Rails validating post request - ruby-on-rails

Is there a gem or easy way to validate a API post request? For example I am always expecting a field to be either present or always a string and if it is not to ignore the request all together.
Or is the only way to do this is to manually check each request coming in with an IF statement?

Once you get the request check the params in the controller and if the params are the way you need them to be allow post -> create/update your db records if not return nil to the post request.

I think you should assign a Model to your "request". This way you could "validate" presence of any given fields

Related

How to indicate empty array in HTTP request query params?

This is the way Rails accepts arrays in query parameters:
PUT /resource.json?sport_ids[]=133&sport_ids[]=64&sport_ids[]=71 ...
I tried to google this question but didn't find any explicit docs on it:
How to tell Rails that we want sport_ids to become empty (pass empty array of sport_ids via query parameters) ?
HTTP requests can have only variables on the url itself. That's a limitation feature of HTTP, not Rails.
Take a look at How Does Rack Parse Query Params? With Parse_nested_query to figure out how rails collects the variables into an array, it won't run out of the box in case of an empty array.
You can avoiding sending the params["sport_ids"] and patch your controller with:
params["sport_ids"] ||= []
The best practice to use put/post requests, is passing such data in the request body (json/xml) like:
{
"sport_ids": []
}
Or with data as:
//...
{
"sport_ids": [133, 64, 71]
}
//...
For more info about HTTP request steps, check Running a HTTP request with rails.
While #mohameddiaa27's answer has good advice on how to achieve that by passing such data in the request body as JSON I found that I cannot rely on it within my application: I found that it is not easy to combine such passing of JSON into request body within multipart forms where I want to pass user record (with user[sport_ids] in it) and user's avatar image (user[avatar]) field.
So I continued to investigate how to achieve that using default "query parameters in a request body of POST/PUT request" approach and found the reason why I was not able to reset my sport_ids on server-side: it was the lack of permission for that specific sport_ids field. Now I have the following permits (pseudocode):
current_user.update!(user_params)
where user_params is
user_attributes_to_permit = [
...
:sport_ids, # this is what was needed for just `user[sport_ids]` to work.
{ :sport_ids => [] } # this is needed for sport_ids non-empty arrays to work
...
]
params.require(:user).permit(user_attributes_to_permit)
so now I am able to reset the sport_ids array of my user by passing just user[sport_ids] (without '=' and value! i.e. ...&user[sport_ids]&...) within my query parameters.

Get raw parameter data in Ruby on Rails

I have a ruby on rails api where I want to sign my request data by appending a hashed version of all passed in parameters to the request and rebuild this one at the server side as well to validate the integrity of the requests.
When I simply use the params method in the controller I have different parameters (e.g. for an update-method which is specified by this:
put 'login' => 'login#update'
I get as parameters on the server:
{"timestamp"=>"1399562324118", "secured"=>"xxx",
"login"=>{"timestamp"=>"1399562324118", "secured"=>"xxx"}}
although I only send the request from the client with
{"timestamp"=>"1399562324118", "secured"=>"xxx"}
Does any one have an idea how to get rid of this "login" parameter in the params list in a generic way? I do not want to exclude this for every single request of my api.
Thanks a lot!
Per the Rails Edge guide on ActionController:
"If you've turned on config.wrap_parameters in your initializer or calling wrap_parameters in your controller, you can safely omit the root element in the JSON parameter"
See http://guides.rubyonrails.org/action_controller_overview.html#json-parameters

Rails parameters from GET/POST

I'm fairly new to Rails and am writing a login form. I have used form_tag to pass through the user's submission to the account controller. Now, I don't want the user to be able to enter their login details through a GET request, so how can I check that a certain param is either a GET or POST parameter?
Thanks in advance
In Rails you don't have specific POST or GET parameters. You do have a POST or GET request. You can check it like this in your controller:
request.post?
or you can check for other HTTP verbs: GET, PUT and DELETE:
request.get?
request.put?
request.delete?
For more info, check this piece of the documentation: http://railsapi.com/doc/rails-v2.3.8/classes/ActionController/Request.html
If what you need is to know the HTTP verb you can ask directly to request:
request.request_method
You could of course POST to a url that included a query parameter, so the selected answer might not be what you're looking for. Try checking if the parameter exists in the request arrays:
if request.GET.include? "param_name"
# do something
end
There's also request.POST and there are aliases (query_parameters for GET and request_parameters for POST) for both in ActionDispatch::Request:
http://api.rubyonrails.org/classes/ActionDispatch/Request.html#method-i-GET

RoR: POST to a page using raw form data. How?

Is there a ruby method to POST form data encoded in "x-www-form-urlencoded" as specified here? http://www.w3.org/MarkUp/html-spec/html-spec_8.html
I am aware of Net::HTTP.post_form, but because I have several values to post which share the same name I can't use a hash, which is required by that method.
To clarify, I have a string of the form "value1=x&value1=y&value1=z&value2=a&value3=b" and I want to be able to POST it to another page. How can I do this?
I think internally the params object is a parsed version of the actual raw post body in the http request. All post data is posted the same way (as raw post data), but the params hash in ActionController has already parsed this into an easy-to-use hash. If you actually need the raw post data from a form, you can access it through the raw_post method of the request object itself.
The ActionController::Request.raw_post documentation here is for rails3, but has been available since at least 2.3.8 (the only 2.3.x version I checked). I think it most likely has been available longer than that.
In a controller, try self.request.raw_post to get the raw post data as a string.
Are you able to have a hash value which is an Array? I think that this is the way parameters with the same names are usually handled.

InvalidAuthenticityToken from rails for POST request from openlaszlo app

InvalidAuthenticityToken from rails for POST request
Hi All
I have a rails server running to which I make a POST request.
The dataset is defined as
Now per rails documentation in order to make a POST a request I need to set the add "authenticity_token" to the query string. So if for example the authenticity_token is "xxxxxxx", the final url should look like http://mywebsite.com/doSomething?aut..._token=xxxxxxx
I get the authenticity token from the server in the flashvars.
I have a user defined canvas attribute called auth_token which I use to store the authenticity token.
Below is the openlaszlo code I use to make the request.
var d = canvas.datasets.ds;
var content = get_my_content();
d.setQueryParam('lzpostbody',content);
d.setQueryString({authenticity_token : encodeURIcomponent(canvas.auth_token) });
d.doRequest
In this code the setQueryString call seem to clear out the query params. If I change the order of the setQueryString and setQueryParam calls the opposite happens.
The question is. Is there a way to set the query string without changeing/deleting the query params.
Thanks very much
Puneet
I don't know anything about OpenLaszlo, but my guess is that setQueryParam adds or modifies one param, whereas setQueryString overwrites the whole query string with the contents of the object.
Shouldn't you want to just add the authenticity token?
d.setQueryParam('lzpostbody', content);
d.setQueryParam('authenticity_token', encodeURIcomponent(canvas.auth_token));

Resources