使用 API 密钥时如何跳过设计身份验证? [英] How to skip Devise authentication when using an API key?
问题描述
我在我的应用程序上使用 Devise,并想创建一个全局 API 密钥,无需登录即可访问任何人帐户的 JSON 数据.
I'm using Devise on my application and would like to create a global API key that can access JSON data of anyone's account without having to log-in.
例如,假设我的 API 密钥是 1234
并且我有两个用户创建了两个不同的餐厅.
For example, say my API Key is 1234
and I have two users who have created two different restaurants.
- 用户 1 - 餐厅 1 (/restaurants/1)
- 用户 2 - 餐厅 2 (/restaurants/2)
我打开一个全新的浏览器,没有登录任何东西,我传入我的 URL .../restaurants/2.json?api_key=1234
,我应该可以访问无需以用户 2
And I open a brand new browser and haven't logged into anything and I pass into my URL .../restaurants/2.json?api_key=1234
, I should be able to access the JSON data of that restaurant without having to log-in as User 2
最好的方法是什么?
我遵循了 Railscast #352 保护 API 所以我'我可以通过传入 API 密钥来访问 JSON 内容,但我必须登录才能查看任何内容.
I've followed the Railscast #352 Securing an API so I'm able to access JSON stuff by passing in the API key but I have to log-in to see anything.
我应该提到我也在使用 CanCan 作为角色,但不确定在这种情况下是否会发挥任何作用(不是双关语).
I should mention that I'm also using CanCan for roles but not sure if that'll play any role (pun not intended) in this situation.
我遵循了 Railscast #350 和 #352,它们教您如何创建 REST API 版本控制以及如何使用 API 密钥保护它.
I followed the Railscast #350 and #352 which teach you how to create REST API Versioning and how to secure it with an API Key.
这是我的控制器/api/v1/restaurants/restaurants_controller.rb 的样子:
Here's what my controllers/api/v1/restaurants/restaurants_controller.rb looks like:
module Api
module V1
class RestaurantsController < ApplicationController
before_filter :restrict_access
respond_to :json
def index
respond_with Restaurant.all
end
def show
respond_with Restaurant.find(params[:id])
end
private
def restrict_access
api_key = ApiKey.find_by_access_token(params[:api_key])
head :unauthorized unless api_key
end
end
end
end
而且我的 application_controller.rb
仍然有 before_filter :authenticate_user!
代码.
And my application_controller.rb
still has the before_filter :authenticate_user!
code in it.
我首先关注了 Railscast #350 on REST API Versioning 并移动了所有我对 /apps/api/v1/...
I first followed the Railscast #350 on REST API Versioning and moved all my JSON API calls to /apps/api/v1/...
然后,按照下面 Steve Jorgensen 的解决方案,确保我的 API 模块继承自 ActionController::Base
而不是 ApplicationController
以便它绕过 Devise 的 before_filter :authenticate_user!
ApplicationController
中的代码.
Then, following Steve Jorgensen's solution below, made sure my API module inherited from ActionController::Base
instead of ApplicationController
so that it bypassed Devise's before_filter :authenticate_user!
code within the ApplicationController
.
所以,我的 Edit 2 代码看起来像这样:
So, my Edit 2 code when from looking like this:
module Api
module V1
class RestaurantsController < ApplicationController
...
到
module Api
module V1
#Replace 'ApplicationController' with 'ActionController::Base'
class RestaurantsController < ActionController::Base
...
推荐答案
没有人提到的一个选项是为 API 拥有一组完全独立的控制器,这些控制器不继承自 ApplicationController
.
One option no one has mentioned is to have a completely separate set of controllers for the API that do not inherit from ApplicationController
.
我已经看到 API 控制器存在于诸如 /app/controllers/api/v1/somethings.rb
之类的文件中并且可以通过诸如 /api/v1 之类的路由访问的模式/某事
.每个特定的 API 控制器都继承自从 ActionController::Base
继承的基本 API 控制器,因此不包括在 ApplicationController
上定义的任何过滤器.
I have seen the pattern used where API controllers live in files such as /app/controllers/api/v1/somethings.rb
and are accessible via routes such as /api/v1/somethings
. Each of the specific API controllers inherits from a base API controller that inherits from ActionController::Base
, so does not include any of the filters defined on ApplicationController
.
这篇关于使用 API 密钥时如何跳过设计身份验证?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!