使用 authlogic_api 访问 Rails REST API [英] Using authlogic_api for Rails REST API access

问题描述

我正在为只能通过 REST 调用访问的 Steam 游戏编写 Rails 后端 API，因此不需要特定于用户的身份验证.我正在尝试为 Authlogic 实施 authlogic_api 插件 gem，它使用 api_key/signature 机制来限制访问.我已经实现了 rdocs 中概述的 ApplicationSession 和 ApplicationAccount 模型，但我不确定如何修改我的 ApplicationController 以限制访问.

I am writing a Rails back-end API for a Steam game that is only accessed via REST calls, so no user-specific authentication is required. I am trying to implement the authlogic_api plug-in for the Authlogic gem, which uses an api_key/signature mechanism to restrict access. I have implemented the ApplicationSession and ApplicationAccount models as outlined in the rdocs, but I'm not sure how to modify my ApplicationController to restrict access.

查看源代码，authlogic_api 插件似乎修改了来自 Authlogic 的 ActsAsAuthentic 和 Session 模块.但由于这本质上是单次访问"身份验证，需要在每个请求中传递 API 密钥和签名，因此我看不出会话是一个因素.

Looking at the source, it appears the authlogic_api plug-in modifies the ActsAsAuthentic and Session modules from Authlogic. But since this is essentially "single access" authentication, requiring the API key and signature to be passed on every request, I don't see how sessions would be a factor.

有没有人在他们的应用程序中成功实现了 authlogic_api?如果是这样，您会分享您设置 ApplicationController 的方法吗?

Has anyone successfully implemented authlogic_api in their apps? If so, would you share your approach for setting up your ApplicationController?

推荐答案

其实要简单得多.使用 Authlogic 示例中的所有代码有点矫枉过正 - 它主要管理存储会话详细信息，您不需要为应用程序(也称为客户端)会话执行此操作.每次请求都会重新确认客户端会话.

Actually, it's much simpler. Using all that code from the Authlogic example is somewhat overkill - it mainly manages storing session details, which you don't need to do for the Application (also known as Client) session. The Client session is re-confirmed at every request.

您只需要:

models\client.rb

class Client < ActiveRecord::Base
  acts_as_authentic do |config|
  end
end

models\client_session.rb

class ClientSession < Authlogic::Session::Base
  api_key_param 'app_key'
end

controllers\application_controller

before_filter :verify_client

def verify_client
  @client_session = ClientSession.new()
  unless @client_session.save # if client session not successfully created using the api_key and signature, render an error and block the request
    @error = {:description => "Couldn't validate client application."}
    render :template => 'errors/error.xml.builder'
  end
end

您还需要运行迁移来创建客户端表.并非以下所有字段都是必需的，但它们不会受到影响.

You also need to run a migration to create the clients table. Not all of the fields below are necessary, but they won't hurt.

class CreateClients < ActiveRecord::Migration
  def self.up
    create_table :clients do |t|
      # human fields
      t.string :name
      t.string :owner
      t.string :owner_email
      t.string :owner_phone
      # login fields
      t.string :api_key, :null => false
      t.string :api_secret, :null => false
      t.string :password_salt
      t.string :persistence_token
      t.string :perishable_token
      # automagical fields (courtesy of authlogic & authlogic_api)
      t.integer :failed_login_count
      t.datetime :last_request_at
      t.integer :request_count
      t.string :last_request_ip
      # automagical fields (courtesy of rails)
      t.timestamps
    end
  end

  def self.down
    drop_table :clients
  end
end

这篇关于使用 authlogic_api 访问 Rails REST API的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！