Rails + Devise + API + User Registration - ruby-on-rails

I am new to ruby and rails and so far I managed to setup user management using devise. Right now I am trying to integrate support for mobile Android and iOS apps. So far it is possible for them to login and logout and get an authentication token. But in addition to that I would also like them to be able to register.
Now, as I understand it I have to do a post to
http://localhost:3000/users/sign_up
How does this post look like? And how do I get a JSON response? I found this on stackoverflow.
"utf8=✓&authenticity_token=n5vXMnlzrXefnKQEV4SmVM8cFdHDCUxMYWEBMHp9fDw%3D&user[email]=asd%40fasd.org&user[password]=321&user[password_confirmation]=1233&commit=Sign+up"
Unfortunately this does not work - I am getting the message "Bad request". I also do have a couple of questions about this example. What is the authenticity_token for? How do I get one? This is not the devise token authentication I guess as the user is not even in a position to have one at this point.
Also, after a successful login I would like to bundle the "registration successful" message with a generated devise authentication token. So I guess I have to somehow extend devise`s existing registration controller.
Thank you very much in advance!

Devise already has all this setup. Based on your signup path, I infer that you mounted Devise onto http://localhost:3000/users. Devise includes all the controllers and views that are required, including the log in form, the sign up form, the email confirmation form and the password reset forms.
GET http://localhost:3000/users/sign_up is actually a form for users to signup at. The form on that page will POST to http://localhost:3000/users/, which goes to Devise's registration controller's create action.
Assuming there is no action/view already at /users/sign_up, the sign up form should be there, go check if it is there (assuming you set up devise_for correctly in your routes.rb file).

Related

Rails 4 Login/Sign up using devise during form submission authenticity token error

I have a Project model. There's one-to-many association with the Project model and the Devise User model. I want the users to perform ajax login using Devise before submitting the Projects form data.
The Ajax login works fine. But, after the login when I try and submit the Projects form I get an authenticity token error. I understand that this is due to the change of session token change. But I wonder if there's any way to maintain this kind of user flow?
I think I fixed it with some simple jQuery code. I basically needed to replace the existing authenticity token on the parent form with the new one after sign in. Previously had enabled the Devise session method to respond to js format and had the file /devise/sessions/create.js.erb.
On the same file I had to append the following jQuery code to replace the existing authenticity token on the form with the new one generated after logging in.
$("input[name='authenticity_token'").val("<%= form_authenticity_token %>");

Devise with user logged in using multiple scopes logs all but one out when using token_authenticateable

I'm using Devise with multiple scopes (in this case, a user scope and an admin scope) and admins are able to 'become' a user using the approach on the Devise wiki. This works well, except that I have one particular page that requires the use of an auth token that causes a problem with a session logged in under both a user and admin scope. The page generates a POST to a controller that requires a user to be logged in using the user auth token. The POST succeeds, but afterwards, the admin scope has been signed out. (Meaning that admin_signed_in? returns false.) Other pages that execute POSTs to the same controller without requiring the auth token work as expected without logging out the admin scope.
I suspect that something is going on with token_authenticatable where the authentication of any scopes other than the one associated with that specific token are logged out. I've searched for references in the devise gem source to both the devise sign_out and warden logout methods that could be invoked as part of the token_authenticatable functionality and wasn't able to find anything.
This is happening with Devise 1.3.4. Any help is appreciated.
In case anyone else is looking for a solution to this, I found that the before_filter/after_filter approach I described in the comment to my question seems to work fine. I think that a better, more general solution to this would be to make a change to the devise gem and underlying calls to warden, but didn't have time to make those changes for this particular problem yet.

rails authentication for an API

I'm currently working on an application that in addition to the usual visual web application goop also will expose a few RESTful API services for use by outside applications. I am using Devise to manage user authentication but I'm struggling with how to "manually" authenticate a user given certain input.
The case I have is that I want a user of the API to log in w/o actually going to the visual log in screen etc. I want them to submit a username and password and then authenticate and sign them in in my API services.
I know that you can sign a user in using the sign_in method that Devise provides, but that seems to ignore authentication entirely. here's what I wanted to do explained in a bit more detail:
Assume a GET route called connect in the user controller. the controller is replacing entirely the Devise registrations controller, but not the session one. The URL to my service would be:
<server>/users/connect
and it would expect 'email', 'password' parameters in addition to some service specific and unimportant to my question goop.
What I want to know is how to implement something that is equivalent to the following pseudocode:
def connect
user = User.find_by_email(params[:email])
password = params[:password]
# here is the part I'm pseudo coding out
if user.is_valid_password(password)
...do my stuff...
end
render :json ...etc...
end
I have been unable to find a method in the Devise source to do this--it's so generalized in so many ways that I'm likely just missing it.
Anyone have any ideas? I'm hoping not to a) have to implement my own thing and b) not have to move away from Devise. It provides me with so much for the non-API services...
thanks!
I've left out th
Devise's token_authenticatable is the way to go for this. We've successfully used it many times to do api-based logins.
In config/initializers/devise.rb
config.token_authentication_key = :nameofyourapikeyhere
In user.rb:
devise … token_authenticatable, ...
In the above, you can name the api key anything and then have your route as /users/connect?apikey=whatever (using apikey as an example). In the database, it'll be authentication_token, but it'll work fine.
To clarify, if the user has an authentication_token and it's sent in the params (or it's alias- in the above example: apikey), they'll login.

How to make Rails devise post to the return_to path, not redirect to it?

I'm using devise on rails 2.3 and need to have a form that is available both public and private - for logged in users and those who are not logged in. Both users should see it, but only logged in users can post the form.
I would like to achieve that when an anonymous user has filled it and posts the form, then devise shows him the login page, he logs in and the contents of the form are posted.
Right now when I make the create action (to which the form posts itself) private, then devise would show him the login screen and remember where he came from - save the url to
session[:return_to] and it redirects him back to the form.
Is there some other way than monkeypatching devise to do that?
I believe that Devise you will not be able to get Devise to post to a location on a successful login without some hacking of Devise.
However, since you are saving the url in the session, you could easily also save the post data in the session as well, then just check for it when you are redirected back. Also make sure that you delete it from the session once it has been used.

I created a signin action, and haven't implement so I just want to redirect to login action

I have an action named 'login' that shows the login form.
The form posts to the 'signin' action.
I haven't implemented the authentication logic yet, so I tried this:
def signin
redirect_to login
end
So when the login form posts, it just redirects back to the login page again.
Cannot redirect to nil!
but its not working, why?
You almost had it
redirect_to login_url
Good for you for trying to build your own authentication system. But if you do eventually plan on going to production, please consider using an established authentication system (such as Devise) unless you REALLY know what you're doing, and know all the security issues like the back of your hand. Get started here http://guides.rubyonrails.org/security.html
Why build the auth from scratch when openid, or basic auth, plugins have already been built? That's just where I would go with it.

Resources