jekuno / milia

Easy multi-tenanting for Rails5 (or Rails4) + Devise
MIT License
341 stars 72 forks

Api with authentication_token #56

Closed smirninini closed 7 years ago

smirninini commented 9 years ago

My web app has API functions. On a GET request with an authentication_token, after sign_in the user is redirected to root_path. Is there any way to perform the controller action with the parameters I need, without the redirection?

```
Started GET "/api/bonus_cards/balance?auth_token=v5E-eYKb27yZCOOOOOJJOOJJ&number=00001" for 127.0.0.1 at 2015-03-30 15:46:59 +0300
Processing by ApiController#balance as HTML
  Parameters: {"auth_token"=>"v5E-eYKb27yZCOOOOOJJOOJJ", "number"=>"00001"}
  User Load (4.1ms) SELECT "users".* FROM "users" WHERE (users.tenant_id IS NULL) AND "users"."auth_token" = 'v5E-eYKb27yZCOOOOOJJOOJJ' LIMIT 1
  (0.3ms) BEGIN
  SQL (0.6ms) UPDATE "users" SET "current_sign_in_at" = $1, "last_sign_in_at" = $2, "sign_in_count" = $3, "updated_at" = $4 WHERE "users"."id" = 12 ["current_sign_in_at", "2015-03-30 15:46:59.962394"], ["last_sign_in_at", "2015-03-30 15:46:59.103771"], ["sign_in_count", 49], ["updated_at", "2015-03-30 15:46:59.964500"]
  COMMIT
  Tenant Load (15.0ms) SELECT "tenants".* FROM "tenants" INNER JOIN "tenants_users" ON "tenants"."id" = "tenants_users"."tenant_id" WHERE (tenants.tenant_id IS NULL) AND "tenants_users"."user_id" = $1 ORDER BY "tenants"."id" ASC LIMIT 1 [["user_id", 12]]
MILIA >>>>> [change tenant] new: 11 old: %
  Tenant Load (0.4ms) SELECT "tenants".* FROM "tenants" INNER JOIN "tenants_users" ON "tenants"."id" = "tenants_users"."tenant_id" WHERE (tenants.tenant_id IS NULL) AND "tenants_users"."user_id" = $1 [["user_id", 12]]
Redirected to Redirected to http://localhost:3000/
Completed 302 Found in 43ms (ActiveRecord: 20.9ms)

Started GET "/" for 127.0.0.1 at 2015-03-30 15:47:00 +0300
Processing by RestaurantsController#index as HTML
Completed 401 Unauthorized in 1ms
```

```ruby
# application controller
def auth_by_token!
  # special case for designated actions only
  if (user = User.find_by_auth_token(params[:auth_token]))
    # create a special session after authorizing a user
    reset_session
    sign_in(user, store: false)  # devise's way to sign in the user without storing a session
    # now continue with tenant authorization & set up
    true  # ok to continue processing
  else
    # `user` is nil here, so the uid field below always logs 'n/f'
    act_path = controller_name.to_s + '/' + action_name.to_s
    logger.info("SECURITY - access denied #{Time.now.to_s(:db)} - auth: #{params[:userfeed]}\tuid:#{(user.nil? ? 'n/f' : user.id.to_s)}\tRequest: " + act_path)
    render(:nothing => true, :status => :forbidden)  # redirect_back   # go back to where you were
    nil  # abort further processing
  end
end
```

and in ApiController I have

```ruby
# ApiController
skip_before_action :authenticate_tenant!
prepend_before_action :auth_by_token!, only: [:balance]
protect_from_forgery
```

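A Rails-free sketch of the same token filter, added here as an example and not code from this issue or from milia. It shows the defensive shape of such a filter: the token travels in a header rather than in the URL (the Rails log above records the query string, token included, verbatim), only a digest of the token is stored, and a failed check answers with a status instead of a redirect. The Bearer scheme, the module and method names and the in-memory user store are assumptions.

```ruby
require 'digest'
require 'securerandom'

# Constructed stand-in for the auth_by_token! filter; all names are hypothetical.
module ApiTokenAuth
  # Stand-in for the users table: SHA-256 digest of the token => user record.
  USERS_BY_DIGEST = {}

  def self.digest(token)
    Digest::SHA256.hexdigest(token)
  end

  # Issue a token; the caller shows it once, the store keeps only its digest,
  # so a leaked database row or log line does not yield a usable credential.
  def self.issue_token(user_id:, tenant_id:)
    token = SecureRandom.urlsafe_base64(32)
    USERS_BY_DIGEST[digest(token)] = { id: user_id, tenant_id: tenant_id }
    token
  end

  # Outcome of the before_action: [:continue, user] lets the action run with
  # the user's tenant known; [:halt, status] is what `head status` would send,
  # so an API client gets 401 rather than a 302 to root_path.
  def self.authenticate(headers, path, log = [])
    match = headers['Authorization'].to_s.match(/\ABearer ([A-Za-z0-9_-]+)\z/)
    user = match && USERS_BY_DIGEST[digest(match[1])]
    if user
      [:continue, user]
    else
      # Same "SECURITY - access denied" entry as the filter, minus the secret.
      log << "SECURITY - access denied uid:n/f Request: #{path}"
      [:halt, 401]
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  token = ApiTokenAuth.issue_token(user_id: 12, tenant_id: 11)
  p ApiTokenAuth.authenticate({ 'Authorization' => "Bearer #{token}" }, 'api/balance')
  p ApiTokenAuth.authenticate({ 'Authorization' => 'Bearer wrong' }, 'api/balance')
end
```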
jekuno commented 7 years ago

Do you still have any questions regarding this topic? Feel free to share your findings here.

jekuno commented 7 years ago

Closing this for now. If you still have any questions feel free to comment.