-
Notifications
You must be signed in to change notification settings - Fork 238
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Q: What is the simple_token_authentication configuration for an api? #67
Comments
Hi @Rotimi, The answer is yes to both questions:
|
@Rotimi, IMO the best way of gem usage for api following:
# /app/controller/api/base_controller.rb
class API::BaseController < ActionController::Base
protect_from_forgery with: :null_session # CSRF protection for API
end
# /app/controller/api/v1/post_controller.rb
class API::V1::PostController < API::BaseController
acts_as_token_authentication_handler_for User, only: [:new]
def index
# ... Accessible for unauthenticated users ...
end
def show
# ... Accessible for unauthenticated users ...
end
def new
# ... Only for authenticated users...
# If current_user is missing, devise throw error with status code 401
end
end In this way you have a CSRF protection and devise will handle cases when current_user is missing |
Note @Rotimi: @donbobka is right, |
For reference: #45 |
IMO this documentation(Rails request forgery protection documentation) is obsolete. Because without |
I may be wrong, but I think that's the point. AFAIK the CSRF protection does not make sense for API (I have previously references this post about that), that's why we disable it. |
I made PR to rails(rails/rails#15608) about this obsolete documentation. Let's look what will say rails maintainers. My quote from this PR, why
|
All the ideas being made @gonzalo-bulnes @donbobka are useful but it seems they highly depend on the use case. For a non-browser client it seems disabling csrf is standard but it turns out that it is not advised when a browser is consuming the json api. See: this and this So I believe the options for a client agnostic api are:
I will probably go with option 3 since it preserves the simple_token_authentication and devise gems especially with their community vetting. Thanks for the help and guidance! PS: With this method is there a problem with devise sending session cookies on registration and login or when devise actually comes into play when |
In this way rails works if you use
Due to |
This configuration is correct for for Grape gem? My application run for http and api mode. config/initializers/simple_token_authentication.rb without modification My User model:
and routes.rb
inside app/controllers/api/v1/certificates.rb
if uncomment ...this error show to :( What is wrong?
|
Hello @BSorbus, The Grape support is work in progress (and I need help with it from someone familiar with Grape!) The intent is described in the wiki, progress is coordinated from #138 (there are intructions there to use the experimental code), and the current bottleneck is described in #194. I suggest you start from #194, as it contains links to the most relevant comments in #138. Please let me know in #138 if you experiment difficulties using the experimental branch, and if you are able to suggest how the Simple Token Authentication methods / callbacks should be distributed between |
Thanks for the information. |
The auth_token gets created in the database when we try to create the user, how should we stop this to generate auth_token only at login POST call. |
Hello @ratneshnavlakhe, Can you open a new issue with your question please? Keeping topics separate makes easier for anyone having the same question to find yours. |
When using this gem for a json api exclusively what is the best practice configuration?
How are controllers protected since there is no "authenticate_user" method.
My config is below, please correct me.
for this gem:
config.sign_in_token = false
acts_as_token_authentication_handler_for User, fallback_to_devise: false
In application_controller.rb, I assume this is diabling json csrf protection?
3) protect_from_forgery with: :null_session -> csrf protection
4) skip_before_action :verify_authenticity_token, if: :json_request?
In devise gem configs to disable redirects:
5) config.to_prepare do
DeviseController.respond_to :json
end
6) config.navigational_formats = ['/', :html]
My issues:
With the above configuration in an api should I be disabling csrf and devise fall_back? #49 seems to imply that the devise fallback should be disabled for api is this correct?
Also, since the fallback is disabled will I have to handle cases in which current_user is missing?
The text was updated successfully, but these errors were encountered: