Toggling Devise authentication modules per controller action
Question
I have a Rails site that uses Devise for authentication. I have one page (PhotosController#create) that needs to authenticate users without cookies. I'm doing this with the :token_authenticatable module of Devise, which authenticates a user if the supplied token matches the token stored on the server side. (See this SO question if you're curious.)
It's good policy to expire or change the token after the action is complete. This prevents an attacker from sniffing the token and using it to successfully authenticate as the user. However, in my case, I can't expire or change the token because the client-side photo uploader uploads multiple photos, each resulting in a separate POST to PhotosController#create. So if I expire the token after a successful create, the second, third, etc. uploads will fail.
Devise modules are specified at the model level (e.g. the User model). I need more granularity than this.
My question is, how do I enable the :token_authenticatable module only for a single action of a single controller? Or, equivalently, how do I disable the :token_authenticatable module for all controllers and actions except for one action?
Answer
As the developer of one Devise plugin (devise_rpx_connectable) I'm happy to answer your question.
TokenAuthenticatable is one Devise strategy; you can read its code here:
https://github.com/plataformatec/devise/blob/master/lib/devise/strategies/token_authenticatable.rb
As you can see, each Devise strategy has a valid? and/or valid_request? method that is called to determine if the strategy should be enabled. So you can easily override this strategy for your needs, or you can also only override the valid_request? method. Just load this kind of code in an initializer (AFTER Devise is loaded, of course):
    # Put this in a Rails initializer that runs after Devise has loaded; it reopens
    # Devise's TokenAuthenticatable strategy and narrows the requests it applies to.
    module Devise
      module Strategies
        class TokenAuthenticatable < Authenticatable
          private

          # Only consider token authentication for PhotosController#create;
          # every other controller/action skips this strategy entirely.
          def valid_request?
            params[:controller] == "photos" && params[:action] == "create"
          end
        end
      end
    end
I haven't tested this, and I don't know if it works out of the box, but I hope you see the point. If that doesn't work, use a debugger, or write your own Devise strategy (see my plugin, it's easy to understand), etc.
Moreover, when you use this strategy, the user will be stored in the session unless you use the stateless_token option, see:
https://github.com/plataformatec/devise/blob/master/lib/devise/models/token_authenticatable.rb#L27
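To make the strategy contract the answer relies on concrete, here is an added, self-contained model of it (not code from the answer above or from Devise itself): a valid_request? gate restricted to photos#create, a store? that mirrors stateless_token, and a constant-time token comparison. Request, USERS and ScopedTokenStrategy are constructed stand-ins; Devise is not loaded.

```ruby
# Added example, not code from the original answer or from Devise: a stand-in
# for the Warden/Devise strategy contract (valid?/authenticate!/store?) scoped
# to photos#create. Request, USERS and ScopedTokenStrategy are constructed.

# Stand-in for the request data a Devise strategy inspects via params.
Request = Struct.new(:controller, :action, :params)

# Constructed user table, token => record; Devise would call
# User.find_for_token_authentication instead.
USERS = { "tok-abc123" => { id: 1, email: "alice@example.com" } }.freeze

class ScopedTokenStrategy
  def initialize(request)
    @request = request
  end

  # Mirrors valid_request? from the answer: the token strategy is only even
  # attempted for the one action that legitimately needs cookie-less auth,
  # so a token that cannot be rotated between uploads is useless elsewhere.
  def valid_request?
    @request.controller == "photos" && @request.action == "create"
  end

  # valid? = valid_request? plus a token actually being present.
  def valid?
    valid_request? && !@request.params[:auth_token].to_s.empty?
  end

  # Mirrors Devise's stateless_token option: never persist the user in the
  # session from a token-authenticated request.
  def store?
    false
  end

  # Returns [:success, user] or [:failure, nil]; tokens are compared in
  # constant time so timing does not leak how many bytes matched.
  def authenticate!
    return [:failure, nil] unless valid?
    supplied = @request.params[:auth_token].to_s
    user = nil
    USERS.each { |token, record| user = record if secure_equal?(token, supplied) }
    user ? [:success, user] : [:failure, nil]
  end

  private
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```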