Ruby on rails action filters - ruby-on-rails

In my application I have at this point a authentication function through oauth, but before of that I would like to have a login page, so I want to use Devise to create that. The problem that I am facing is that bought Device and my authentication method require a before_filter, and both methods redirect to a page, and because of that I get an error saying that I have to redirects. How can I fix this problem?
Thank you

I don't know explicitly what you are doing and what are your actual requirements but as far as I know you don not need before filter. you need to provide both options for login, authentication with devise and Omniauth.
I am referring you to some links consult it.
Mandatory:
http://www.samionrails.blogspot.com/2013/08/google-omni-auth-with-devise-tutorial.html
Optional:
https://github.com/intridea/omniauth/wiki/Managing-Multiple-Providers
http://www.samionrails.blogspot.com/2013/08/authenticate-user-using-omniauth.html

Related

Change Omniauth authorization URL

I'm using Omniauth with Devise using the google_oauth2 strategy.
It works well, but now I'd like to change the authorize path with something of my choice.
Actually it's http://localhost:3000/users/auth/google_oauth2 while I'd like a much simpler http://localhost:3000/login since it's simple to remember.
It would not raise any error since I've disabled the Devise database authenticable (the only way to login is through a google account).
How can I do?
Thanks.
You can see how to change url prefix here How to change route of omniauth from /auth/:provider to /myapp/auth/:provider
So it is almost what you need.

Password protecting pages simply with rails - what should I do?

I'm now on level 7 of Hartl's rails tutorial book and I'm starting to think about my application in deployment. It's an app that allows about 12 social workers to communicate collaboratively and privately. Thus, I need to password protect it.
However, it also needs to be easy to use, very easy to use. A few of these people haven't used a computer before, and having logging on and sign-up processes would put them off completely.
Thus I want to create a landing page, where they have to type a password in (the same password for everybody), then it redirects to the 'discussion pages.' My first idea was to use some obfuscated javascript such that upon typing in the password, it redirects them to the discussion pages, but this doesn't sound very secure.
Can anyone recommend me a better way to do this in rails? Ideally they would only have to type it in once, and then it would authenticate them for all the pages automatically (by setting a cookie?) and anyone trying to access a page directly would be redirected to the authentication page.
Cheers in advance
A very simple authentication option is available to you in this situation. I would suggest you watch the Ruby on Railscast episode 270. I think it just maybe what you are looking for.
If you want really simple, you can use authenticate_or_request_with_http_basic
It's not a replacement for a real authentication system, e.g. Devise or AuthLogic however.
I started to use the lockup gem for this purpose:
https://github.com/gblakeman/lockup
It is super easy to setup and almost every user accessing the site should be able to use it.

Devise with user logged in using multiple scopes logs all but one out when using token_authenticateable

I'm using Devise with multiple scopes (in this case, a user scope and an admin scope) and admins are able to 'become' a user using the approach on the Devise wiki. This works well, except that I have one particular page that requires the use of an auth token that causes a problem with a session logged in under both a user and admin scope. The page generates a POST to a controller that requires a user to be logged in using the user auth token. The POST succeeds, but afterwards, the admin scope has been signed out. (Meaning that admin_signed_in? returns false.) Other pages that execute POSTs to the same controller without requiring the auth token work as expected without logging out the admin scope.
I suspect that something is going on with token_authenticatable where the authentication of any scopes other than the one associated with that specific token are logged out. I've searched for references in the devise gem source to both the devise sign_out and warden logout methods that could be invoked as part of the token_authenticatable functionality and wasn't able to find anything.
This is happening with Devise 1.3.4. Any help is appreciated.
In case anyone else is looking for a solution to this, I found that the before_filter/after_filter approach I described in the comment to my question seems to work fine. I think that a better, more general solution to this would be to make a change to the devise gem and underlying calls to warden, but didn't have time to make those changes for this particular problem yet.

rails authentication for an API

I'm currently working on an application that in addition to the usual visual web application goop also will expose a few RESTful API services for use by outside applications. I am using Devise to manage user authentication but I'm struggling with how to "manually" authenticate a user given certain input.
The case I have is that I want a user of the API to log in w/o actually going to the visual log in screen etc. I want them to submit a username and password and then authenticate and sign them in in my API services.
I know that you can sign a user in using the sign_in method that Devise provides, but that seems to ignore authentication entirely. here's what I wanted to do explained in a bit more detail:
Assume a GET route called connect in the user controller. the controller is replacing entirely the Devise registrations controller, but not the session one. The URL to my service would be:
<server>/users/connect
and it would expect 'email', 'password' parameters in addition to some service specific and unimportant to my question goop.
What I want to know is how to implement something that is equivalent to the following pseudocode:
def connect
user = User.find_by_email(params[:email])
password = params[:password]
# here is the part I'm pseudo coding out
if user.is_valid_password(password)
...do my stuff...
end
render :json ...etc...
end
I have been unable to find a method in the Devise source to do this--it's so generalized in so many ways that I'm likely just missing it.
Anyone have any ideas? I'm hoping not to a) have to implement my own thing and b) not have to move away from Devise. It provides me with so much for the non-API services...
thanks!
I've left out th
Devise's token_authenticatable is the way to go for this. We've successfully used it many times to do api-based logins.
In config/initializers/devise.rb
config.token_authentication_key = :nameofyourapikeyhere
In user.rb:
devise … token_authenticatable, ...
In the above, you can name the api key anything and then have your route as /users/connect?apikey=whatever (using apikey as an example). In the database, it'll be authentication_token, but it'll work fine.
To clarify, if the user has an authentication_token and it's sent in the params (or it's alias- in the above example: apikey), they'll login.

Devise and swfupload authorization

i'm trying to verify in my controller whether user has sufficient rights to upload files or not. swfupload does a POST request with (according to documentation) cookie values passed directly in POST request. this makes before_filter :authenticate_user! unusable, user is not authorized correctly.
as far as I know from devise docs, there is a possibility of creating custom session controllers. is it a good starting point to solve this problem? any idea how to extract session id from POST and proceed with authorization?
I had a similiar issue with swfupload. I used midleware and some custom helper links to make it work. More info here: http://thewebfellas.com/blog/2008/12/22/flash-uploaders-rails-cookie-based-sessions-and-csrf-rack-middleware-to-the-rescue

Resources