Rails的API和原生移动应用程序认证 [英] Rails api and native mobile app authentication

问题描述

我知道有很多关于这个主题的信息，但我无法找到任何这是最新的。 我看到这样的这其中涉及轨道和Android认证，但我看到的 TokenAuthenticatable 现在从色器件。

I know there is a lot of information about this topic, but I can't find any that is up to date. I see topics like this one relating to rails and android authentication but I see that TokenAuthenticatable is now removed from devise.

我的问题很简单：有什么好办法来验证，从原生的Andr​​oid和iPhone用户的应用程序使用Rails 4？有谁知道好的教程或文章，提供了一个解决方案吗？

My question is simple: is there a good way to authenticate users from native Android and iPhone apps using Rails 4? Does anyone know of good tutorials or articles that provide a solution ?

亚当·韦特添加赏金：

我刚刚开了这个问题，500赏金，因为我无法找到正确的做法从iOS应用程序用户随时随地验证到Rails的API。这是我正在考虑做什么，但不知道，如果它的安全与否？！

I have just opened a 500 bounty on this question because I can't find the correct practice for authenticating a user from an iOS app to a Rails API anywhere. This is what I was considering doing but have no idea if it's secure or not?!:

让我们假设有一个用户记录。用户已注册了这创造了一个用户记录与电子邮件列和数据库的帐户 password_digest 列。

Let's assume we have a User record. A user has signed up for an account which has created a User record in the database with an email column and a password_digest column.

在用户登录，在我想该用户在移​​动应​​用程序，以保持验证，直到明确签订淘汰。

When the user signs-in I would like that user to remain authenticated on the mobile app until explicitly signing-out.

我想我们将需要一个基于令牌的认证。我或许会创建用户创建并有保存在用户记录关联时的ApiKey记录。

I imagine we're going to need a token based authentication. I would perhaps create an ApiKey record when the User is created and have that saved as an association on the User record.

当用户迹象/时，响应将包含一个API令牌（类似于 SecureRandom.hex ）将被保存在iOS的钥匙串，并与所有使用后续请求通过将其在报头和使用类似验证它来验证用户：

When the user signs in/up, the response will contain an API token (something like SecureRandom.hex) which will be saved in the iOS Keychain and used with all subsequent requests to verify the user by passing it in a header and verifying it using something like:

before_filter :restrict_access

private

def restrict_access
authenticate_or_request_with_http_token do |token, options|
  ApiKey.exists?(access_token: token)
end

这是安全的？我应该用清爽每个请求的令牌，包括它的反应如何？

Is this secure? Should I be refreshing the token with every request and including it in the response?

我有什么其他选择？什么是对Facebook，Twitter和Pinterest的喜欢吗？

What other options do I have? What do the likes of Facebook, Twitter and Pinterest do?

我知道OAuth2.0的，但就是不给予外部应用程序？

I am aware of OAuth2.0, but is that not for granting external applications?

有一个宝石，管理任何这？

Is there a gem that manages any of this?

对不起，完全不能确定在这里。

Sorry, completely unsure here.

500的最佳答案。

推荐答案

从我的研究解决方案的要点。随意编辑，正确的，无效等。

Gist of a solution from my research. Feel free to edit, correct, invalidate, etc.

SessionsController < ApplicationController
  skip_before_filter :authenticate_user, :only => [:create]
  def create
    user = User.where("username = ? OR email = ?", params[:username_or_email], params[:username_or_email]).first
    if user && user.authenticate(params[:password])
      api_key = user.find_api_key
      if !api_key.secret_key || api_key.is_expired?
        api_key.set_expiry_date
        api_key.generate_secret_key
      end
      api_key.save
      render json: api_key, status: 201     
    else
      status: 401
    end
  end

请注意的ApiAuth.authentic？方法和请求对象。申请必须与客户端上的HMAC算法进行签名。

Note the ApiAuth.authentic? method and the request object. The request must be signed with an HMAC algorithm on the client.

ApplicationController < ActionController::Base
  respond_to :json
  force_ssl
  protect_from_forgery with: :null_session 
  before_filter :authenticate_user
  private
  def authenticate_user
    if authenticate_user_from_secret_key
      return true
    else
      head :unauthorized 
    end
  end
  def authenticate_user_from_secret_key
    userid = ApiAuth.access_id(request)
    currentuser = userid && User.find_by_id(userid)
    if ApiAuth.authentic?(request, currentuser.find_api_key.secret_key)
      return true
    else
      return false
    end
    false
  end

用户创建/登记

User creation/registration

UsersController < ApplicationController
  skip_before_filter :authenticate_user, :only => [:create]
  def create
      user = User.create(user_params)
      if !user.new_record?
        render json: user.find_apit_key, status: 201

      else
       # error
      end
  end

API密钥模式。到API密钥模型＃352 railscast唯一的区别是类似ApiAuth密钥生成。

Api key model. Similar to api key model in #352 railscast only difference is ApiAuth key generation.

class ApiKey < ActiveRecord::Base
  before_create :generate_secret_key, :set_expiry_date
  belongs_to :user   
  def generate_secret_key
    begin
    self.secret_key = ApiAuth.generate_secret_key
    end while self.class.exists?(secret_key: secret_key)
  end

用户模式。

class User < ActiveRecord::Base
  has_secure_password
  before_save :ensure_api_key 
  has_many :api_keys 
  def find_api_key
   self.api_keys.active.ios.first_or_create
  end

在客户端的HMAC算法必须使用签名的请求。

On the client side the HMAC algorithm must be used to sign requests.

在code是： [SHA1 HMAC密钥生成/验证] https://github.com/mgomes/api_auth [控制器和放大器;型号] <一个href="https://github.com/danahartweg/authenticatable_rest_api">https://github.com/danahartweg/authenticatable_rest_api

The code is from: [SHA1 HMAC Key generation/authentication] https://github.com/mgomes/api_auth [Controllers & Models] https://github.com/danahartweg/authenticatable_rest_api

这篇关于Rails的API和原生移动应用程序认证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！