I am trying to implement user authentication using Devise for my Rails/iOS app. I am having trouble since I've mostly been a "user" of Devise and was using it for pure web apps so didn't need to bother so much with what goes on behind the scenes. Now that I have to build authentication for an API based app, it's entirely a different world.
我正在为我的Rails/iOS应用程序设计用户身份验证。我遇到了麻烦,因为我大部分时间都是设计的“用户”,我把它用于纯web应用程序,所以不需要为幕后发生的事情操心太多。现在我必须为一个基于API的应用程序构建身份验证,这是一个完全不同的世界。
I've read every single tutorial on the web that deals with this topic (most of them are outdated due to the fact that token_authenticatable has been deprecated) but still having trouble understanding what I need to do.
我已经阅读了web上处理这个主题的每一篇教程(由于token_authenticatable已经被弃用,大多数都已经过时了),但我仍然无法理解我需要做什么。
I also read the original GitHub gist talking about this issue and still don't understand what they are talking about.
我也读了GitHub的原话,谈论这个问题,但仍然不明白他们在说什么。
I'm sure there are people out there just like me who've been just a "user" of Devise so don't really know what goes on behind the scenes.
我敢肯定,有些人就像我一样,一直都是设计的“用户”,所以不知道幕后发生了什么。
Can anyone provide a concise solution to implementing an API based authentication system for a mobile app? I mean it can't be that complex, Devise used to be so awesome since all i needed to do was run rails generate, but this has been nightmare for me.
谁能提供一个简洁的解决方案来实现一个基于API的移动应用的认证系统?我的意思是,它不可能是那么复杂,设计曾经是如此的令人敬畏,因为我所需要做的只是运行rails生成,但这对我来说是一场噩梦。
5 个解决方案
#1
3
I am working on same things as you want,
我在做你想做的事情,
for this you have to use token authentication rather than simple Devise, add following gem in gemfile
为此,您必须使用令牌身份验证而不是简单的设计,在gemfile中添加以下gem
# Use device for authentication
gem 'devise'
gem 'simple_token_authentication'
follow documention simple_token_authentication
遵循documention simple_token_authentication
Use Api like this
curl -v https://example.com/users/sign_in -X POST -H "Accept: application/json" -H "Content-Type: application/json" -d '{"user": {"login": "7838712847" ,"password": "8489", "mobile_type": "ios", "mobile_key": "APA91bG6G4UvjeCWvb8mMAH1ZO3I-8FB3nkRPyCHnwZiXgd16HK18GgoV5n7gjJtZNs038iaFGutzdxnhes3WyaXEX52-xmOyvuEK8S1abBdpuhD9AD5bzLWeu-1Ow_yZRTVg3Nypz1z"}}'
I am using mobile number to login so customize gem according your need
please let me know if it is not working (mail me: er.mukeshsharma.rj21@gmail.com)
请让我知道它是否正常(邮件我:。mukeshsharma.rj21@gmail.com)
#2
1
Recently, we also had to set up token based authentication for our webapp (for API access) - and we also stumbled upon the fact that it has been removed from Devise.
最近,我们还必须为我们的webapp(用于API访问)设置基于令牌的身份验证——我们还偶然发现,它已经从设计中删除了。
We went with Simple Token Authentication which worked just beautifully.
我们使用了简单的令牌身份验证,它工作得非常好。
#3
1
Here is an approach that works excellent for me, when using Devise for authentication in a Rails app. If tests for a token first (you can set the token by any iOS, Android, ... app) and falls back to the default authentication method for your web users.
这是一种对我来说非常有用的方法,当在Rails应用程序中使用设计来进行身份验证时。如果首先测试一个令牌(你可以通过任何iOS、Android、……)然后回到默认的认证方法,为您的web用户。
Rails
Add your own token to the user model, by adding an :api_token string column and fill that with a unique value per user. Using a Digest::SHA1 of some user data (like id + email) is a good starting point, but you can (and should) go as crazy as you like when it comes to generating a unique token.
通过添加一个:api_token字符串列,并为每个用户填充一个惟一的值,向用户模型添加您自己的令牌。使用一个摘要:SHA1的一些用户数据(如id +电子邮件)是一个很好的起点,但是在生成一个唯一的令牌时,您可以(也应该)随心所欲地使用它。
Create a method for authentication over that token. You can add it to your main ApplicationController for easy access (don't forget to put the method in your private section of the controller);
创建一个方法对该令牌进行身份验证。您可以将其添加到主应用程序控制器以方便访问(不要忘记将方法放在控制器的私有部分中);
def authenticate_user_by_token
@api_token = request.headers['HTTP_AUTHORIZATION']
if @api_token.present? && @user = User.find_by_api_token(@api_token)
sign_in @user
return @user
else
return false
end
end
Next create a (private) method and chain this method to the devise before filter method you are using (like :authenticate_user! for example). Put it in the same controller as the method above for easy access;
接下来创建一个(private)方法,并将此方法链接到正在使用的筛选方法之前的设计(比如:authenticate_user!例如)。将其置于与上述方法相同的控制器中,便于访问;
def authenticate_by_token_or_devise!
return authenticate_user! unless authenticate_user_by_token
end
Now Replace your current before_filter call from :authenticate_user! to the newly created one; :authenticate_by_token_or_devise!, like so;
现在,替换当前的before_filter调用:authenticate_user!到新创建的那个;:authenticate_by_token_or_devise !像这样;
before_filter :authenticate_by_token_or_devise!
Or, starting from rails 4 (Rails 4: before_filter vs. before_action), use before_action;
或者,从rails 4开始(rails 4: before_filter和before_action),使用before_action;
before_action :authenticate_by_token_or_devise!
iOS
Now all you have to do is add that token to your iOS app. Depending on the framework that you use in your app, this might be different then the code below.
现在你所要做的就是将这个令牌添加到你的iOS应用程序中。
I use AFNetworking (https://github.com/AFNetworking/AFNetworking) in this example. This is how you set the Authorisation header token in your AFHTTPRequestOperationManager so it gets added to every request you make.
在这个示例中,我使用了AFNetworking (https://github.com/AFNetworking/AFNetworking)。这是如何在AFHTTPRequestOperationManager中设置授权标头令牌,以便将其添加到您发出的每个请求中。
NSString *apiToken = @"your-token-here";
[[_manager requestSerializer] setValue:apiToken forHTTPHeaderField:@"Authorization"];
Optional
Additionally, you can create a before filter method that allows access to token-based authentication only (e.g. if you have a set of /api routes that you only want to be accessed using the token) like this;
此外,您可以创建一个before筛选器方法,该方法只允许访问基于标记的身份验证(例如,如果您有一组/api路由,您只希望使用标记访问它们);
def authenticate_user_by_token!
if !authenticate_user_by_token
render nothing: true, status: :unauthorized and return
end
end
#4
0
When I recently implemented an API, I grudgingly followed a suggestion to use Warden, a rack-based authentication gem. My sense was that an authentication gem that required you to write your own authentication was broken. But this gem provides just the right level of control. My only complaint is that the gem don't handle POST parameters well. I was able to work around it, but that kind of concern should be (IMO) handled by the gem.
当我最近实现一个API时,我不情愿地遵循了一个建议:使用Warden,一个基于rack的认证gem。我的感觉是,需要您编写自己的身份验证的身份验证gem被破坏了。但是这个gem提供了正确的控制级别。我唯一的抱怨是gem不能很好地处理POST参数。我可以在它周围工作,但这种担心应该是由宝石处理的。
Having used it, I highly recommend this gem for any scenario requiring non-generic authentication. Rolling your own authentication strategies is a joy because (a) it's pretty simple and (b) you aren't bound by other devs' assumptions.
在使用了它之后,我强烈推荐这个gem用于任何需要非通用身份验证的场景。使用您自己的身份验证策略是一件乐事,因为(a)它非常简单,(b)您不受其他开发人员假设的约束。
To help you get started, here is my config/initializers/warden.rb file.
为了帮助您入门,这里是我的配置/初始化器/管理员。rb文件。
#5
0
You can use a combination of the devise gem and doorkeeper gem to support web and mobile authentication.
您可以使用设计gem和门卫gem的组合来支持web和移动认证。
For example, I used devise for signing up users and handling forget password and email confirmation flow. For mobile clients, I used the doorkeeper gem as a oauth2 provider to protect my apis. There are many oauth2 grant flows supported by the doorkeeper gem and I suggest you can take a look at those.
例如,我使用设计来注册用户并处理忘记密码和电子邮件确认流。对于移动客户端,我使用门卫gem作为oauth2提供者来保护我的api。有许多oauth2 grant flow由看门人gem支持,我建议你看看这些。
Here's a link! to get started
这里有一个链接!开始
#1
3
I am working on same things as you want,
我在做你想做的事情,
for this you have to use token authentication rather than simple Devise, add following gem in gemfile
为此,您必须使用令牌身份验证而不是简单的设计,在gemfile中添加以下gem
# Use device for authentication
gem 'devise'
gem 'simple_token_authentication'
follow documention simple_token_authentication
遵循documention simple_token_authentication
Use Api like this
curl -v https://example.com/users/sign_in -X POST -H "Accept: application/json" -H "Content-Type: application/json" -d '{"user": {"login": "7838712847" ,"password": "8489", "mobile_type": "ios", "mobile_key": "APA91bG6G4UvjeCWvb8mMAH1ZO3I-8FB3nkRPyCHnwZiXgd16HK18GgoV5n7gjJtZNs038iaFGutzdxnhes3WyaXEX52-xmOyvuEK8S1abBdpuhD9AD5bzLWeu-1Ow_yZRTVg3Nypz1z"}}'
I am using mobile number to login so customize gem according your need
please let me know if it is not working (mail me: er.mukeshsharma.rj21@gmail.com)
请让我知道它是否正常(邮件我:。mukeshsharma.rj21@gmail.com)
#2
1
Recently, we also had to set up token based authentication for our webapp (for API access) - and we also stumbled upon the fact that it has been removed from Devise.
最近,我们还必须为我们的webapp(用于API访问)设置基于令牌的身份验证——我们还偶然发现,它已经从设计中删除了。
We went with Simple Token Authentication which worked just beautifully.
我们使用了简单的令牌身份验证,它工作得非常好。
#3
1
Here is an approach that works excellent for me, when using Devise for authentication in a Rails app. If tests for a token first (you can set the token by any iOS, Android, ... app) and falls back to the default authentication method for your web users.
这是一种对我来说非常有用的方法,当在Rails应用程序中使用设计来进行身份验证时。如果首先测试一个令牌(你可以通过任何iOS、Android、……)然后回到默认的认证方法,为您的web用户。
Rails
Add your own token to the user model, by adding an :api_token string column and fill that with a unique value per user. Using a Digest::SHA1 of some user data (like id + email) is a good starting point, but you can (and should) go as crazy as you like when it comes to generating a unique token.
通过添加一个:api_token字符串列,并为每个用户填充一个惟一的值,向用户模型添加您自己的令牌。使用一个摘要:SHA1的一些用户数据(如id +电子邮件)是一个很好的起点,但是在生成一个唯一的令牌时,您可以(也应该)随心所欲地使用它。
Create a method for authentication over that token. You can add it to your main ApplicationController for easy access (don't forget to put the method in your private section of the controller);
创建一个方法对该令牌进行身份验证。您可以将其添加到主应用程序控制器以方便访问(不要忘记将方法放在控制器的私有部分中);
def authenticate_user_by_token
@api_token = request.headers['HTTP_AUTHORIZATION']
if @api_token.present? && @user = User.find_by_api_token(@api_token)
sign_in @user
return @user
else
return false
end
end
Next create a (private) method and chain this method to the devise before filter method you are using (like :authenticate_user! for example). Put it in the same controller as the method above for easy access;
接下来创建一个(private)方法,并将此方法链接到正在使用的筛选方法之前的设计(比如:authenticate_user!例如)。将其置于与上述方法相同的控制器中,便于访问;
def authenticate_by_token_or_devise!
return authenticate_user! unless authenticate_user_by_token
end
Now Replace your current before_filter call from :authenticate_user! to the newly created one; :authenticate_by_token_or_devise!, like so;
现在,替换当前的before_filter调用:authenticate_user!到新创建的那个;:authenticate_by_token_or_devise !像这样;
before_filter :authenticate_by_token_or_devise!
Or, starting from rails 4 (Rails 4: before_filter vs. before_action), use before_action;
或者,从rails 4开始(rails 4: before_filter和before_action),使用before_action;
before_action :authenticate_by_token_or_devise!
iOS
Now all you have to do is add that token to your iOS app. Depending on the framework that you use in your app, this might be different then the code below.
现在你所要做的就是将这个令牌添加到你的iOS应用程序中。
I use AFNetworking (https://github.com/AFNetworking/AFNetworking) in this example. This is how you set the Authorisation header token in your AFHTTPRequestOperationManager so it gets added to every request you make.
在这个示例中,我使用了AFNetworking (https://github.com/AFNetworking/AFNetworking)。这是如何在AFHTTPRequestOperationManager中设置授权标头令牌,以便将其添加到您发出的每个请求中。
NSString *apiToken = @"your-token-here";
[[_manager requestSerializer] setValue:apiToken forHTTPHeaderField:@"Authorization"];
Optional
Additionally, you can create a before filter method that allows access to token-based authentication only (e.g. if you have a set of /api routes that you only want to be accessed using the token) like this;
此外,您可以创建一个before筛选器方法,该方法只允许访问基于标记的身份验证(例如,如果您有一组/api路由,您只希望使用标记访问它们);
def authenticate_user_by_token!
if !authenticate_user_by_token
render nothing: true, status: :unauthorized and return
end
end
#4
0
When I recently implemented an API, I grudgingly followed a suggestion to use Warden, a rack-based authentication gem. My sense was that an authentication gem that required you to write your own authentication was broken. But this gem provides just the right level of control. My only complaint is that the gem don't handle POST parameters well. I was able to work around it, but that kind of concern should be (IMO) handled by the gem.
当我最近实现一个API时,我不情愿地遵循了一个建议:使用Warden,一个基于rack的认证gem。我的感觉是,需要您编写自己的身份验证的身份验证gem被破坏了。但是这个gem提供了正确的控制级别。我唯一的抱怨是gem不能很好地处理POST参数。我可以在它周围工作,但这种担心应该是由宝石处理的。
Having used it, I highly recommend this gem for any scenario requiring non-generic authentication. Rolling your own authentication strategies is a joy because (a) it's pretty simple and (b) you aren't bound by other devs' assumptions.
在使用了它之后,我强烈推荐这个gem用于任何需要非通用身份验证的场景。使用您自己的身份验证策略是一件乐事,因为(a)它非常简单,(b)您不受其他开发人员假设的约束。
To help you get started, here is my config/initializers/warden.rb file.
为了帮助您入门,这里是我的配置/初始化器/管理员。rb文件。
#5
0
You can use a combination of the devise gem and doorkeeper gem to support web and mobile authentication.
您可以使用设计gem和门卫gem的组合来支持web和移动认证。
For example, I used devise for signing up users and handling forget password and email confirmation flow. For mobile clients, I used the doorkeeper gem as a oauth2 provider to protect my apis. There are many oauth2 grant flows supported by the doorkeeper gem and I suggest you can take a look at those.
例如,我使用设计来注册用户并处理忘记密码和电子邮件确认流。对于移动客户端,我使用门卫gem作为oauth2提供者来保护我的api。有许多oauth2 grant flow由看门人gem支持,我建议你看看这些。
Here's a link! to get started
这里有一个链接!开始