hotwired / stimulus

A modest JavaScript framework for the HTML you already have
https://stimulus.hotwired.dev/
MIT License

Best practice for integrating with Rails and Authentication #87

Closed pelted closed 6 years ago

pelted commented 6 years ago

Decided to take a look at Stimulus for loading a few UI pieces after initial page rendering in one of our older Rails apps. For newer apps we've gone with more of the single-page app backed with a Rails API, but this seems like a great way of using it to load smaller elements, and it works well so far.

What approach do you take to deal with the authentication issue? For example, our Devise login screen shows up in the fetched HTML since we are calling :authenticate_user! in the ApplicationController. I don't want to ignore auth on the new routes for these partials as they may contain sensitive data, but it seems like implementing a complete JWT mechanism is overkill since it wouldn't be needed everywhere.

dhh commented 6 years ago

Any fetch you invoke from a Stimulus controller will send the cookies along that the session already has. So whatever authentication you need, you can just piggyback off that already. Don't need to do anything special. Then you can either error out with an Unauthenticated reply from the server or return error-specific HTML to inject from the fetch.

On Wed, Jan 31, 2018 at 5:04 PM, Chris Born notifications@github.com wrote:

Decided to take a look at Stimulus for loading a few UI pieces after initial page rendering in one of our older Rails apps. For newer apps we've gone with more of the single-page app backed with a Rails API, but this seems like a great way of using it to load smaller elements, and it works well so far.

What approach do you take to deal with the authentication issue? For example, our Devise login screen shows up in the fetched HTML since we are calling :authenticate_user! in the ApplicationController. I don't want to ignore auth on the new routes for these partials as they may contain sensitive data, but it seems like implementing a complete JWT mechanism is overkill since it wouldn't be needed everywhere.

basicBrogrammer commented 6 years ago

I was just looking for the answer to this... I'm using Devise, but when it gets back to the controller current_user is nil 🤔

javan commented 6 years ago

If you're making fetch requests, add { credentials: 'same-origin' } to the options: https://github.com/github/fetch#sending-cookies
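
The two answers above (send the session cookie with `credentials: 'same-origin'`, then handle an unauthenticated reply instead of injecting it) combined in one sketch. This is an added example, not code from the thread or from Stimulus; `PARTIAL_FETCH_OPTIONS`, `classifyPartialResponse`, `loadPartial` and `fakeResponse` are hypothetical names, and the sample responses are constructed.

```javascript
// Added example; PARTIAL_FETCH_OPTIONS, classifyPartialResponse, loadPartial
// and fakeResponse are hypothetical names, not Stimulus or Devise APIs.

const PARTIAL_FETCH_OPTIONS = Object.freeze({
  credentials: 'same-origin', // send the session cookie, but only to our own origin
  headers: { Accept: 'text/html', 'X-Requested-With': 'XMLHttpRequest' },
});

// Decide what to do with a response before any of its body reaches the DOM.
function classifyPartialResponse(response) {
  if (response.status === 401 || response.status === 403) return 'unauthenticated';
  // fetch follows redirects by default, so a bounce to the login page shows up
  // as a 200 with redirected === true; never inject that body.
  if (response.redirected) return 'unauthenticated';
  if (!response.ok) return 'error';
  const type = (response.headers.get('content-type') || '').toLowerCase();
  return type.startsWith('text/html') ? 'inject' : 'error';
}

async function loadPartial(url, fetchImpl = globalThis.fetch) {
  const response = await fetchImpl(url, PARTIAL_FETCH_OPTIONS);
  const outcome = classifyPartialResponse(response);
  return { outcome, html: outcome === 'inject' ? await response.text() : null };
}

// Constructed stand-in for a fetch Response so the example runs offline.
function fakeResponse({ status = 200, redirected = false, type = 'text/html; charset=utf-8', body = '' }) {
  return {
    status,
    redirected,
    ok: status >= 200 && status < 300,
    headers: { get: (name) => (name.toLowerCase() === 'content-type' ? type : null) },
    text: async () => body,
  };
}

// Constructed cases: a real partial, a 401, and a login page reached by redirect.
const samples = {
  partial: fakeResponse({ body: '<li>Invoice 42</li>' }),
  rejected: fakeResponse({ status: 401 }),
  loginPage: fakeResponse({ redirected: true, body: '<form action="/users/sign_in"></form>' }),
};
for (const [name, response] of Object.entries(samples)) {
  console.log(name, '->', classifyPartialResponse(response));
}
```

In a Stimulus controller, assign the returned `html` to the target element only when `outcome` is `'inject'`; on `'unauthenticated'`, send the browser to the login page instead of rendering the response body.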

basicBrogrammer commented 6 years ago

Sweet, that worked like a charm 👍 Is there a Slack room or forum to discuss Stimulus other than issues? 😁

sstephenson commented 6 years ago

Closing this for now, but feel free to continue the conversation over on the new Stimulus Discourse.