
Mobile API Authentication with Rails

I'm building a mobile API server for an app. My server needs to support users and authentication. For the last 2 days I've been searching for a good gem / best practices for doing such a task and I've failed to find one.

I've seen tweaks around Devise or self-implementation of authentication tokens, but have yet to discover a full solution for such a trivial task.

http://lucatironi.github.io/tutorial/2012/10/15/ruby_rails_android_app_authentication_devise_tutorial_part_one/

https://github.com/plataformatec/devise/issues/2739

Check out the Arcadex gem https://github.com/cleor41/ArcadeX .

It's a Rails engine that creates a token model. You put the gem's function inside your application controller and it grabs the token from the request headers or parameters and returns the user associated with the token, or nil. Nil means the user could not be found / the token is nonexistent. The only setup is to create a token when a user is created; you want to return this token after registering or signing up and destroy it after signing out. An example use case can be found on that GitHub. All of the functions you need for this are completed. The GitHub will tell you where to place them.

I hope it helps out!

As far as I know there is no such thing as an out-of-the-box solution for a given problem. On a few projects that I was working on we always used our own authentication implementation. Usually it's a kind of "2 tier token auth".

The idea is to have 1 token to authorize the app; with that token the app gets certain privileges, and it's allowed to do a selection of the public calls. If the user decides to log in through the app, the app exchanges user credentials with the API, and as a result the API returns a second token to the app. This second token is a user-specific token and is assigned to a certain role, so that the API knows what kind of actions the user with that token is allowed to do, and for which user or groups of users that particular token can make changes.

Have you considered Grape? It's an API microframework which sits quite nicely alongside your Rails app in a Rack-based environment, or can be hosted inside the Rails app itself. And it supports HTTP Basic and Digest Authentication out of the box.

If you are not too far into developing the API, it may be worth looking into.

As a disclaimer, I have not personally used Grape, but maintaining an API myself now, I wish I had (I discovered it after I was well on my way to developing the API in question).

For the API you can use individual hashes which can be generated and regenerated by your user cabinet form. With these hashes, which are stored on the user's device, the user application can be authorised through each HTTP GET request with params containing the pair {api_key: this_hash}.

Look at http://guides.spreecommerce.com/api/summary.html - this will be a nice worked example for you.
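As an added illustration (not code from any answer above, and not from Arcadex, Spree or Grape), here is a plain-Ruby, in-memory model of the "2 tier token auth" design from the earlier answer, combined with the api_key lookup pattern from this one. The `TokenAuth` class, its action names and the sample users are all constructed for the example; tokens are stored only as digests, passwords are checked with PBKDF2 and a constant-time compare, and a user token cannot be used in place of the app token in the login exchange.

```ruby
require 'securerandom'
require 'digest'
require 'openssl'
# Constructed in-memory model of the "2 tier token auth" described above: an app
# token only unlocks public calls; exchanging user credentials through a valid app
# token yields a second, role-scoped user token. Only SHA-256 digests of tokens are
# stored, so a leaked token table cannot be replayed against the API.
class TokenAuth
  PUBLIC_ACTIONS = %i[list_products show_product].freeze
  ROLE_ACTIONS = { user:  PUBLIC_ACTIONS + %i[create_order],
                   admin: PUBLIC_ACTIONS + %i[create_order delete_product] }.freeze
  def initialize
    @tokens = {} # SHA-256(token) => { tier:, role:, user_id: }
    @users  = {} # username       => { id:, role:, salt:, pw_digest: }
  end
  # Sample registration (PBKDF2-SHA256 here; a Rails app would normally use bcrypt).
  def register(username, password, role: :user)
    salt = SecureRandom.random_bytes(16)
    @users[username] = { id: @users.size + 1, role: role, salt: salt,
                         pw_digest: pbkdf2(password, salt) }
  end
  # Tier 1 (app) or tier 2 (user) token; the raw value is returned once, never stored.
  def issue(tier:, role: nil, user_id: nil)
    raw = SecureRandom.urlsafe_base64(32)
    @tokens[Digest::SHA256.hexdigest(raw)] = { tier: tier, role: role, user_id: user_id }
    raw
  end
  # The login exchange: app token + credentials in, user token out (nil on any failure).
  def exchange_credentials(app_token, username, password)
    app = find(app_token)
    return nil unless app && app[:tier] == :app
    u = @users[username]
    return nil unless u && secure_compare(u[:pw_digest], pbkdf2(password, u[:salt]))
    issue(tier: :user, role: u[:role], user_id: u[:id])
  end
  # Same job as an api_key header/param lookup: token in, token record or nil out.
  def find(raw)
    raw.nil? || raw.empty? ? nil : @tokens[Digest::SHA256.hexdigest(raw)]
  end
  # Authorization check: app tokens get public calls, user tokens get their role's calls.
  def allowed?(raw, action)
    rec = find(raw) or return false
    (rec[:tier] == :app ? PUBLIC_ACTIONS : ROLE_ACTIONS.fetch(rec[:role], [])).include?(action)
  end
  private
  def pbkdf2(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, 100_000, 32, 'sha256')
  end
  def secure_compare(a, b) # constant-time comparison so password checks do not leak timing
    a.bytesize == b.bytesize && a.bytes.zip(b.bytes).reduce(0) { |s, (x, y)| s | (x ^ y) }.zero?
  end
end
```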

I did the same as you, looked around and didn't find anything satisfactory. I was using Devise prior to needing API authentication, but had found it less than friction-free. In the end moving away from Devise was a very good move, as I now have control over user and credential policy, plus I can nicely solve API authentication and authorization. The part I did keep was the Warden Rack middleware that Devise uses.

I have provided a comprehensive answer on setting up token authentication here: https://stackoverflow.com/a/21409810/2238268

Be aware that any gem you use will always face the issue of integrating at the model, controller and view layers, and will force some paradigm that often just doesn't align with the way you need to manage users or credentials.
