Toggling Devise authentication modules per controller action


Question

I have a Rails site that uses Devise for authentication. I have one page (PhotosController#create) that needs to authenticate users without cookies. I'm doing this with the :token_authenticatable module of Devise, which authenticates a user if the supplied token matches the token stored on the server side. (See this SO question if you're curious.)

It's good policy to expire or change the token after the action is complete. This prevents an attacker from sniffing the token and using it to successfully authenticate as the user. However, in my case, I can't expire or change the token because the client-side photo uploader uploads multiple photos, each resulting in a separate POST to PhotosController#create. So if I expire the token after a successful create, the second, third, etc. uploads will fail.

Devise modules are specified at the model level (e.g. the User model). I need more granularity than this.

My question is, how do I enable the :token_authenticatable module only for a single action of a single controller? Or, equivalently, how do I disable the :token_authenticatable module for all controllers and actions except for one action?

Recommended answer

As the developer of one Devise plugin (devise_rpx_connectable), I'm happy to answer your question.

TokenAuthenticatable is one Devise strategy; you can read its code here:

https://github.com/plataformatec/devise/blob/master/lib/devise/strategies/token_authenticatable.rb

As you can see, each Devise strategy has a valid? and/or valid_request? method that is called to determine whether the strategy should be enabled. So you can easily override this strategy for your needs, or you can override only the valid_request? method. Just load this kind of code in an initializer (after Devise is loaded, of course):

# Reopen Devise's built-in TokenAuthenticatable strategy and restrict when it
# is considered applicable: token authentication is attempted only for
# PhotosController#create, and every other request skips the strategy.
module Devise
  module Strategies
    class TokenAuthenticatable < Authenticatable
      private

      # Called by Devise/Warden to decide whether this strategy applies to the
      # current request. Return true only for the photo upload action.
      def valid_request?
        params[:controller] == "photos" && params[:action] == "create"
      end
    end
  end
end

I haven't tested this, and I don't know if it works out of the box, but I hope you see the point. If that doesn't work, use a debugger, write your own Devise strategy (see my plugin, it's easy to understand), etc.

Moreover, when you use this strategy, the user will be stored in the session unless you use the stateless_token option, see: https://github.com/plataformatec/devise/blob/master/lib/devise/models/token_authenticatable.rb#L27
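The following is an added, self-contained Ruby sketch of the mechanism the answer describes; it is not code from the answer, from Devise or from Warden, and it runs without Rails. A toy `Strategy` base class stands in for Warden's strategy protocol (valid? is consulted first, authenticate! runs only when it returns true), the `ScopedTokenAuthenticatable` class, the `USERS` table, the `auth_token` parameter name and the request hashes are all constructed for the example. It shows the behaviour the asker wants: the same token is accepted for repeated PhotosController#create uploads, is ignored on every other controller action, and (as the answer's stateless_token remark warns about) is not written to the session.

```ruby
require "digest"

# Constructed sample data: users with server-side authentication tokens.
USERS = [
  { id: 1, email: "alice@example.com", authentication_token: "aL1ce-T0k3n" },
  { id: 2, email: "bob@example.com",   authentication_token: "b0B-t0K3n" },
].freeze

# Constant-time equality: hash both sides to a fixed length, then XOR every
# byte, so a wrong token takes the same time to reject as a near-miss.
def secure_compare(a, b)
  da = Digest::SHA256.digest(a.to_s)
  db = Digest::SHA256.digest(b.to_s)
  da.bytes.zip(db.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Stand-in for a model-level token lookup (constructed; not Devise's finder).
def find_for_token_authentication(token)
  USERS.find { |u| secure_compare(u[:authentication_token], token) }
end

# Minimal stand-in for a Warden strategy: the runner calls valid? first and
# only runs authenticate! when it answers true.
class Strategy
  attr_reader :params, :user, :result, :message

  def initialize(params)
    @params = params
    @user = nil
    @result = nil
  end

  def valid?
    true
  end

  # Whether a successful authentication should be persisted in the session.
  def store?
    true
  end

  private

  def success!(user)
    @user = user
    @result = :success
  end

  def fail!(message)
    @message = message
    @result = :failure
  end
end

# Token strategy gated to one controller action, as the answer sketches.
class ScopedTokenAuthenticatable < Strategy
  TOKEN_KEY = :auth_token                       # hypothetical param name
  ALLOWED = { "photos" => %w[create] }.freeze   # controller => allowed actions

  # Applicable only on PhotosController#create and only when a token is
  # present; everywhere else the runner skips this strategy entirely, so a
  # sniffed token is useless against other endpoints.
  def valid?
    valid_request? && !params[TOKEN_KEY].to_s.empty?
  end

  # Stateless: the user is not written to the session on success.
  def store?
    false
  end

  def authenticate!
    user = find_for_token_authentication(params[TOKEN_KEY])
    user ? success!(user) : fail!("invalid token")
  end

  private

  def valid_request?
    ALLOWED.fetch(params[:controller], []).include?(params[:action])
  end
end

# Minimal Warden-like runner: try each strategy in order and persist to the
# session only when the winning strategy asks for it. Returns the user or nil.
def authenticate(params, session, strategies = [ScopedTokenAuthenticatable])
  strategies.each do |klass|
    strategy = klass.new(params)
    next unless strategy.valid?
    strategy.authenticate!
    next unless strategy.result == :success
    session[:user_id] = strategy.user[:id] if strategy.store?
    return strategy.user
  end
  nil
end

if __FILE__ == $PROGRAM_NAME
  session = {}
  upload = { controller: "photos", action: "create", auth_token: "aL1ce-T0k3n" }
  2.times { |i| puts "upload #{i + 1}: #{authenticate(upload, session)&.fetch(:email).inspect}" }
  other = upload.merge(action: "index")
  puts "photos#index with same token: #{authenticate(other, session).inspect}"
  puts "session after token auth: #{session.inspect}"
end
```

Because the gate lives in valid?, a request that does not match the allowed controller/action never reaches the token lookup at all; other strategies in the list (a cookie or database strategy in a real app) would still be tried for those requests.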
