什么是用户身份验证的最佳方法与设计3和骨干? [英] What is the best way to user authentication with Devise 3 and Backbone?
问题描述
我在这个堆栈的工作:
- 核心基于REST的API使用Rails 4,并制定3.2
- 与骨干另一应用程序/姿态
我看了很多文章,手册,计算器话题,谷歌随机的结果,博客等,但pcated都很德$ P $。
I have read many articles, manuals, stackoverflow topics, google random results, blogs, etc, but are all very deprecated.
使用实际的做法 (TL;博士在这里)的我只需要在不同的服务器上的立场得到设计3和骨干之间的真正的会话,并抱着它,就像两个独立的项目。远程登录,你知道的。
Using a practical approach (tl;dr here) I just need get a real session between Devise 3 and Backbone in different server stances and holding it, like two separate projects. Remote login, you know.
我真的坚持了,所以我将大大AP preciate您的建议。
I'm really stuck with that so I would greatly appreciate your suggestions.
感谢你们。
推荐答案
我个人有在我的项目相同的情况下与角,而不是作为骨干前端和Rails 4 API与设计。我会尝试,我得到了你的问题正确的假设总结东西给你。
Personally I have the same situation in my project with Angular instead of Backbone as a front-end and Rails 4 API with Devise. I will try to sum things up for you in the assumption that I got your question right.
要在你的情况下,您需要确保会议正常工作是:
To work correctly with the sessions in your scenario you need to be sure that:
- 浏览器正确处理通信(即他们不与您的数据混乱,因为请求不符合政策CORS)
- 和,您的要求打通Rails的CSRF保护
请阅读这篇文章关于CORS 。如果你不熟悉CORS的文章应该提供我的回答必要的背景。关于CSRF保护一些信息是这里
Please, read this article about CORS. If you are not familiar with CORS the article should provide necessary background for my answer. Some info about CSRF protection is here
下面是您的方案一步一步的:
Here is your scenario step-by-step:
- Backbone.js的发送
GET
的要求,如的http:// yourserver /登入
- Rails的服务器发送将存储在浏览器和CSRF令牌会话cookie,它可以某处你的主干应用程序中保存。
- Backbone.js的发送
使用用户凭据(名称,密码),并在头CSRF令牌和饼干当前擅自会后
请求。至关重要的是,请求包含会话信息。否则,它将on Rails的一侧被授予不同的CSRF令牌,你会得到警告:无法验证令牌CSRF真实性
的消息 - Backbone.js的获得授权会议回来,如果凭据是正确的。
- Backbone.js sends
GET
request such ashttp://yourserver/signin
- Rails Server sends session cookie that will be stored in the browser and CSRF token, which can be stored somewhere within your Backbone application.
- Backbone.js sends
POST
request with user credentials (name, password) and CSRF token in headers and current unauthorized session in cookies. It is crucial that request contains session information. Otherwise it will be granted different CSRF token on Rails side and you will getWARNING: Can't verify CSRF token authenticity
message. - Backbone.js gets authorized session back if the credentials are correct.
下面是可以做些什么来得到它的工作:
Here is what can be done to get it working:
-
Rails的后端应该从前端的请求作出正确的反应。这意味着它应该:
Rails backend should respond correctly to requests from front-end. Which means it should:
- 响应
选项
请求(preflight请求) - 发送正确的CORS头文件
- 能够与前端通信CSRF令牌
- Respond to
OPTIONS
requests (preflight requests) - Send correct CORS headers
- Able to communicate CSRF token with the front-end
前端应该:
- 能与凭据发送请求
- 获取并使用正确的CSRF令牌
教你的Rails后端对CORS请求做出响应的最简单的方法是使用
机架CORS 宝石。这也将提供正确的CORS头。
The simplest way to teach your Rails back-end to respond to CORS requests is to use rack-cors gem. This will also provide correct CORS headers.
config.middleware.insert_before Warden::Manager, Rack::Cors do
allow do
origins '*' # it's highly recommended to specify the correct origin
resource '*',
:headers => :any,
:methods => [:get, :post, :options], # 'options' is really important
# for preflight requests
:expose => ['X-CSRF-Token'] #allows usage of token on the front-end
end
end
在后端侧最后一件事是提供CSRF令牌。自定义设计的控制器应完全处理该任务。
Last thing on a backend side is to provide CSRF token. Custom Devise controller should handle this task perfectly.
class SessionsController < Devise::SessionsController
after_action :set_csrf_header, only: [:new, :create, :destroy]
#...
protected
def set_csrf_header
response.headers['X-CSRF-Token'] = form_authenticity_token
end
end
请注意,你需要CSRF令牌当你第一次送 GET
请求(新
),当您通过递交国书 POST
请求(创建
),当您通过发送登出您的应用程序的删除
请求(摧毁
)。如果你不令牌发送CSRF上登出,您将无法登录,而无需重新加载页面。
Note that you need CSRF token when you send first GET
request (new
), when you submit credentials through POST
request (create
) and when you sign out of your application by sending DELETE
request (destroy
). If you don't send CSRF token on sign out you won't be able to sign in without reloading the page.
而在配置的某个地方/ routes.rb中不要忘记指定您正在使用自定义控制器:
And somewhere in config/routes.rb don't forget to specify that you are now using custom controller:
/config/routes.rb
devise_for :users, :controllers => {:sessions => "sessions"}
现在,到前端。请看看<一个href=\"https://github.com/$c$cbrew/backbone-rails/blob/master/vendor/assets/javascripts/backbone_rails_sync.js\">this重写标准 Backbone.sync
并处理与Rails的服务器通信脚本。
这几乎是与好几个需要更正:
Now, to the front-end. Please, have a look at this script that overrides standard Backbone.sync
and handles communication with Rails server.
It is almost good with couple of corrections needed:
beforeSend: function( xhr ) {
if (!options.noCSRF) {
// we dont have csrf-token in the document anymore
//var token = $('meta[name="csrf-token"]').attr('content');
// New Line #1
// we will get CSRF token from your application.
// See below for how it gets there.
var token = YourAppName.csrfToken;
if (token) xhr.setRequestHeader('X-CSRF-Token', token);
// New Line #2
// this will include session information in the requests
xhr.withCredentials = true;
}
//..some code omitted
//................
// Trigger the sync end event
var complete = options.complete;
params.complete = function(jqXHR, textStatus) {
// New Lines #3,4
// If response includes CSRF token we need to remember it
var token = jqXHR.getResponseHeader('X-CSRF-Token')
if (token) YourAppName.csrfToken = token;
model.trigger('sync:end');
if (complete) complete(jqXHR, textStatus);
};
}
我不知道这有资格作为一个完整的回答你的问题,但至少它是值得的开始。它可能不是最好的方式,但它是这样的。让我知道如果您有任何疑问。
I'm not sure this qualifies as a complete answer to your question, but at least it is something to start from. It might not be the best way, but it is the way. Let me know if you have any questions.
这篇关于什么是用户身份验证的最佳方法与设计3和骨干?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!