为什么我无法使用devise_token_auth和curl退出? [英] Why am I unable to sign out using devise_token_auth and curl?

问题描述

我正在使用带有devise_token_auth的rails-api进行身份验证.我可以通过以下方式登录而没有问题:

I'm using rails-api with devise_token_auth for authentication. I am able to sign in without issue via:

curl -i http://localhost:3000/api/v1/auth/sign_in -F email="user@nowhere.org" -F password="password"

但是，注销失败并显示404，并显示错误找不到用户或未登录用户".通过:

However, sign out fails with a 404 and the error "User was not found or was not logged in." via:

curl -X DELETE -i http://localhost:3000/api/v1/auth/sign_out

我已经尝试过使用多种参数和标头值组合来修改此命令，例如:

I have tried variations of this command with multiple combinations of parameters and header values, such as:

curl -X DELETE -i http://localhost:3000/api/v1/auth/sign_out -F email="user@nowhere.org" -H Access-Token="Ae1yaTYLkSAgdhz3LtPAZg" -H Client="9AmYF6NS8tP6EOD5nPSuxw" -H Expiry="1443073493" -H Uid="user@nowhere.org" -H Token-Type="Bearer"

无济于事.类似构造的RSpec测试也将失败，并具有相同的响应和错误，并且日志表明该请求已通过DeviseTokenAuth :: SessionsController#destroy作为JSON处理.

To no avail. A similarly constructed RSpec test also fails with the same response and error, and the logs indicate the request was processed via DeviseTokenAuth::SessionsController#destroy as JSON.

当然，我实际上并没有使用curl进行身份验证；只需在编写相关代码之前验证请求结构即可.

Of course, I'm not actually using curl for authentication; just verification of the request structure before writing the relevant code.

推荐答案

回答我自己的问题，我没有随sign_out请求正确返回某些sign_in响应标头值.

Answering my own question, I wasn't returning certain sign_in response header values correctly with the sign_out request.

我找到了相关的帖子，其中指出了一些关键标头.技巧是从sign_in响应中捕获访问令牌，客户端和uid标头值，然后将它们作为参数包含在sign_out请求中:

I found a related post which pointed out some of the critical headers. The trick is to capture the access-token, client, and uid header values from the sign_in response, then include them as parameters in the sign_out request:

curl -i -X DELETE http://localhost:3000/api/v1/auth/sign_out -F access-token="Ae1yaTYLkSAgdhz3LtPAZg" -F client="9AmYF6NS8tP6EOD5nPSuxw" -F uid="user@nowhere.org"

这是一个RSpec测试，用于说明和验证:

Here's an RSpec test to illustrate and verify:

require 'rails_helper'

RSpec.describe "Authentication", type: :request do

  it "logs a user out" do
    user = User.create!(
      name: "Some Dude", 
      email: "user@nowhere.org",
      password: "password", 
      confirmed_at: Date.today
    )

    # initial sign in to generate a token and response
    post api_v1_user_session_path, {
      email: user.email, 
      password: user.password
    }

    expect(user.reload.tokens.count).to eq 1

    # sign out request using header values from sign in response
    delete destroy_api_v1_user_session_path, {
      "access-token": response.header["access-token"], 
      client: response.header["client"], 
      uid: response.header["uid"]
    }

    response_body = JSON.load(response.body)
    expect(response_body["errors"]).to be_blank
    expect(response.status).to eq 200
    # user token should be deleted following sign out
    expect(user.reload.tokens.count).to eq 0
  end

end

这篇关于为什么我无法使用devise_token_auth和curl退出?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！