使用 API 密钥时如何跳过设计身份验证? [英] How to skip Devise authentication when using an API key?

问题描述

我在我的应用程序上使用 Devise，并想创建一个全局 API 密钥，无需登录即可访问任何人帐户的 JSON 数据.

I'm using Devise on my application and would like to create a global API key that can access JSON data of anyone's account without having to log-in.

例如，假设我的 API 密钥是 1234 并且我有两个用户创建了两个不同的餐厅.

For example, say my API Key is 1234 and I have two users who have created two different restaurants.

• 用户 1 - 餐厅 1 (/restaurants/1)
• 用户 2 - 餐厅 2 (/restaurants/2)

我打开一个全新的浏览器，没有登录任何东西，我传入我的 URL .../restaurants/2.json?api_key=1234，我应该可以访问无需以用户 2

And I open a brand new browser and haven't logged into anything and I pass into my URL .../restaurants/2.json?api_key=1234, I should be able to access the JSON data of that restaurant without having to log-in as User 2

最好的方法是什么?

我遵循了 Railscast #352 保护 API 所以我'我可以通过传入 API 密钥来访问 JSON 内容，但我必须登录才能查看任何内容.

I've followed the Railscast #352 Securing an API so I'm able to access JSON stuff by passing in the API key but I have to log-in to see anything.

我应该提到我也在使用 CanCan 作为角色，但不确定在这种情况下是否会发挥任何作用(不是双关语).

I should mention that I'm also using CanCan for roles but not sure if that'll play any role (pun not intended) in this situation.

我遵循了 Railscast #350 和 #352，它们教您如何创建 REST API 版本控制以及如何使用 API 密钥保护它.

I followed the Railscast #350 and #352 which teach you how to create REST API Versioning and how to secure it with an API Key.

这是我的控制器/api/v1/restaurants/restaurants_controller.rb 的样子:

Here's what my controllers/api/v1/restaurants/restaurants_controller.rb looks like:

module Api
  module V1
    class RestaurantsController < ApplicationController
      before_filter :restrict_access

      respond_to :json

      def index
        respond_with Restaurant.all
      end

      def show
        respond_with Restaurant.find(params[:id])
      end

    private

      def restrict_access
        api_key = ApiKey.find_by_access_token(params[:api_key])
        head :unauthorized unless api_key        
      end
    end
  end
end

而且我的 application_controller.rb 仍然有 before_filter :authenticate_user! 代码.

And my application_controller.rb still has the before_filter :authenticate_user! code in it.

我首先关注了 Railscast #350 on REST API Versioning 并移动了所有我对 /apps/api/v1/...

I first followed the Railscast #350 on REST API Versioning and moved all my JSON API calls to /apps/api/v1/...

然后，按照下面 Steve Jorgensen 的解决方案，确保我的 API 模块继承自 ActionController::Base 而不是 ApplicationController 以便它绕过 Devise 的 before_filter :authenticate_user! ApplicationController 中的代码.

Then, following Steve Jorgensen's solution below, made sure my API module inherited from ActionController::Base instead of ApplicationController so that it bypassed Devise's before_filter :authenticate_user! code within the ApplicationController.

所以，我的 Edit 2 代码看起来像这样:

So, my Edit 2 code when from looking like this:

module Api
  module V1
    class RestaurantsController < ApplicationController
    ...

到

module Api
  module V1
    #Replace 'ApplicationController' with 'ActionController::Base'
    class RestaurantsController < ActionController::Base
    ...

推荐答案

没有人提到的一个选项是为 API 拥有一组完全独立的控制器，这些控制器不继承自 ApplicationController.

One option no one has mentioned is to have a completely separate set of controllers for the API that do not inherit from ApplicationController.

我已经看到 API 控制器存在于诸如 /app/controllers/api/v1/somethings.rb 之类的文件中并且可以通过诸如 /api/v1 之类的路由访问的模式/某事.每个特定的 API 控制器都继承自从 ActionController::Base 继承的基本 API 控制器，因此不包括在 ApplicationController 上定义的任何过滤器.

I have seen the pattern used where API controllers live in files such as /app/controllers/api/v1/somethings.rb and are accessible via routes such as /api/v1/somethings. Each of the specific API controllers inherits from a base API controller that inherits from ActionController::Base, so does not include any of the filters defined on ApplicationController.

这篇关于使用 API 密钥时如何跳过设计身份验证?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！