Comments (10)
Hi @shedd
About the question on SO that you referred to:
I had no SO account and I'm not authorized by SO to comment just after registering, but I wonder: isn't ukson forgetting to provide the `user_email` param? Token authentication can't be performed with only the `auth_token`. (In fact, the point of José Valim's gist is to explain how to perform that e-mail cross-checking when implementing token authentication.)
Your setup is more complex, and I'll take a closer look at it as soon as I can. If you can, try speaking with ukson!
from simple_token_authentication.
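The e-mail cross-check referred to in the comment above, written out as an added example in plain Ruby. This is not simple_token_authentication's own code, nor José Valim's gist; it is a stand-alone illustration of the pattern both rely on: select the record by e-mail first, then compare the supplied token against that record's stored token in constant time, so a token on its own never authenticates. The in-memory `USERS` table and the `authenticate_request` helper are constructed for this example; the `user_email` / `user_token` parameter names and `X-User-Email` / `X-User-Token` header names are assumed to match the gem's defaults for a `User` model.

```ruby
require 'digest'

# Added example; not simple_token_authentication's own code. It shows the
# e-mail cross-check from José Valim's gist: the record is selected by
# e-mail, and only then is the supplied token compared, in constant time,
# against the token stored on that record. A token alone never suffices.

# Constructed in-memory user table standing in for a Devise model.
USERS = {
  'alice@example.com' => { id: 1, authentication_token: 'tok_' + ('a' * 20) },
  'bob@example.com'   => { id: 2, authentication_token: 'tok_' + ('b' * 20) }
}.freeze

# Constant-time string comparison. Both inputs are hashed first so the loop
# length is fixed and never depends on the attacker-supplied value; every
# byte is visited, with no early return on the first mismatch.
def secure_compare(a, b)
  a_digest = Digest::SHA256.digest(a.to_s)
  b_digest = Digest::SHA256.digest(b.to_s)
  diff = 0
  a_digest.each_byte.with_index { |byte, i| diff |= byte ^ b_digest.getbyte(i) }
  diff.zero?
end

# Look the user up by e-mail, then check the token against that record.
# Returns the user hash, or nil when either credential is missing or wrong.
def authenticate_from_token(email:, token:)
  return nil if email.to_s.empty? || token.to_s.empty?

  user = USERS[email.to_s.downcase]
  return nil unless user

  secure_compare(user[:authentication_token], token) ? user : nil
end

# Pull the credentials out of a request the way an API client would send
# them. The names (user_email / user_token params, X-User-Email /
# X-User-Token headers) are assumed to match the gem's defaults for a User
# model. `params` and `headers` are plain hashes here, not Rails objects.
def authenticate_request(params, headers)
  email = params['user_email'] || headers['X-User-Email']
  token = params['user_token'] || headers['X-User-Token']
  authenticate_from_token(email: email, token: token)
end

# For contrast only: the lookup-by-token-alone anti-pattern. It "works"
# with no e-mail at all, which is why a client that omits user_email can
# seem fine against such code and then get 401s from the gem. Do not use.
def authenticate_by_token_only(token)
  USERS.values.find { |u| u[:authentication_token] == token }
end

if __FILE__ == $PROGRAM_NAME
  good = 'tok_' + ('a' * 20)
  p authenticate_from_token(email: 'alice@example.com', token: good) # alice's record
  p authenticate_from_token(email: nil, token: good)                 # nil: no e-mail, no login
  p authenticate_by_token_only(good)                                 # alice's record (insecure path)
end
```

The `secure_compare` helper hashes both sides before comparing so that neither the length of the attacker's input nor the position of the first differing byte changes the running time; that is the same approach Rails' `secure_compare` took before OpenSSL gained a fixed-length compare. The missing-e-mail case in the thread maps directly onto `authenticate_from_token(email: nil, ...)` returning `nil`, which a controller would turn into a 401.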
@gonzalo-bulnes nice spot! Yep, I think you're right about the SO question. I replied giving your tip: http://stackoverflow.com/questions/24092791/ruby-on-rails-curl-delete-token-authentication/24394116#24394116
Let me know if you have any thoughts on what my issue is. I am passing the email and the token and it works everywhere else, just not Session#destroy
Thanks in advance!
Hey @gonzalo-bulnes - any thoughts on why this isn't working? Thanks so much!
Hi @shedd, I'm sorry I haven't properly looked at your issue. I'll do my best to do it tomorrow morning. Thanks for your patience!
@gonzalo-bulnes sorry to pull this back up again, but we're still having issues with this. Just wondering if you have any ideas?
Sorry @shedd, I kind of forgot your issue :/
One question: why do you add the `authenticate_entity_from_token!` filter? Simple Token Authentication adds `authenticate_user_from_token` (no bang `!`, because the fallback is disabled) in your case.
The namespace could have introduced unexpected behaviour, but since you mention that token authentication is behaving well otherwise, I guess the `devise_for` `path: users` option handles it properly.
@gonzalo-bulnes hey, thanks for the response!
It looks like I had made some changes since I originally posted this in June.
My API controller now only has:

```ruby
# in Api::V1::ApiController
acts_as_token_authentication_handler_for User, fallback_to_devise: false
before_action :authenticate_user!
skip_filter :authenticate_user!, only: [:connection_test]
```

And I'm doing this filtering in the Sessions controller:

```ruby
# in Api::V1::SessionsController
prepend_before_filter :require_no_authentication, only: [:create]
skip_filter :authenticate_entity_from_token!, only: [:create]
skip_filter :authenticate_user!, only: [:create]
before_action :ensure_params_exist
skip_before_action :verify_authenticity_token
```

I've updated the sample code above.
So I think the confusion about the `authenticate_entity_from_token!` call should be resolved.
Still getting 401s from my tests, though.
And yes, the namespacing seems to be working fine.
Ok, I figured out what I was missing.
The sample code that I based this login/logout controller on had this class definition:

```ruby
class Api::V1::SessionsController < Devise::RegistrationsController
```

When I was going through this again, I thought that seemed a bit off: using the Registrations controller for login and logout? Amazingly, this actually worked, though, for login anyway.
Looking at the Devise code, I decided to try this:

```ruby
class Api::V1::SessionsController < Devise::SessionsController
```

As long as I did a `skip_filter :verify_signed_out_user, only: [:destroy]`, this kind of worked. It no longer threw a 401 error.
But there was still no `current_user` in the scope of the `destroy` method.
Then it struck me: it should be `class Api::V1::SessionsController < Api::V1::ApiController`, inheriting from the API controller, where the `acts_as_token_authentication_handler_for` is set up. No wonder it wasn't authenticated.
Changing that fixed the problem.
Now I have:

```ruby
class Api::V1::SessionsController < Api::V1::ApiController
  # The token handler filters are inherited from Api::V1::ApiController;
  # skip them for login only, since the client has no token yet.
  skip_filter :authenticate_entity_from_token!, only: [:create]
  skip_filter :authenticate_user!, only: [:create]
  # API clients send no CSRF token
  skip_before_action :verify_authenticity_token

  def create
    # remove the build_resource call here from my earlier example
    ...
  end

  def destroy
    # current_user is set by the inherited token handler
    sign_out(current_user)
    head :no_content
  end
end
```

Sorry, this was my mistake. Thanks for the help!
Nice, I'm glad the discussion gave you an occasion to take a different look at the code. Thanks for the details about your setup too! I'm planning to document some interesting use cases, and your experience is very helpful.
Regards!