设备和 iphone 应用程序之间的 HTTP 身份验证 [英] HTTP authentication between devise and iphone app

问题描述

我是 ruby​​ on rails 的新手，但我想将我的 SQlite 数据库中的数据从我的 iphone 应用程序发送到 rails web 应用程序.就像一个同步"服务.

I'm new to ruby on rails but I want to send the data from my SQlite database from my iphone app to the rails web app. Like a "sync" service.

我正在使用 devise 进行 Web 应用程序的身份验证.我启用了基本的 HTTP 身份验证，并且可以进入网站以获取 xml 或 json 数据.当我将帖子标题设置为 JSON 并使用用户名和密码时，我还可以将数据上传到网站.

I'm using devise for authentication for the web app. I enabled basic HTTP authentication and I can curl into the website for xml or json data. I can also upload data to the website when I set the post headers to JSON and with username and password.

这就是我被卡住的地方.

Here's where I'm stuck.

1) 如何让用户在第一次登录后保持登录状态?每次向网站发送数据时都使用 http 身份验证吗?我已阅读有关令牌身份验证的信息，但不确定如何使用它.

1) How do I keep the user signed in after the 1st login? Do I use http authentication every time I send data to the website? I've read about token authentication but I'm not sure how to use it.

2) 我可以使用正确的方式将 JSON 数据发布到 http://localhost:3000/example 之类的东西用户名和密码.但是，如果用户名和密码不正确，它将返回 HTML 内容.我是否必须编写一些返回有关登录成功/失败的 json 数据的内容?

2) I can post JSON data to something like http://localhost:3000/example with the correct username and password. However, it returns the HTML content if the username and passowrd is incorrect. Do I have to write something that returns json data about login success/fialure?

3) 在我的 iphone 应用程序和我的网络应用程序之间进行通信.我在 Web 应用程序端编写 RESTful API 是否正确?我需要使用活动资源吗?

3) To communicate between my iphone app and my web app. Am I correct in writing a RESTful API on the web app side? Do I need to use active resources?

我真的很关注这一切如何运作的整体大局.谢谢！

I'm really stuck on the overall big picture of how all this works. Thanks!

推荐答案

有很多方法可以做到这一点.为了让 Devise 将错误返回到我可以解释的 iphone 应用程序(例如 401)，我所做的是创建一个自定义失败应用程序:

There's many ways you can do this. What I did to get Devise to return errors to my iphone app that I could interpret (e.g. 401) was create a custom failure app:

# config/initializers/devise.rb
config.warden do |manager|
  manager.failure_app   = CustomFailure
end

# config/initializers/custom_failure.rb
class CustomFailure < Devise::FailureApp     
  def respond
    unless request.format.to_sym == :html
  http_auth
    else
  super
end
  end
end

否则无论登录信息是否正确，Devise 只会返回带有重定向响应代码的 HTML.

Otherwise Devise just returns HTML with a redirect response code regardless of whether the login information was correct or incorrect.

由于我的应用程序要求用户对我的 rails 后端进行身份验证，因此我实现了一个简单的登录系统，如下所示:

Since my app required users to authenticate against my rails backend, I implemented a simple login system like this:

#app/controllers/pages_controller.rb
before_filter :authenticate_user!, :only => [:login]
ssl_required :login # you have to set up ssl and ssl_requirement


def login
  @user = current_user
  respond_to do |format|
    format.html {render :text => "#{@user.id}"} 
    format.xml {render :text => "#{@user.id}" }   
  end
end

#config/routes.rb
match '/login',       :to => 'pages#login'

然后在 iphone 应用程序中，您可以通过像这样向/login 发送 GET 请求来进行验证(我使用 ASIHTTPRequest 因为它很棒):

Then in the iphone app you can validate by sending a GET request to /login like this (I use ASIHTTPRequest because it's awesome):

- (void) validate_login:(NSString*)name :(NSString*)pwd
{   
    NSURL *login_url = [NSURL URLWithString:@"https://mysite.com/login"];
    ASIHTTPRequest *request = [ASIHTTPRequest requestWithURL:login_url];
    [request setDelegate:self];
    [request setUsername:name];
    [request setPassword:pwd];  
    [request addRequestHeader:@"Accept" value:@"application/xml"]; 
    [request startAsynchronous];    
}

- (void)requestFinished:(ASIHTTPRequest *)request
{
if ([request responseStatusCode] != 200) {
  [self requestFailed:request];
}
    else {
  // authentication successful, store credentials
        NSUSerDefaults* defaults = [NSUserDefaults standardUserDefaults];
    [defaults setValue:[request username] forKey:@"username"];
        [defaults setValue:[request password] forKey:@"password"];
    }
}


- (void)requestFailed:(ASIHTTPRequest *)request
{
    NSLog(@"failed with error: %d %@", [request responseStatusCode], [error localizedDescription]);
    // tell user incorrect username/password    
}

然后，无论何时您需要将数据发布到应用程序，您都可以从用户默认值中检索用户名和密码，并将它们附加到请求中.如果您需要更安全，可以将它们存储在钥匙串中.

Then whenever you need to post data to the app you can retrieve the username and password from user defaults and attach them to the request. If you need to be more secure, you can store them in the Keychain.

我相信有更好的方法可以做到这一点，但希望这能让您思考 API 身份验证策略.

I'm sure there are better ways to do this, but hopefully this can get you thinking about API authentication strategies.

这篇关于设备和 iphone 应用程序之间的 HTTP 身份验证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！