Asserting the user is logged in from the front-end via AJAX - ruby-on-rails

My problem is as follows:
I have a rails (3.2.8) application that uses devise for authentication. Rails is just a RESTful api and the front-end is a backbone one-page app.
I manage to register and sign-in users, but how can the front-end get that information from the back-end with AJAX ? Basically I want to be able to tell from the front end that this user is logged in and has a session, or tell that the user has not logged in.
Currently I my controllers and models are completely rails-created, I have not touched them.
Googling around produced many tutorials that use the token_authenticatable module, but they had varying implementations and did not offer a explicit solution.

A simple way to do it is let rails handle your sessions. You do this by:
rails generate session_migration
rake db:migrate
Then, store a session value in rails for example:
session[:user_id] = user.id
(where user is an object of your User class)
And then you can constantly ping your rails backend via ajax to check whether the session[:user_id] variable is not null, if it isn't null then a session exists.

Related

What is the proper way to sign in as a user in an rspec request spec, without devise?

I have a Rails application which has some User authentication which is built without Devise (or any gem for that matter). It uses the typical session[:user_id] to track the current user.
My understanding of the current state of controller tests is that the Rspec team and Rails teams both recommend against using them. This is fine, but I'm not seeing how to actually sign in as a user from within a request spec. I've done it with Devise with no issue, but Devise uses Warden and such.
I've tried to access the session from within the test but the level of abstraction within request specs seems to prevent access to it.
How can I sign in a user from within a request spec?
You can change the session before the request:
#request.session['user_id'] = '1'
Or add anything else that you require on the session to validate your user.
Or you could create a helper method that actually performs the request needed to login, which is what #dhh recommends.

Rails Devise multiple concurrent sessions

I am developing a web application using rails and devise for the authentication. There are two types of users, one who are able to have multiple concurrent sessions (super) and the others who can only have a simultaneous session (normal). In order to implement this behaviour, I have added a new field on the User model to store the authentication_token (generated in the SessionsController#create). Also, I added a new filter to the ApplicationController which check if the stored token in the session is equal to the saved on the User model when it is a normal user. When it is not the same authentication token, we logout the normal user.
Now I am developing a new ionic mobile application which needs to login to the same rails application. However, in this case all user types can have multiple concurrent sessions. In order to do this, we would like to continue using devise (although we have also considered to use doorkeeper with password flow).
I am not sure about the best approach to get this. The main problem is to detect if we are accesing the API with the rails or ionic application. One approach is to add a parameter but I don't like to use a parameter in all requests. Another approach it is to use browser gem, but we can access the web from a browser in the mobile.
When we uses the rails application, we can use the same behaviour described above. Otherwise, I think it is not necessary to do anything because devise permits concurrent sessions by default.
Another posibility it is to use a new model to store the authentication token and its type (rails or ionic). If we are using the rails application, then we query the rails authentication token and override it (or create if it does not exist). On the opposite, we add the new authentication_token as a new instance related with the user model. With this behaviour we can manually control the expiration of the tokens and store more information (IP, browser...).
I am not sure about the best approach to achieve this behaviour. Thanks in advance.

Access the authenticated user with ember app, rails api, and ember-cli-simple-auth-devise addon

Following this tutorial
http://givan.se/p/00000000
I have setup authentication for an ember app with a grape api. The tutorial doesn't store the current session, because there seems to be no need, however, I would like to access the current authenticated user in my api so that I can more easily handle deeply nested relationships. What would be the best way to accomplish this?
Currently using rails 4, and the latest versions of the grape and devise gems.
<EDIT>
Say I have a JSON payload like this
{ person: { user_id: 3, updated_attribute: 'the' } }
with my current setup, should I also include the user's authenticate token with each request to prevent a situation where a logged in user sends a PUT request where they have altered the user_id to update the attributes of another user.
I'm trying to understand how/make sure my rails server knows which user is making/submitting requests to the API.
Checkout this example from the Ember Simple Auth repo - you simply define a custom session class that adds a computed property which returns the current user.

A common user model , controller ,authentication and ability for multiple Rails apps

I have developed two rails applications app1 and app2, they have their own user controller and model and own ability.rb file and own devise gem. I want all of them share a common user controller and user model and ability.rb file so that anyone irrespective of the application goes through the same authentication system.
In this context I have read the post Rails: Devise Authentication from an ActiveResource call and How to add authentication before filter to a rails 3 apps with devise for user sign up and sign in?. But I am sorry, I could not figure out how to modify their individual routes.rb file so that all the authentication requests redirected to it and I would like to know if I have to make another application for only management of user for that purpose.
You might use omniauth gem to provide one application to manage its users through the second one (like a Facebook connect, for example). This app's sign in action would just be a redirect to the second one's sign in page.
In this case, however, you would have 2 different user tables, which might need synchronization, but for just a simple authentication that could work.

session management in rails without User model

I have an rails app which relies on authenticating username/password entered to an external webservice. Rails app will not have a user model. When a user enters login/password and it makes a post request to check that login/password. External application will return back a cookie or token which can be used for subsequent requests made from rails app.
There is no User model in the rails app since all the users are stored in an external application.
Is there a gem which let me strictly do session management? I'm planning on storing that token in a session.
why not just create a sessions controller that saves the token into a session? I don't see a need for a gem.
something like
sessions[:token] = token
If you are dealing with a tokens that expire like facebook you can take a look at this
http://developers.facebook.com/blog/post/2011/05/13/how-to--handle-expired-access-tokens/
hope it helps
I might look at the way Michael Hartl does user sessions in his Rails tutorial. What you want is something slightly different, but you might be able to reuse some of what he did there. http://ruby.railstutorial.org/chapters/sign-in-sign-out#sec-current_user
(It's also just a good tutorial to go through, regardless of your level of Rails experience.)

Resources