Rails API:使用用户名/密码或facebook令牌从本机移动应用程序验证用户 [英] Rails API: Authenticate users from native mobile apps using username/password or facebook token
问题描述
所以我已经把头发拉了几天,试图找出如何在我的rails mobile API中添加用户名/密码身份验证。
这是我当前身份验证流程的简要概述:
-
用户在移动客户端上选择使用Facebook登录,客户端
重定向到Facebook应用程序并请求access_token -
成功时,Facebook使用访问令牌进行响应,客户端
重定向回我的应用程序。 -
客户端将访问令牌发送到我的API
-
我的API使用来验证用户访问令牌。这是通过将以下before_filter应用于所有控制器来完成的。
before_filter:current_user
和我的application_helper.rb
def current_user
@current_user || = User.authenticate_user_from_facebook(params [:access_token])
end
每次用户向我的API发出请求时,koala gem用于检查令牌是否有效,然后处理请求。
我是什么尝试添加现在只有用户名和密码的身份验证。
我调查过的事情
我一直在提及Railscast 235 ,209,250,82和阅读OAuth2。我对身份验证的工作方式有基本的了解,但我无法将其应用到我当前的身份验证流程。
设计令牌身份验证
参考Railscast 235,209和这篇博文:
http:/ /matteomelani.wordpress.com/2011/10/17/authentication-for-mobile-devices/
我可以理解如何登录和验证用户谁用用户名和密码登录。但是我对如何与我的Facebook登录流程进行筛选感到困惑。我不明白如何为已经拥有Facebook生成的访问令牌的用户创建具有设计的会话。
OAuth2
使我的API成为OAuth2提供商似乎是一个很好的方法,但重定向到浏览器似乎有点愚蠢,我不知道是否可以从浏览器重定向到我的应用程序。 / p>
从头开始验证
这是我想要的选项,但我会重新发明轮子。
感谢您阅读这篇长篇文章!任何建议表示赞赏!
解决方案您可能需要查看守望者。无论您使用令牌,密码还是Facebook,Warden都可以轻松设置和使用不同的身份验证策略。它是基于Rack的,所以它也可以在Rails之外工作,如果你想在API上使用像Grape这样的东西,这很好。
这是 RailsCast on Warden 。 (需要专业订阅)
So I have been pulling my hair out for a few days now trying to figure out how to add username/password authentication to my rails mobile API.
Here is a brief overview of my current authentication flow:
User selects "login with Facebook" on the mobile client, client redirects to Facebook app and requests access_token
On success, Facebook responds with the access token and the client redirects back to my app.
The client sends the access token to my API
My API uses the koala gem to check if the access token is valid.
If the token is valid, Facebook sends the users data to the API where a new user is created. If the user already exists, my API sends down the users data.
My API handles the access token in step 4 as shown below:
def self.authenticate_user_from_facebook(fb_access_token) user = User.new graph = Koala::Facebook::API.new(fb_access_token) profile = graph.get_object('me') #user['fb_id'] = profile['id'] #user['fb_token'] = fb_access_token # Generate user hash uhash = Hash.new uhash['provider'] = 'facebook' uhash['uid'] = profile['id'] uhash['info'] = Hash.new uhash['info']['nickname'] = profile['username'] uhash['info']['name'] = profile['name'] uhash['info']['email'] = profile['email'] uhash['info']['first_name'] = profile['first_name'] uhash['info']['last_name'] = profile['last_name'] uhash['info']['verified'] = profile['verified'] uhash['info']['urls'] = Hash.new uhash['info']['urls']['Facebook'] = profile['link'] uhash['credentials'] = Hash.new uhash['credentials']['token'] = fb_access_token uhash['extra'] = Hash.new uhash['extra']['raw_info'] = Hash.new #Save the new data user = User.apply_auth(uhash) return user end def self.apply_auth(uhash) User.where(:uid => uhash['uid'], :provider => uhash['provider']).first_or_create do |user| user.provider = uhash['provider'] user.uid = uhash['uid'] user.nickname = uhash['info']['nickname'] user.email = uhash['info']['email'] user.name = uhash['info']['name'] user.first_name = uhash['info']['first_name'] user.last_name = uhash['info']['last_name'] end end
Once the user is created, they can make requests to my API using their access token as shown below:
In step 2 the API is using koala to verify the users access token. This is done by applying the following before_filter to all controllers.
before_filter :current_user
and in my application_helper.rb
def current_user @current_user ||= User.authenticate_user_from_facebook(params[:access_token]) end
Every time a user makes a request to my API the koala gem is used to check if the token is valid, then the request is processed.
What I am trying to add now is authentication with only username and password.
Things I have looked into
I have been constantly referring to Railscast 235, 209, 250, 82 and reading up on OAuth2. I have a basic understanding of how authentication works but Im having trouble applying it to my current authentication flow.
Devise Token Authentication Referring to Railscast 235, 209, and this blog post: http://matteomelani.wordpress.com/2011/10/17/authentication-for-mobile-devices/
I can understand how to login and validate a user who logs in with a username and password. However I am confused as to how that will mesh with my Facebook login flow. I do not understand how to create a session with devise for a user who already has an access token generated by Facebook.
OAuth2 Making my API an OAuth2 provider seems like it would be a good way to go, but it seems kind of silly to redirect to a browser, and I don't know if its possible to redirect back from the browser to my app.
Authentication From Scratch This is the option I am thinking of going with but I would be reinventing the wheel.
Thanks for reading this long post! Any advice is appreciated!
解决方案You may want to look into Warden. Warden makes it easy to setup and use different auth strategies whether you use tokens, password or Facebook. It is Rack-based so it also works outside of Rails which is nice if you ever want to use something like Grape for the API.
Here is the RailsCast on Warden. (Pro subscription required)
这篇关于Rails API:使用用户名/密码或facebook令牌从本机移动应用程序验证用户的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!