[英]Is possible to secure a Rails API using session cookie
I have an issue. 我有一个问题。 I have two Rails website, site A and site B. Site A is a news website that has device as auth system and use Disqus with Single Sign On to comment contents. 我有两个Rails网站,站点A和站点B。站点A是一个新闻网站,具有设备作为身份验证系统,并使用带有单点登录的Disqus评论内容。
Site B is another news website that doesn't have any user auth system and use Disqus to comment contents but without single sign on. 站点B是另一个新闻网站,没有任何用户身份验证系统,并且使用Disqus对其内容进行注释,但未进行单点登录。
I want to permit to users of the site A to SSO on Disqus on site B. Disqus SSO use this script 我想允许站点A的用户访问站点B上的Disqus上的SSO。Disqus SSO使用此脚本
def get_disqus_sso(user)
# create a JSON packet of our data attributes
data = {
'id' => user['id'],
'username' => user['username'],
'email' => user['email']
#'avatar' => user['avatar'],
#'url' => user['url']
}.to_json
# encode the data to base64
message = Base64.encode64(data).gsub("\n", "")
# generate a timestamp for signing the message
timestamp = Time.now.to_i
# generate our hmac signature
sig = OpenSSL::HMAC.hexdigest('sha1', DISQUS_SECRET_KEY, '%s %s' % [message, timestamp])
# return a script tag to insert the sso message
return "<script type=\"text/javascript\">
var disqus_config = function() {
this.page.remote_auth_s3 = \"#{message} #{sig} #{timestamp}\";
this.page.api_key = \"#{DISQUS_PUBLIC_KEY}\";
}
</script>"
end
Of course on site BI don't have any user, buy I think to create a private API on site A that return to a logged user "#{message} #{sig} #{timestamp}\\"
当然,网站BI上没有任何用户,请购买我想在网站A上创建一个私有API,该API返回登录用户"#{message} #{sig} #{timestamp}\\"
Is possible to create an API that return something using as auth method the session cookie created by Devise after a successful auth? 成功通过身份验证后,是否可以使用Devise创建的会话cookie作为auth方法来创建返回某些内容的API?
I think that's possible with using jwt. 我认为使用jwt是可能的。 the flow goes as follows. 流程如下。 (tested only with subdomains) (仅在子域中进行了测试)
user uses siteA(stores generated jwt token in a cookie) --> siteB uses the jwt token in cookie --> sends token to siteA for user data --> gets user data.
jwt authentication example jwt认证示例
note : only works for subdomains and don't forget to sign the cookie to prevent tampering. 注意 :仅适用于子域,并且不要忘记对cookie进行签名以防止篡改。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.