Rolling a token auth mechanism on top of Devise [Rails 4]

Date: 2013-10-19 10:42:16

Tags: ruby-on-rails api authentication devise ruby-on-rails-4

Aloha,

After discovering that Devise's token_authenticatable has been deprecated, I'm now trying to roll my own solution, but I think I've run into a problem with Devise's sign_in method:

The spec:

context "with an admin user" do
  before(:each) { @user = FactoryGirl.create(:user, account_type: 'admin') }

  it "should respond with a 200 status" do
    post :verify, "token" => @user.authentication_token
    response.status.should eq(200)
  end
end

The error:

1) UsersController#verify with an admin user should respond with a 200 status
     Failure/Error: post :verify, "token"=> @user.authentication_token
     NoMethodError:
       undefined method `user' for nil:NilClass
     # ./app/controllers/application_controller.rb:24:in `authenticate_user_from_token!'
     # ./spec/controllers/users_controller_spec.rb:39:in `block (4 levels) in <top (required)>'

application_controller.rb:

class ApplicationController < ActionController::Base
  # If there's a token present we're using the API authentication
  # mechanism, else we fall back to Devise auth
  before_filter :authenticate_user_from_token!, :authenticate_user!

  # Set up an AccessDenied error
  class AccessDenied < StandardError; end
  # Set up a handler for it
  rescue_from AccessDenied, :with => :access_denied

  private

  # API requests should be made to the resource path
  # with the requester's token as params.
  #
  # This method extracts the params, checks if they are
  # valid and then signs the user in using Devise's sign_in method
  def authenticate_user_from_token!
    user = User.find_by_authentication_token params[:token]

    if !user.nil? && user.admin?
      # store: false ensures we'll need a token for every API request
      sign_in user, store: false # this is the line the spec complains about
    else
      raise ApplicationController::AccessDenied
    end
  end

  def access_denied
    render :file => "public/401", :status => :unauthorized
  end
end

users_controller.rb:

class UsersController < ApplicationController

  [snip]

  # We use this 'verify' method to provide an endpoint
  # for clients to poll for token verification.
  # If the before filter rejects the user/token
  # they receive a 401, else we respond with a 200
  # and the user params for verification on the remote app
  def verify
    user = User.find_by_authentication_token params[:token]
    render json: user
  end
end

I don't know where the 'user' method the error mentions is being called, nor what object it's being called on.
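The token check that authenticate_user_from_token! performs, as an added stand-alone example (not the asker's code and not Devise's): an in-memory user table stands in for ActiveRecord, and the User struct, TokenAuthenticator class and the sample users are assumptions made for this example. Beyond the question's filter it adds two guards a practitioner would want: a blank token is refused before any lookup (find_by_authentication_token(nil) translates to WHERE authentication_token IS NULL and would match any user whose token column is NULL), and tokens are stored and compared as digests in constant time.

```ruby
require "securerandom"
require "digest"

# Added example, not the asker's code: a stand-alone model of the token check
# that authenticate_user_from_token! performs, with an in-memory user table in
# place of ActiveRecord. User and TokenAuthenticator are assumed names.
User = Struct.new(:id, :email, :account_type, :token_digest) do
  def admin?
    account_type == "admin"
  end
end

class TokenAuthenticator
  def initialize
    @users = {}
  end

  # Issue a fresh random token and keep only its SHA-256 digest, so a dumped
  # users table does not double as a list of valid API credentials.
  def issue_token(user)
    token = SecureRandom.urlsafe_base64(32)
    user.token_digest = digest(token)
    @users[user.id] = user
    token
  end

  # Equivalent of User.find_by_authentication_token(params[:token]), with two
  # guards the question's filter lacks: a blank or non-string token is rejected
  # before the lookup (find_by with nil would match any row whose column is
  # NULL), and the digest comparison is constant-time rather than a plain ==.
  def find_by_token(token)
    return nil unless token.is_a?(String) && !token.empty?
    wanted = digest(token)
    @users.values.find { |u| secure_equal?(u.token_digest, wanted) }
  end

  # The decision the before_filter encodes: [200, user] for a valid admin
  # token, [401, nil] for anything else (unknown, blank, or non-admin).
  def verify(token)
    user = find_by_token(token)
    return [401, nil] unless user && user.admin?
    [200, user]
  end

  private

  def digest(token)
    Digest::SHA256.hexdigest(token)
  end

  # OR together the XOR of every byte pair, so the time taken does not depend
  # on where the first differing byte is.
  def secure_equal?(a, b)
    return false if a.nil? || b.nil? || a.bytesize != b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  auth = TokenAuthenticator.new
  # Constructed sample users for the demonstration.
  admin_token  = auth.issue_token(User.new(1, "admin@example.com", "admin", nil))
  member_token = auth.issue_token(User.new(2, "member@example.com", "member", nil))
  p auth.verify(admin_token)   # status 200 with the admin user
  p auth.verify(member_token)  # [401, nil]: valid token, but not an admin
  p auth.verify(nil)           # [401, nil]: no token at all
  p auth.verify("bogus")       # [401, nil]: unknown token
end
```

In the real controller the same shape applies: reject params[:token] when it is blank before touching the database, look the user up by a digest of the token, and only then hand the user to sign_in with store: false.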

1 answer:

Answer 0 (score: 0)

I found Authy's devise module very easy to use/modify for token-based authentication, rather than rolling my own from scratch.