
Allowing rails api to return json

I'm lost here - don't even really know what questions to ask.

I built an API as described here: http://railscasts.com/episodes/350-rest-api-versioning?view=asciicast

It's on a site that requires login.

I can access the api through the browser when I am logged in, no problem. Here are my routes:

## API
namespace :api do
  namespace :v1 do
    resources :users, :sessions
  end
end

What I've been asked to do is to make it so that an outside party can request the JSON with an API key and optional query parameters and userId.

I've tried to curl the site (https) and get redirected to a logout, even with username and password.

My boss suggested a public form on the root url that accepts the userId, apikey and params, and can be curled and will return the data via the parameters posted from curl.

I have no idea how to do this, or even how to allow the data to be called without logging in. I looked at this other screencast http://railscasts.com/episodes/353-oauth-with-doorkeeper (it's a paid version) but his interactions are allowing another Rails app to interact with his original app.

Basically, where should I look for information on how to accomplish this? Any other suggestions, or more information that I could give to make my question more clear?

Thank you for your time.

More RailsCasts! Ryan Bates has you covered in http://railscasts.com/episodes/352-securing-an-api?view=asciicast

So to boil it down:

  • you need to determine if the clients calling your API need to identify themselves, or if they also need to authenticate somehow
  • you need to determine if the users of the client (that's calling your API) need to authenticate with your system -- that is, are there "users"?

Some APIs allow callers to pass an API Key as part of the query; others require a more sophisticated process of authenticating, typically OAuth, which is a little trickier.

Some APIs provide user-specific information, in which case you'll need a way to make sure the user can log in, change their password, recall a forgotten password and so on. There's a good RailsCast for that, too (or you can use the Devise gem, although I wouldn't recommend it if you're mainly implementing an API -- not Devise's strong suit).

I am guessing you know this part, but all curl does is simulate the HTTP requests your clients will be making to your API, and (with the --include option) can show you the information about the response returned -- headers, cookies, and so on.

Google "rails api authentication" for more.
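The API-key option described in the answer above, as an added example that is not part of the original question or answer. It is plain Ruby with a Rack-style `env` hash rather than Rails controller code; the key `demo-key-123`, the client name, the user record and every method name are constructed for illustration.

```ruby
require 'digest'
require 'json'
require 'uri'

# Constructed sample data: only SHA-256 digests of issued keys are stored,
# mapped to the client they identify. "demo-key-123" is a made-up key.
API_KEY_DIGESTS = {
  Digest::SHA256.hexdigest('demo-key-123') => 'partner-a'
}.freeze

USERS = { '42' => { id: 42, name: 'Sample User' } }.freeze # constructed record

# Compare two hex digests without returning early on the first mismatch.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the client name for a presented key, or nil if it is unknown.
def client_for(key)
  return nil if key.nil? || key.empty?
  digest = Digest::SHA256.hexdigest(key)
  match = API_KEY_DIGESTS.find { |stored, _| secure_equal?(stored, digest) }
  match && match[1]
end

# Rack-style endpoint: env in, [status, headers, body] out.
def api_call(env)
  params = URI.decode_www_form(env['QUERY_STRING'].to_s).to_h
  # Prefer the Authorization header; fall back to ?api_key= in the query.
  header_key = env['HTTP_AUTHORIZATION'].to_s[/\AToken token="?([^"]+)"?\z/, 1]
  client = client_for(header_key || params['api_key'])
  json = { 'Content-Type' => 'application/json' }
  # API clients get a 401 with a JSON body, never a redirect to the login page.
  return [401, json, [JSON.generate({ error: 'invalid API key' })]] unless client
  user = USERS[params['user_id']]
  return [404, json, [JSON.generate({ error: 'user not found' })]] unless user
  [200, json, [JSON.generate({ client: client, user: user })]]
end
```

In a Rails app the same check would run in a `before_action` on the `api/v1` controllers instead of the session login filter. Keys sent in the query string end up in access logs and proxies, so the header form is the one to give to outside parties where possible.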
