使用devise_token_auth时如何通过Rails API验证用户是否拥有请求的资源

Question

I am building an API-only (for now) Rails app to serve as the back end for an Android app I'm building. I was previously using Firebase but wanted to do more processing on application data and I didn't want to bloat the mobile client with all the logic, so I am moving away from Firebase's real-time database and backing the application data using Rails. I was also using Firebase's authentication which is very straightforward. But it seems less complex for the overall system to keep all of this functionality in one place, so I'd like to perform auth and user management in the Rails app as well.

I have installed devise_token_auth (seen here ) and finished the basic configuration. The /auth route works correctly if params are provided and creates a user. sign_in and sign_out both successfully create sessions and return some header information. The important parts returned are client , access-token , and uid , which I need to use in future calls to the API. I believe these are invalidated and replaced with each subsequent call. At this part of the flow is where I'm not sure how to proceed. I don't understand how the data in these headers is associated with the user who signed in and how I can validate that they own a resource they request. To summarize the question another way:

How can I sign a user into the API and then validate which user is making subsequent API calls?

My Android app is a task manager, so I need to be able to validate for example that if user 1 requests task 3 , that they own that resource. I'm also unsure how to direct index calls using the API. That is, when the index endpoint is hit ( /tasks ), how can I identify from the data in the API headers which user's tasks I should retrieve.

I haven't been able to find any solid tutorials or samples using devise_token_auth so I'm having trouble stitching together the interaction between the pieces I have now. I know this is a meaty question - thanks in advance for any guidance.

Answer 1

How can I [...] validate which user is making subsequent API calls?

With the current_user method. This is a built-in feature to the devise_token_auth gem.

I need to be able to validate for example that if user 1 requests task 3, that they own that resource

There are many different approaches you could take. You could just write some custom logic in each controller action, using the current_user method (and return 403 forbidden if necessary).

Or, you could use a popular "framework" solution for this such as CanCanCan or Pundit . I, and probably most of the modern community, would recommend Pundit .

I highly advise you to read that library's README, as it's extremely helpful. But for the example above, you could write something like this:

class TasksController
  def show
    task = Task.find(params[:id])
    authorize(task) # !!!
    render task
  end
end

# app/policies/task_policy.rb
class TaskPolicy
  def show?
    record.user == user
  end
end

(Note that by default, the " user " in Pundit policies calls the method: current_user . This is all explained in the project's README.)

when the index endpoint is hit ( /tasks ), how can I identify from the data in the API headers which user's tasks I should retrieve

Again, this is all handled as part of Pundit 's standard features. You just need to define a TaskPolicy::Scope and call policy_scope(Task) in the controller - as explained here .