I'm going to develop a Ruby on Rails application (basically a back-office) which at the same time will serve data for an Android mobile app via the REST interface Rails provides.
My concerns here are the following: how should I manage and structure my ROR application so that REST calls from Android are authenticated with an API Key + user ID (I was also thinking in using OAuth) and, on the other side, users can interact with via back-office.
Should I use for example different controllers for the same resources (thus, increasing complexity) for BO accesses and Mobile client accesses (so I can implement different auth logic)?
Is there any standard/common way (aka gem) to manage and implement this behavior?
Thanks in advance!
Related
I have an existing RoR web application which currently uses Devise for authentication.
I am planning on adding API functionality in one manner or another for a mobile backend.
Would you recommend adding API functionality to the web application and using JWT, for example, to enable mobile authentication. Alternatively, would you have two separate applications, a web application and an API, sharing the same Postgres instance on Heroku?
I see pros and cons both ways, but it would seem to me that separating it into two applications would outweigh adding API functionality to the web app. Perhaps, it would make most sense to start over with just an API and add mobile app client and web application client functionality.
Creating a new API only backend might be easier at first, but you would have to copy all your app logic in the models over and keeping both sides up to date will be a pain. You can do it in the same rails app if you namespace the new API so that all calls are under a /api_v1 or something like that. Here is an article that show how you can have different versions of your API.
JWTs for authentication is a great way of doing it and Devise can support them by adding a gem like devise-jwt since adding a route and handling the creation and updating of tokens by yourself is a lot of work.
For the API itself you might want to consider using JSON:API with the jsonapi-rails gem or GraphQL with the graphql gem. This way when someone wants to use your API they can use an adapter for their framework that can talk to that kind of API and not have to worry about the structure of what it returns. There are adapters for both APIs that work with Andrioid, IOS, Ember, React, and all other major frontend frameworks.
I am building a Ruby on Rails (Rails - v4.2.3 & Ruby 2.2.2) App which consumes an existing REST API.
The aforementioned API is written in PHP.
I need help regarding how to manage the authentication?
On searching through various forums I came across these two gems
https://github.com/lynndylanhurley/devise_token_auth
https://github.com/gonzalo-bulnes/simple_token_authentication
The problem I am facing with both is that they require my app to have a users model configured (using Devise).
However My app is primarily a front end for the Existing REST API, so if I do configure my own User model, I will end up with two Data Stores (One for the APP I make and the other for the existing API).
I wish to consume the external API and not have any native models for my APP.
I believe I can use ActiveResource for this (I need more reputation points to post a link to the gem, sorry I cannot do that right now, I am new to StackOverflow):
However I am not sure how to go about managing the security of the application. More specifically what measures can I take to prevent the authentication information from being viewed in plaintext while it is being transmitted to my API server for authentication?
Thank You.
Use HTTPS on your API. If your external API is using HTTPS then user info wouldn't be sent in plaintext from your rails app.
Don't forget to use HTTPS for your rails app too, as that is more important.
I have one main Asp.net MVC application, I also have a help site and quite a few internal apps (that I need to build - reporting, stats, support tickets).
Question: Can OAuth be used in this way? i.e. a user can be authenticated to use all apps (if they have access to that app)?
Ideally all or most of the other apps will be implemented in Ruby or Node.js - so I am hoping I can achieve this with OAuth.
As long as all of your apps run under the same top level domain, it should not be strictly neccessary to use OAuth or similar to obtain a shared session. Instead you could rely on a plain session cookie. You could run some kind of middleware in between your app and the user.
Only if the main app is providing a REST API that you may want to use on various client apps, where some of them run in external environments / domains, making use of OAuth may be relevant.
I am reading the Service Oriented Design with Ruby book by Paul Dix and many posts here but am left with many questions surrounding authenticating users and the application.
I want to have api.site.com as a RESTful Rails app serving up JSON. Secure.site.com will be a web app (maybe Rails or maybe PHP) that will consume the service. Also a mobile app such as iPad will also consume it.
So is the first step to build in a level of auth so that only my web app and mobile app can consume the service? Then once the calling app has been authenticated, both these apps will have users who want to CRUD their data so then authenticate them as well?
I've read about Http basic, digest, tokens, oauth and many plugins but am having a difficult time narrowing down the most flexible and reusable way. For now this is simply learning so I would like to stay away from plugins so I can learn the code better.
Can my web app use normal sessions like I'm familiar with and then the mobile use their equivalent to sessions. At that point I still have no authenticated the calling app though. Http basic seemed like I could use it from both, but I didn't see a way for my web app to use a normal login form and logging out seemed like an issue.
I would suggest two solutions for you.
Use a Gem like devise for login system and inherit the devise registration and sessions controller to make it respond to JSON requests.
Create your own simple authentication and use respond to HTML and respond to JSON for separating web and mobile login
Iam not totally sure whether a mobile device maintains a session (please look around) but u can always use a token authentication system if it doesnt.
I think there is a wide consent that is a good practice to separate your REST API from your main website. The main reason is that you can scale your API and website independently of each other.
Additionally, Rails has a lot of middleware that is not required for stateless services (e.g. sessions, cookies, view rendering, etc...). Jeff Dean has a good write up on how to remove all of this middleware (http://pivotallabs.com/users/jdean/blog/articles/1419-building-a-fast-lightweight-rest-service-with-rails-3-).
At the moment, I am simply using the new Rails 3 responder (respond_with) in one single application, both for the website and the API. The website is used mainly for administration purposes.
How would you separate the API from the website?
I think an option would be to pack all models in a gem, then have two different applications, one lightweight REST service, and the administration website. They would be hosted on different Heroku instances, but access the same MongoHQ database.
You have 2 choice
extract your Model ans use it in all of your 2 application
made you API and your application on same application. But you deploy 2 server. One using only your application par and other with your API part. So if you need more API. add more on your API server.
You don't really need extract API. You just need separate it.