes to ApplicationController#index with :method => :options.
Rails doesnt extract the params for project_id (123) and task_id (321) from the url, neither are any further request_parameters, path_parameters or query_parameters available.
This behaviour occurs, when I POST from external sites, but doesn't occur, when posting from an html-page on my local machine. My first thought was about wrong encoding, but how to fix that problem.
Edit:
I am using authlogic (not devise :-D) and for the :create action the protect_from_forgery is already skipped.
Any suggestions appreciated
i guess that happens because rails tries to protect your form CSRF attacks.
you can comment out the protect_from_forgery line in your ApplicationController to test it.
but im not sure if thats the right way of dealing with this issue in the production environment.
Okay. I'll try and answer the right question this time (see other comment).
So I've thought about this, and I'm wondering, is this a case of the jQuery call attempting a PUT request? When you use the local form Rails will POST the data, but add the extra _method field to emulate a PUT.
Don't know if you are using jquery-rails, but this takes care of setting the _method parameter, and the PUT/POST verb translation for you in your AJAX calls.
The problem occured due to the cross domain policy - the request was made from another domain - and because I was using a recent browser that supports CORS, it was sending an OPTIONS-request first to get known from the server, which actions are allowed for this domain.

Resources