I have a Flex front end and a Rails 3 back-end that I would like to establish a session to. Before you can access the page embedded with the flex front-end, you are prompted with a html login page through Devise.
I am able to login fine through the html page but cannot get access to the session with Flex using amf requests.
I have the rails session token in flex but cannot pass them into rails correctly. I am attempting to pass the sessiontokin in through a "send" service call like
somethingService.new.send(session_id: '###', _csrf_token: '###' )
and rails is receiving the session param in a hash as like
{0=>{"session_id"=>'###')}}
instead of like
{"session_id"=>'###')}.
Any suggestions on how to fix this issue or to utilize a session with Flex/RubyAmf/Rails are welcomed.
Thx.
It's been a while since I've done anything with integrating flex & rails, but I have a vague memory that the params come through as {0 => params} if not explicitly mapped in the configuration. The rails3-amf readme on github uses this example:
config.rails3amf.map_params :controller => 'UserController', :action => 'getUser', :params => [:session_id]
If your not already, perhaps explicitly defining the session_id in the :params would make the difference?
Related
I'm trying to retrieve a user's Google account information when a form is submitted. In order to do so, I have to make a GET request to an url. Here's what it says in the YouTube API documentation
To request the currently logged-in user's profile, send a GET request
to the following URL. Note: For this request, you must provide an
authentication token, which enables YouTube to identify the user.
https://gdata.youtube.com/feeds/api/users/default
https://developers.google.com/youtube/2.0/developers_guide_protocol_profiles?hl=en
How do I make it so a custom (or specificall this) GET request happens when the form is submitted, and how do I provide the authentication token? Information that might help: When the form is submitted, it will go to the VideoController's new method.
Also after making the request, how do I access the information? I need to see whether <yt:relationship> is present or not in the given information.
Thanks!
I find HTTParty gem as very useful for working with external APIs in rails.
You can make requests as
response = HTTParty.post("http://www.example.com", :timeout => 5, :body => "my body content", :query => { hash_of_params_here } ,:headers => {'Content-Type' => 'application/json', 'AuthKey' => "your_key_here"})
response object will have 'statuscode', 'headers', 'body' etc (whatever youtube send back in your case). You can access its content using
response.parsed_response
same for get requests too
Please do read more about it for better understanding before getting started.
Sources : Documentation & Tutorial
Yuo can use excon gem to make specific CRUD or only get requests to external resources, for example, it should be something like this:
Excon.post('http://youtube.com', :body => 'token=sjdlsdjasdljsdlasjda')
PS: But seem you not requied the direct gems, tru useing google-api gem, as it described here in the documentation.
I've separated my front-end from my back-end, so that they communicate via JSON calls (generated by rails back-end).
i.e, my app calls get_info.json which runs a controller that returns ajax information to the front end.
How do I prevent a random user from directly running the get_info.json script, and thus directly accessing the JSON information?
You need to implement authentication for the json api.
It can be as simple as passing an api_key param to every request.
Or you can restrict the access to the route to a specific IP.
get "/posts" => "posts#show", :constraints => {:ip => '127.0.0.1'}
If front-end and back-end are in the same RoR application, then you can use CSRF token.
just pass a param to json call like get_info.json?token=<%= form_authenticity_token.html_safe %>, then in your back-end controller check if if params[:token] == form_authenticity_token.
hope this helps you.
I'm developing a facebook app so I can't rely on cookies due to P3P (Privacy Preferences Project) and yep, it's a damn pain (see slides 18 and 19 on this slideshare about Rails and Facebook apps for a picture of it)...
In a facebook app every cookie, from browsers perspective, is a third-party cookie. And many browsers block them by default.
So my question is: How can I implement flash messages without rely on cookies?
UPDATE:
I modified session_store.rb and the DB accordingly. Now the sessions are stored on DB but the flash messages are still relying on cookies... Any idea please?
UPDATE#2:
I finally found a workaround, see my answer below. Best thing to do would be to ajax everything (according to the above-linked slideshare) but as a quick fix my solution should work.
I finally found a workaround implementing my own (simple) flash messages and passing them through the params from one request to another.
First of all, I overwritten default_url_options in application_controller.rb to append to every request a :my_flash param:
def default_url_options
{ :my_flash => #my_flash }
end
Then, always in application_controller.rb, I wrote a my_flash_from_params before_filter to set the #my_flash variable:
def my_flash_from_params
#my_flash = params[:fb_flash]
end
Finally I rendered the following _my_flash.html.erb partial in application.html.erb
<div class="my_flash">
<%= my_flash %>
</div>
Calling:
<%= render :partial => "layouts/my_flash", :locals => {:my_flash => #my_flash} if #my_flash %>
If you want to try this solution see also this answer about default_url_options rewriting.
Flash messages are built on top of the session. So you could still rely on the flash if you change the session store to use the database. This can be easily done by editing config/initializers/session_store.rb and following the instructions on that file.
Here's more information on the topic: Action Controller Overview -> Session
I'm new to web development in general and ruby on rails in specific. I'm working on developing a web interface where i'm using a 'Get' and 'Post' requests on the same method. When i use a get method and send parameters (like username and password), they are being visible in the url. Hence, below is what i did.
form1.html.erb
<%= form_for :modify, :method => "post", :url => {:action => "method2"} do |f|%>
#code here to input username and password
<%=end%>
in my routes.rb i wrote the following routes to the method2:
post 'controller/method2'
get 'controller/method2'
When i enter username and password and click on submit, it is finding the post 'method2' and executing the code in the controller, and displaying method2.html.erb as there is a get request for the same method and also there is a view for method2.
However, i suspect this is not the right way to do it. I do not want the password to be visible. I came to know that i have two options, store the password in a session or send a post request. I do not want to store in session as it is not safe. When i write a post method the page expires when the user tries to come back. To prevent either of these happening, i used the same action in controller as post and get and now i do not see any parameters visible in the url.
Please let me know if this is not the right way to do
If you want a solid method for manipulating user & password, I recommend you go through the Ruby on Rails tutorial, it's an excellent tutorial and it will learn you the basics to start with Rails programming, including a safe username/password use.
Alternatively, you can use Devise, which is a very popular gem for this purpose.
I would not try to implement a secure user/password system without really knowing what you are doing...
In your controller you should have this :
render 'controller/method2'
And you should have a file in this path :
app/views/controller/method2.html.erb
You don't need to have two routes.
In my Rails FB app, when running in the canvas, if I go to "/users", instead of GETting the index page, it POSTs and creates a new user.
That only happens when I try to access the URL directly. When I use the "List of users" link on the app, it works as expected.
Why is that?
that's just how FB does it. They post data with each query as well.
Facebook sends everything as POST which brakes RESTful routes. There is a way to fix it though. If incoming POST request contains signed_request parameter you can assume it was converted from GET to POST by Facebook.
Rack::Facebook::MethodFix middleware fixes the problem automagically. You can use it with something like:
# Basic usage
use Rack::Facebook::MethodFix
# Also validate signed_request
use Rack::Facebook::MethodFix, :secret_id => "c561df165eacdd6e32672c9eaee10318"
# Do not apply request method fix to admin urls.
use Rack::Facebook::MethodFix, :exclude => proc { |env| env["PATH_INFO"].match(/^\/admin/) }
or if you are using Rails then
config.middleware.use Rack::Facebook::MethodFix