
What is the correct way to use Devise gem authentication with Mobile (Rails)

I am using Devise gem for web authentication in my Application.

Now I am about to write a mobile app for my Application which includes Sign in / Sign up process.

What is the correct way I should use to sign in a user and authenticate each call made by the user from the mobile app?

Which of the strategies below is correct? (I am not sure which method to follow to be more secure)

Note: You can view the above image in http://i.stack.imgur.com/I13uT.png (will be more clear)

FYI: I am using Titanium to develop the mobile app and my backend server runs a Rails app

Model #1 isn't secure, you aren't passing any sort of authentication on subsequent requests to validate that the user is still who they say they are.

What I'm presuming you really want to know is, what's the best way to verify the user is who they say they are, after logging in. I've answered this previously, in Exposing Rails/Devise Authentication to iOS application, and the same answer applies here.

Using token authentication in Devise will match model #2, and is also the most secure since you exchange the username/password for a token rather than having to store their username and password and reuse it with every request.

I'm not sure how #1 is secure at all since none of the subsequent requests are signed in any way. If someone knew the file structure of your app they could just access it that way, right?

With Devise, you can set an attribute on your User model to allow users to be authenticated via token:

class User < ActiveRecord::Base
  devise :token_authenticatable
  # there are other details and options on this, but this is the relevant piece
end

On each controller you can also verify that the user is authenticated by including before_filter :authenticate_user! at the beginning:

class PostsController < ActionController::Base
  # runs before every action; requests without a valid session or token are rejected
  before_filter :authenticate_user!
end

When making requests from the mobile app, include the auth_token in the request so that the Rails app can authenticate before responding.

Beyond authentication, you may also be interested in something like CanCan to handle authorization as well.
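The token exchange the answer above describes (model #2: credentials sent once, a token on every later request) is shown below as an added example in plain Ruby. It is not Devise's code and not code from either answer; it uses no Rails so it runs stand-alone. One caveat worth knowing: Devise removed its built-in :token_authenticatable module in version 3.1 because tokens were stored in clear text and compared with a plain string comparison, so on a current Devise you implement this piece yourself. The example therefore does what Devise now recommends: store only a digest of the token, give it an expiry, and compare secrets in constant time. The TokenStore class, its method names, the Bearer header format and the sample user are all constructed for this example.

```ruby
require 'securerandom'
require 'digest'
require 'openssl'

# Constructed example: an in-memory credential and token store modelling
# "model #2" from the question. The mobile app sends username/password once
# (sign_in) and receives a random token; every later API call carries only the
# token (authenticate). The server never keeps the password, and keeps only a
# SHA-256 digest of each token, so a leaked database yields nothing reusable.
class TokenStore
  TOKEN_TTL = 60 * 60 * 24 # token lifetime in seconds (assumed: one day)

  def initialize
    @users  = {} # login => { salt:, digest: }  (password digest, never the password)
    @tokens = {} # sha256(token) => { login:, expires_at: }
  end

  # Store a salted PBKDF2 digest of the password (bcrypt/argon2 in real apps).
  def register(login, password)
    salt = SecureRandom.hex(16)
    @users[login] = { salt: salt, digest: pbkdf2(password, salt) }
    true
  end

  # Step 1: exchange credentials for a fresh random token. Returns the token
  # string, or nil on bad credentials (same answer for unknown user and wrong
  # password, so the response does not reveal which logins exist).
  def sign_in(login, password, now: Time.now)
    user = @users[login]
    return nil unless user
    return nil unless secure_equal?(pbkdf2(password, user[:salt]), user[:digest])
    token = SecureRandom.urlsafe_base64(32) # 256 bits of randomness
    @tokens[digest(token)] = { login: login, expires_at: now + TOKEN_TTL }
    token
  end

  # Step 2: every API call presents the token. Returns the login it belongs
  # to, or nil if the token is missing, unknown or expired. Lookup is by the
  # token's digest, so the clear-text token is never stored or compared.
  def authenticate(token, now: Time.now)
    return nil if token.nil? || token.empty?
    key   = digest(token)
    entry = @tokens[key]
    return nil unless entry
    if entry[:expires_at] <= now
      @tokens.delete(key) # expired: revoke it so it cannot be replayed later
      return nil
    end
    entry[:login]
  end

  # Explicit sign-out revokes the token server-side; true if one was revoked.
  def sign_out(token)
    !@tokens.delete(digest(token)).nil?
  end

  # Pull the token out of a request's Authorization header ("Bearer <token>").
  # Accepts both the plain header name and the Rack-style HTTP_AUTHORIZATION key.
  def self.token_from_headers(headers)
    value = headers['Authorization'] || headers['HTTP_AUTHORIZATION']
    return nil unless value
    m = value.match(/\ABearer\s+(\S+)\z/)
    m && m[1]
  end

  private

  def digest(token)
    Digest::SHA256.hexdigest(token)
  end

  def pbkdf2(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, 20_000, 32, OpenSSL::Digest::SHA256.new)
  end

  # Constant-time comparison: the loop always runs over every byte, so the
  # time taken does not depend on where the first differing byte is.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    result = 0
    a.bytes.zip(b.bytes) { |x, y| result |= x ^ y }
    result.zero?
  end
end

if __FILE__ == $0
  store = TokenStore.new
  store.register('alice', 'correct horse battery staple') # constructed sample user
  token = store.sign_in('alice', 'correct horse battery staple')
  headers = { 'Authorization' => "Bearer #{token}" }       # what the mobile app would send
  puts store.authenticate(TokenStore.token_from_headers(headers)) # alice
  puts store.authenticate('not-a-real-token').inspect            # nil
end
```

In a Rails app the authenticate step is what a before_filter would call: read the header, look up the digest, and return 401 when it yields nil. The same shape works for Devise's current advice of a token column holding a digest rather than the token itself.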
