我正在关注this tutorial以使用Android设计来创建用户身份验证。但是,设计删除了:token_authenticable
因此,我正在使用他们在this gist中引用的内容。但是,我遇到了一些我不知道如何解决的问题。
这是代码。
用户模型中的。
before_save :ensure_authentication_token
devise :database_authenticatable, :registerable,
:recoverable, :rememberable, :trackable, :validatable,
:confirmable
def ensure_authentication_token
if authentication_token.blank?
self.authentication_token = generate_authentication_token
end
end
def skip_confirmation!
self.confirmed_at = Time.now
end
private
def generate_authentication_token
loop do
token = Devise.friendly_token
break token unless User.where(authentication_token: token).first
end
end
在应用程序控制器中:
protect_from_forgery with: :exception
before_filter :authenticate_user_from_token!
private
# For this example, we are simply using token authentication
# via parameters. However, anyone could use Rails's token
# authentication features to get the token from a header.
def authenticate_user_from_token!
user_token = params[:user_token].presence
user = user_token && User.find_by_authentication_token(user_token.to_s)
if user
# Notice we are passing store false, so the user is not
# actually stored in the session and a token is needed
# for every request. If you want the token to work as a
# sign in token, you can simply remove store: false.
sign_in user, store: false
end
end
在SessionController API中
class Api::SessionsController < Devise::SessionsController
skip_before_filter :verify_authenticity_token,
:if => Proc.new { |c| c.request.format == 'application/json' }
before_action :authenticate_user_from_token!, only: [:create]
respond_to :json
def create
warden.authenticate!(:scope => resource_name, :recall => "#{controller_path}#failure")
render :status => 200,
:json => { :success => true,
:info => t("devise.sessions.signed_in"),
:data => { :auth_token => current_user.authentication_token } }
end
def destroy
warden.authenticate!(:scope => resource_name, :recall => "#{controller_path}#failure")
current_user.update_column(:authentication_token, nil)
render :status => 200,
:json => { :success => true,
:info => t("devise.sessions.signed_out"),
:data => {} }
end
端
当我执行curl登录时:
curl -v -H 'Content-Type: appl-H 'Accept: application/json' -X POST http://localhost:3000/api/sessions -d "{\"user\":{\"email\":\"[FILTERED]\",\"password\":\"123123123\"}}"
以下是来自服务器的日志:
Started POST "/api/sessions" for 127.0.0.1 at 2015-01-23 13:47:05 +1300
Processing by Api::SessionsController#create as JSON
Parameters: {"user"=>{"email"=>"[FILTERED]", "password"=>"[FILTERED]"}, "session"=>{"user"=>{"email"=>"[FILTERED]", "password"=>"[FILTERED]"}}}
User Load (0.1ms) SELECT "users".* FROM "users" WHERE "users"."email" = '[FILTERED]' ORDER BY "users"."id" ASC LIMIT 1
(0.1ms) begin transaction
SQL (0.2ms) UPDATE "users" SET "current_sign_in_at" = ?, "last_sign_in_at" = ?, "sign_in_count" = ?, "updated_at" = ? WHERE "users"."id" = 1 [["current_sign_in_at", "2015-01-23 00:47:05.981119"], ["last_sign_in_at", "2015-01-23 00:28:49.300907"], ["sign_in_count", 3], ["updated_at", "2015-01-23 00:47:05.981736"]]
(103.8ms) commit transaction
Completed 200 OK in 185ms (Views: 0.4ms | ActiveRecord: 104.9ms)
当我执行curl注销时:
curl -v -H 'Content-Type: application/json' -H 'Accept: application/json' -X DELETE http://localhost:3000/api/sessions/?auth_token=TbQXZJtngfJqZK6HkHKF
这是服务器日志:
Started DELETE "/api/sessions/?auth_token=TbQXZJtngfJqZK6HkHKF" for 127.0.0.1 at 2015-01-23 13:50:22 +1300
Processing by Api::SessionsController#destroy as JSON
Parameters: {"auth_token"=>"TbQXZJtngfJqZK6HkHKF", "session"=>{}}
Filter chain halted as :verify_signed_out_user rendered or redirected
Completed 204 No Content in 1ms (ActiveRecord: 0.0ms)
当我在SessionController API中添加skip_filter:verify_signed_out_user, only:[:destroy]
时,服务器日志将是:
Started DELETE "/api/sessions/?auth_token=TbQXZJtngfJqZK6HkHKF" for 127.0.0.1 at 2015-01-23 13:58:55 +1300
Processing by Api::SessionsController#destroy as JSON
Parameters: {"auth_token"=>"TbQXZJtngfJqZK6HkHKF", "session"=>{}}
Completed 401 Unauthorized in 1ms
我不知道为什么它返回204没有内容.... 如果有人对发生的事情有所了解。非常感谢。 欢呼声。
答案 0 :(得分:3)
成功销毁资源的HTTP状态为204.有关详细信息,请查看http://httpstatus.es/204。
当您跳过过滤器时,它会为您提供401,即对资源进行取消授权的HTTP状态。这是正确的,因为在破坏结果之前要求进行身份验证。
一切似乎都是正确的,我看不出任何问题。