vip*_*169 5 ruby devise ruby-on-rails-4 postman
我正在尝试使用 gem“devise_token_auth”对每个 json api 请求对用户进行身份验证。但是,我也想支持旧设备身份验证"config.enable_standard_devise_support = true"
#app/controllers/api/v1/api_controller.rb
class Api::V1::ApiController < ApplicationController
respond_to :json
include DeviseTokenAuth::Concerns::SetUserByToken
before_filter :authenticate_user_from_token!
....
def authenticate_user_from_token!
user_email = request.headers["X-User-Email"].presence || request.headers["uid"].presence
client_id = request.headers["client"].presence
access_token = request.headers["access-token"].presence
user = user_email && User.find_by_email(user_email)
auth_token = request.headers["X-Auth-Token"].presence
if user && auth_token && Devise.secure_compare(user.authentication_token, auth_token)
sign_in user, store: false
authenticate_user!
elsif access_token && client_id && user && user.valid_token?(access_token, client_id)
authenticate_user!
else
throw(:warden, scope: :user)
end
end
....
end
Run Code Online (Sandbox Code Playgroud)
以下是对应的rspec
describe "Sign In" do
it "allows further api requests with valid auth token and denies ones with invalid token" do
post "/api/v1/sign_in", {"email": @user.email, "password": @user.password}, :format => :json
expect_status(200)
auth_header1 = response.header.slice('X-User-Email', 'X-Auth-Token', 'Content-Type')
auth_header2 = response.header.slice('X-User-Email', 'X-Auth-Token', 'Content-Type')
auth_header2["X-Auth-Token"] = "WRONGTOKEN"
# Valid auth token
get "/api/v1/cycle_days", {}, auth_header1
expect_status(200)
# Invalid auth token
get "/api/v1/cycle_days", {}, auth_header2
expect_status(401)
# Cancan failure
get "/api/v1/user/#{@user.id}", {}, auth_header2
expect_status(301)
end
end
Run Code Online (Sandbox Code Playgroud)
当邮递员中的实际 API 失败时,此 rspec 正在通过,在用户成功登录后,所有 API 都返回 401 {'error' : 'authentication error'}