宝石“devise_token_auth”方法:authenticate_user!尽管有效的身份验证参数返回 401

vip*_*169 5 ruby devise ruby-on-rails-4 postman

我正在尝试使用 gem“devise_token_auth”对每个 json api 请求对用户进行身份验证。但是,我也想支持旧设备身份验证"config.enable_standard_devise_support = true"

#app/controllers/api/v1/api_controller.rb
class Api::V1::ApiController < ApplicationController
  respond_to :json
  include DeviseTokenAuth::Concerns::SetUserByToken
  before_filter :authenticate_user_from_token!
  ....
  def authenticate_user_from_token!
    user_email = request.headers["X-User-Email"].presence || request.headers["uid"].presence
    client_id = request.headers["client"].presence
    access_token = request.headers["access-token"].presence
    user = user_email && User.find_by_email(user_email)
    auth_token = request.headers["X-Auth-Token"].presence
    if user && auth_token && Devise.secure_compare(user.authentication_token, auth_token)
      sign_in user, store: false
      authenticate_user!
    elsif access_token && client_id && user && user.valid_token?(access_token, client_id)
      authenticate_user!
    else
      throw(:warden, scope: :user)
    end
  end
  ....
end
Run Code Online (Sandbox Code Playgroud)

以下是对应的rspec

describe "Sign In" do
      it "allows further api requests with valid auth token and denies ones with invalid token" do
        post "/api/v1/sign_in", {"email": @user.email, "password": @user.password}, :format => :json
        expect_status(200)

        auth_header1 = response.header.slice('X-User-Email', 'X-Auth-Token', 'Content-Type')
        auth_header2 = response.header.slice('X-User-Email', 'X-Auth-Token', 'Content-Type')
        auth_header2["X-Auth-Token"] = "WRONGTOKEN"

        # Valid auth token
        get "/api/v1/cycle_days", {}, auth_header1
        expect_status(200)

        # Invalid auth token
        get "/api/v1/cycle_days", {}, auth_header2
        expect_status(401)

        # Cancan failure
        get "/api/v1/user/#{@user.id}", {}, auth_header2
        expect_status(301)
      end
    end
Run Code Online (Sandbox Code Playgroud)

当邮递员中的实际 API 失败时,此 rspec 正在通过,在用户成功登录后,所有 API 都返回 401 {'error' : 'authentication error'}