Allowing users to sign in and identify themselves is called authentication. Typically, we request an email address and a password to authenticate the user, so we can be sure whoever is signing in is the same person who created the account.
http://railsapps.github.io/rails-authorization.html
Railscast #82 HTTP Basic Authentication
Is the api_key" field a string? Charlie McElfresh·Apr-7 5:06 PM @jendiamond yes, it will be a SecureRandom.uuid
http_basic_authenticate_with :name => "user", :password => "password"
http://api.rubyonrails.org/classes/ActionController/HttpAuthentication/Basic.html
Build an API in your Rails app now!
Token Based Authentication in Rails
SecureRandom
http://stackoverflow.com/questions/6021372/best-way-to-create-unique-token-in-rails
http://daniel.fone.net.nz/blog/2014/12/07/generating-unique-random-tokens/
Our problem now is knowing if a user is
a) authorized to access certain controller actions in your API and
b) keeping track of authorized users.
three possible solutions are to
-
use sessions Sessions aren’t really RESTful and since you’re dealing with an API you’d be forced to send a cookie to the client which only works if the client is a browser. If you use any kind of sessions you have now just barred any non-browser client from consuming your API.
-
the database You could store all active tokens in your database with an expiration time and a cron job to kill sessions after that time but keeping track of sessions like that is not RESTful and it puts a lot of strain on your database with tons of reads and writes that have to take place upon every request
-
keep everything in memory (Redis)
===
Redis is an in-memory key-value store.
A database is best for data that needs to be persisted for long periods.
Redis is great for when the data can be destroyed with no consequences.
Redis can only hold as much data as you have free memory – that’s the catch.
In this case you’re only storing short strings for active users for a limited period of time.
If you’ve got a server with 1G of RAM then you should be able to handle at least a few thousands active users at the same time. In my case I have Redis backed up by my database so if the server or the app restarts and Redis loses all its data the database is used as a fallback. During normal operation, however, you’d never hit the database at all.
Our tokens in this application are temporary. Each user is given an access token by first submitting their API key. From there the app verifies the identity of the key and returns an access token along with an expiration time.
So, in summary, we’re using Redis to track active API users via their tokens because it’s fast and cheap.
authenticate_or_request_with_http_token
https://www.codeschool.com/blog/2014/02/03/token-based-authentication-rails/
===
An Example for using it.
Call it in a before filter in your Base or Application Controller.
before_filter :authenticate_through_api_client
def authenticate_through_api_client
# this block should return true or false
authenticate_or_request_with_http_token |token,other_options|
Api client.find_by_client_key(token).present?
end
end
Authorization:Token token=“your_token_goes_here”
Authorization is the key and Token token=“” is value
===