Develop Reference

How to use OmniAuth only for authorization from different Apis without authentication in Ruby on Rails

I want to use OmniAuth to retrieve user access_token and secret from facebook , twitter and google at the same time.
I'm using Devise for authentication , and I want to know how to request keys when the user is signed in and store them in a database to use them later .

Add in gem file
gem 'devise'
gem 'omniauth'
gem 'omniauth-twitter'
gem 'omniauth-facebook'
gem 'omniauth-linkedin'
Generate migrations and models
rails generate devise:install
rails generate devise user
rails g migration add_name_to_users name:string
rails g model identity user:references provider:string uid:string
app/models/identity.rb
class Identity < ActiveRecord::Base
belongs_to :user
validates_presence_of :uid, :provider
validates_uniqueness_of :uid, :scope => :provider
def self.find_for_oauth(auth)
find_or_create_by(uid: auth.uid, provider: auth.provider)
end
end
app/config/initializers/devise.rb
Devise.setup do |config|
...
config.omniauth :facebook, "KEY", "SECRET"
config.omniauth :twitter, "KEY", "SECRET"
config.omniauth :linked_in, "KEY", "SECRET"
...
end
config/environments/[environment].rb
# General Settings
config.app_domain = 'somedomain.com'
# Email
config.action_mailer.delivery_method = :smtp
config.action_mailer.perform_deliveries = true
config.action_mailer.default_url_options = { host: config.app_domain }
config.action_mailer.smtp_settings = {
address: 'smtp.gmail.com',
port: '587',
enable_starttls_auto: true,
user_name: 'someuser',
password: 'somepass',
authentication: :plain,
domain: 'somedomain.com'
}
config/routes.rb
devise_for :users, :controllers => { omniauth_callbacks: 'omniauth_callbacks' }
app/controllers/omniauth_callbacks_controller.rb
Therefore, to link accounts with multiple providers the current_user session must be already set when the OAuth callback returns, and passed to User.find_for_oauth. This might sound complicated, but all thats required to link a different provider, Facebook for example, is to redirect_to user_omniauth_authorize_path(:facebook) while the user is already logged in
class OmniauthCallbacksController < Devise::OmniauthCallbacksController
def self.provides_callback_for(provider)
class_eval %Q{
def #{provider}
#user = User.find_for_oauth(env["omniauth.auth"], current_user)
if #user.persisted?
sign_in_and_redirect #user, event: :authentication
set_flash_message(:notice, :success, kind: "#{provider}".capitalize) if is_navigational_format?
else
session["devise.#{provider}_data"] = env["omniauth.auth"]
redirect_to new_user_registration_url
end
end
}
end
[:twitter, :facebook, :linked_in].each do |provider|
provides_callback_for provider
end
def after_sign_in_path_for(resource)
if resource.email_verified?
super resource
else
finish_signup_path(resource)
end
end
end
app/models/user.rb
class User < ActiveRecord::Base
TEMP_EMAIL_PREFIX = 'change#me'
TEMP_EMAIL_REGEX = /\Achange#me/
# Include default devise modules. Others available are:
# :lockable, :timeoutable
devise :database_authenticatable, :registerable, :confirmable,
:recoverable, :rememberable, :trackable, :validatable, :omniauthable
validates_format_of :email, :without => TEMP_EMAIL_REGEX, on: :update
def self.find_for_oauth(auth, signed_in_resource = nil)
# Get the identity and user if they exist
identity = Identity.find_for_oauth(auth)
# If a signed_in_resource is provided it always overrides the existing user
# to prevent the identity being locked with accidentally created accounts.
# Note that this may leave zombie accounts (with no associated identity) which
# can be cleaned up at a later date.
user = signed_in_resource ? signed_in_resource : identity.user
# Create the user if needed
if user.nil?
# Get the existing user by email if the provider gives us a verified email.
# If no verified email was provided we assign a temporary email and ask the
# user to verify it on the next step via UsersController.finish_signup
email_is_verified = auth.info.email && (auth.info.verified || auth.info.verified_email)
email = auth.info.email if email_is_verified
user = User.where(:email => email).first if email
# Create the user if it's a new registration
if user.nil?
user = User.new(
name: auth.extra.raw_info.name,
#username: auth.info.nickname || auth.uid,
email: email ? email : "#{TEMP_EMAIL_PREFIX}-#{auth.uid}-#{auth.provider}.com",
password: Devise.friendly_token[0,20]
)
user.skip_confirmation!
user.save!
end
end
# Associate the identity with the user if needed
if identity.user != user
identity.user = user
identity.save!
end
user
end
def email_verified?
self.email && self.email !~ TEMP_EMAIL_REGEX
end
end
config/routes.rb
match '/users/:id/finish_signup' => 'users#finish_signup', via: [:get, :patch], :as => :finish_signup
app/controllers/users_controller.rb
class UsersController < ApplicationController
before_action :set_user, only: [:show, :edit, :update, :destroy]
...
# GET /users/:id.:format
def show
# authorize! :read, #user
end
# GET /users/:id/edit
def edit
# authorize! :update, #user
end
# PATCH/PUT /users/:id.:format
def update
# authorize! :update, #user
respond_to do |format|
if #user.update(user_params)
sign_in(#user == current_user ? #user : current_user, :bypass => true)
format.html { redirect_to #user, notice: 'Your profile was successfully updated.' }
format.json { head :no_content }
else
format.html { render action: 'edit' }
format.json { render json: #user.errors, status: :unprocessable_entity }
end
end
end
# GET/PATCH /users/:id/finish_signup
def finish_signup
# authorize! :update, #user
if request.patch? && params[:user] #&& params[:user][:email]
if #user.update(user_params)
#user.skip_reconfirmation!
sign_in(#user, :bypass => true)
redirect_to #user, notice: 'Your profile was successfully updated.'
else
#show_errors = true
end
end
end
# DELETE /users/:id.:format
def destroy
# authorize! :delete, #user
#user.destroy
respond_to do |format|
format.html { redirect_to root_url }
format.json { head :no_content }
end
end
private
def set_user
#user = User.find(params[:id])
end
def user_params
accessible = [ :name, :email ] # extend with your own params
accessible << [ :password, :password_confirmation ] unless params[:user][:password].blank?
params.require(:user).permit(accessible)
end
end
app/views/users/finish_signup.html.erb
<div id="add-email" class="container">
<h1>Add Email</h1>
<%= form_for(current_user, :as => 'user', :url => finish_signup_path(current_user), :html => { role: 'form'}) do |f| %>
<% if #show_errors && current_user.errors.any? %>
<div id="error_explanation">
<% current_user.errors.full_messages.each do |msg| %>
<%= msg %><br>
<% end %>
</div>
<% end %>
<div class="form-group">
<%= f.label :email %>
<div class="controls">
<%= f.text_field :email, :autofocus => true, :value => '', class: 'form-control input-lg', placeholder: 'Example: email#me.com' %>
<p class="help-block">Please confirm your email address. No spam.</p>
</div>
</div>
<div class="actions">
<%= f.submit 'Continue', :class => 'btn btn-primary' %>
</div>
<% end %>
</div>
app/controllers/application_controller.rb
The following method is optional, but it’s useful if you want to ensure the user has provided all the necessary information before accessing a specific resource.
You can use it in a before_filter like so: before_filter :ensure_signup_complete, only: [:new, :create, :update, :destroy]
class ApplicationController < ActionController::Base
...
def ensure_signup_complete
# Ensure we don't go into an infinite loop
return if action_name == 'finish_signup'
# Redirect to the 'finish_signup' page if the user
# email hasn't been verified yet
if current_user && !current_user.email_verified?
redirect_to finish_signup_path(current_user)
end
end
end

Devise: Can't mass-assign protected attributes: email, name

I'm using Rails (3.2.3) and Devise, and allowing administrators to create new users – and edit user accounts.
At this point, administrators can create accounts successfully. However, they can't edit them.
When you try to edit a user's account, a mass-assignment error is raised:
Can't mass-assign protected attributes: email, name
Even though, in the User model, these attributes are set to accessible:
attr_accessible :name, :email, :password, :password_confirmation, :remember_me
What's interesting, is, if I change the above line to attr_protected, you CAN edit user information but you CANNOT create users anymore. Very weird.
Here's the relevant code I'm working with... any help is appreciated.
User model:
class User < ActiveRecord::Base
rolify
devise :database_authenticatable, :registerable,
:recoverable, :rememberable, :trackable, :validatable
attr_accessible :role_ids, :as => :admin
attr_accessible :name, :email, :password, :password_confirmation, :remember_me
end
Users controller:
class UsersController < ApplicationController
before_filter :authenticate_user!
def update
authorize! :update, #user, :message => 'Not authorized as an administrator.'
#user = User.find(params[:id])
if params[:user][:password].blank?
params[:user].delete(:password)
params[:user].delete(:password_confirmation)
end
if #user.update_attributes(params[:user], :as => :admin)
redirect_to users_path, :notice => "User updated."
else
redirect_to users_path, :alert => "Unable to update user."
end
end
def new
#user = User.new
respond_to do |format|
format.html # new.html.erb
format.json { render json: #user }
end
end
def edit
#user = User.find(params[:id])
end
def create
#user = User.new(params[:user])
if params[:user][:password].blank?
params[:user].delete(:password)
params[:user].delete(:password_confirmation)
end
respond_to do |format|
if #user.save
format.html { redirect_to users_path, notice: 'User was successfully created.' }
else
format.html { render action: "new" }
end
end
end
end

Change to
class User < ActiveRecord::Base
rolify
devise :database_authenticatable, :registerable,
:recoverable, :rememberable, :trackable, :validatable
attr_accessible :role_ids, :name, :email, :password, :password_confirmation, :remember_me, :as => :admin
attr_accessible :name, :email, :password, :password_confirmation, :remember_me
end
Now administrators can create accounts successfully & they CAN edit them as well. Hope it helps

Changing roles in rails 4

I created the app with the help of rails composer. Using devise for authentication and cancan for managing roles. So I have 3 roles by default: Admin, User and VIP. I deleted VIP, because I don't need it. Run rake db:seed to create a default admin. Then I'm coming to localhost and seeing the "First User" as admin. I logout and register(signup) a new user. Then, signing in again as admin. I see, that by deafault, this new user doesn't have any role. And also I see, that I can change it("Change role" - button). I push it and as admin can choose whether new user will be the second admin or just User. I choose, for example, User, push "change role" and have an "ArgumentError in UsersController#update wrong number of arguments (2 for 1)".
Sooo, I have two questions:
1. How to give my admin the ability to change roles without errors.
2. How to make new signing up users to have default role "User".
Thanks!
Ok, I managed to set the default role this way:
after_create :assign_reader_role
private
def assign_reader_role
self.add_role "user"
end
Here is my UserControlle:
class UsersController < ApplicationController
before_filter :authenticate_user!
def index
authorize! :index, #user, :message => 'Not authorized as an administrator.'
#users = User.all
end
def show
#user = User.find(params[:id])
end
def update
authorize! :update, #user, :message => 'Not authorized as an administrator.'
user = User.find(params[:id])
if user.update_attributes(user_params)
redirect_to users_path, :notice => "User updated."
else
redirect_to users_path, :alert => "Unable to update user."
end
end
def destroy
authorize! :destroy, #user, :message => 'Not authorized as an administrator.'
user = User.find(params[:id])
unless user == current_user
user.destroy
redirect_to users_path, :notice => "User deleted."
else
redirect_to users_path, :notice => "Can't delete yourself."
end
end
private
def user_params
params.require(:user).permit(:name, :email)
end
end
Here is models.
User:
class User < ActiveRecord::Base
after_create :assign_reader_role
rolify
devise :database_authenticatable, :registerable,#:confirmable,
:recoverable, :rememberable, :trackable, :validatable
validates_presence_of :name
private
def assign_reader_role
self.add_role "user"
end
end
Role:
class Role < ActiveRecord::Base
has_and_belongs_to_many :users, :join_table => :users_roles
belongs_to :resource, :polymorphic => true
scopify
end
UserController I've already put! And where can I take params from the form?

I think you missed role_ids in permit
def user_params
params.require(:user).permit(:name, :email, :role_ids)
end

I want to search for users in my user model and search another database that contains values that the user owns, with Sunspot

I am trying to setup a site wide search that searches for users, as well as items belonging to users.
Basically each user has many "cereals", and I want to be able to keep the cereal hidden from the search results, and show the owner of the cereal in its place.
Right now I have sunspot functional, but on my index page in users, it lists all the users before a search is performed. If now search is performed I want the results to be empty.
I am still a noob to rails, and am trying to figure this out. Any help would be greatly appreciated. Here is my source.
App/models/user.rb
class User < ActiveRecord::Base
include Amistad::FriendModel
mount_uploader :avatar, AvatarUploader
has_many :cereals, dependent: :destroy
# Include default devise modules. Others available are:
# :token_authenticatable, :confirmable,
# :lockable, :timeoutable and :omniauthable
devise :database_authenticatable, :registerable,
:recoverable, :rememberable, :trackable, :validatable, :authentication_keys => [:login]
# Setup accessible (or protected) attributes for your model
attr_accessible :email, :password, :password_confirmation, :remember_me, :username, :login, :avatar, :avatar_cache, :remove_avatar, :firstname, :lastname, :phone, :urlname
# attr_accessible :title, :body
attr_accessor :login
def self.find_first_by_auth_conditions(warden_conditions)
conditions = warden_conditions.dup
if login = conditions.delete(:login)
where(conditions).where(["lower(username) = :value OR lower(email) = :value", { :value => login.downcase }]).first
else
where(conditions).first
end
end
def update_with_password(params={})
current_password = params.delete(:current_password)
if params[:password].blank?
params.delete(:password)
params.delete(:password_confirmation) if params[:password_confirmation].blank?
end
result = if params[:password].blank? || valid_password?(current_password)
update_attributes(params)
else
self.attributes = params
self.valid?
self.errors.add(:current_password, current_password.blank? ? :blank : :invalid)
false
end
clean_up_passwords
result
end
searchable do
text :firstname, :lastname, :username
end
end
app/controllers/users_controller.rb
class UsersController < ApplicationController
before_filter :authenticate_user!
def index
#search = User.search do
fulltext params[:search]
end
#users = #search.results
end
def show
if params[:id].nil? && current_user
#user = current_user
else
#user = User.find(params[:id])
end
#cereal = current_user.cereals.build if signed_in?
#cereals = #user.cereals.paginate(page: params[:page])
end
def first_time
if params[:id].nil? && current_user
#user = current_user
else
#user = User.find(params[:id])
end
end
def edit
if params[:id].nil? && current_user
#user = current_user
else
#user = User.find(params[:id])
end
end
def profile
#username = params[:id]
#friends = current_user.friends || []
#title = "User Profile for #{#username}"
#user = User.find_by_username(#username)
#users = User.all :conditions => ["id != ?", current_user.id]
end
end
views/users/index.html.haml
= form_tag #users_path, :method => :get do
%p
= text_field_tag :search, params[:search]
= submit_tag "Search", name: 'nil'
- #users.each do |user|
%p
= user.username

skipping email confirmation for omniauth users using devise

I have a bit of code here where users can login via their twitter account. the problem here is, how can i skip email confirmation for user the sign up from external services like twitter. i am using devise and i do not know how to skip the email confirmation for this type of users. my code sample is as follows
class AuthenticationsController < ApplicationController
# GET /authentications
# GET /authentications.json
def index
#authentications = current_user.authentications if current_user
end
# POST /authentications
# POST /authentications.json
def create
omniauth = request.env["omniauth.auth"]
authentication = Authentication.find_by_provider_and_uid(omniauth['provider'], omniauth['uid'])
if authentication
flash[:notice] = "Signed in successfully"
sign_in_and_redirect(:user, authentication.user)
elsif current_user
current_user.authentications.create!(:provider => omniauth['provider'], :uid => ['uid'])
flash[:notice] = "Authentication successful"
redirect_to authentication_url
else
user = User.new
user.apply_omniauth(omniauth)
if user.save
flash[:notice] = "Signed in successfully"
sign_in_and_redirect(:user, user)
else
session[:omniauth] = omniauth.except('extra')
redirect_to new_user_registration_url
end
end
rescue Exception => e
# Just spit out the error message and a backtrace.
render :text => "<html><body><pre>" + e.to_s + "</pre><hr /><pre>" + e.backtrace.join("\n") + "</pre></body></html>"
end
# DELETE /authentications/1
# DELETE /authentications/1.json
def destroy
#authentication = current_user.authentications.find(params[:id])
#authentication.destroy
respond_to do |format|
format.html { redirect_to authentications_url }
format.json { head :ok }
end
end
end
my registration controller is as follows
class RegistrationsController < Devise::RegistrationsController
def create
super
session[:omniauth] = nil unless #user.new_record?
end
private
def build_resource(*args)
super
if session[:omniauth]
#user.apply_omniauth(session[:omniauth])
#user.valid?
end
end
end
and my user model is below
class User < ActiveRecord::Base
# Include default devise modules. Others available are:
# :token_authenticatable, :encryptable, :lockable, :timeoutable and
devise :database_authenticatable, :registerable,
:recoverable, :rememberable, :trackable, :validatable, :confirmable
# Setup accessible (or protected) attributes for your model
attr_accessible :email, :password, :password_confirmation, :remember_me, :username, :about, :facebook_username, :twitter_username, :icon, :admin
validates_uniqueness_of :username
has_attached_file :icon, :styles => {:thumb => "64x64#"}, :default_url => 'icon_:style.png'
validates_attachment_content_type :icon, :content_type => ['image/jpeg', 'image/png', 'image/gif']
validates_attachment_size :icon, :less_than => 1.megabyte
ajaxful_rater
has_many :authentications
validates_presence_of :username
def apply_omniauth(omniauth)
self.email = omniauth['user_info']['email'] if email.blank?
self.name = omniauth['user_info']['name'] if name.blank?
self.image = omniauth['user_info']['image'] if image.blank?
authentications.build(:provider => omniauth['provider'], :uid => omniauth['uid'])
end
def password_required?
(authentications.empty? || !password.blank?) && super
end
end
my like to the auth url is below
<a href="/auth/twitter" class="auth_provider">
<%= image_tag "twitter_64.png", :size => "64x64", :alt => "Twitter" %>
</a>
my routh is like this
match 'auth/:provider/callback' => "authentications#create"

Whenever you want to skip confirmation for Devise period, just use the following before the user.save...
user.skip_confirmation!
So basically, in your create controller action, if it detects omniauth logic, then call that.

This could be achieved by setting the confirmed_at attribute, which Devise sets internally to mark an account as confirmed:
user.update(
confirmed_at: Time.now.utc,
confirmation_token: nil
)