```ruby
# app/controllers/sessions_controller.rb
class SessionsController < Devise::SessionsController
  # This controller provides a JSON version of the Devise::SessionsController and
  # is compatible with the use of SimpleTokenAuthentication.
  # See https://github.com/gonzalo-bulnes/simple_token_authentication/issues/27

  def create
    # Fetch params
    email = params[:session][:email] if params[:session]
    password = params[:session][:password] if params[:session]
    id = User.find_by(email: email).try(:id) if email.present?

    # Validations
    if request.format != :json
      render status: 406, json: { message: 'The request must be JSON.' }
      return
    end
    if email.nil? || password.nil?
      render status: 400, json: { message: 'The request MUST contain the user email and password.' }
      return
    end

    # Authentication
    user = User.find_by(email: email)
    if user
      if user.valid_password? password
        user.reset_authentication_token!
        # Note that the data which should be returned depends heavily on the API client's needs.
        render status: 200, json: { email: user.email, authentication_token: user.authentication_token, id: id }
      else
        render status: 401, json: { message: 'Invalid email or password.' }
      end
    else
      # Same message as for a wrong password, so the response does not reveal which emails exist.
      render status: 401, json: { message: 'Invalid email or password.' }
    end
  end

  def destroy
    # Fetch params
    user = User.find_by(authentication_token: params[:user_token])
    if user.nil?
      render status: 404, json: { message: 'Invalid token.' }
    else
      user.authentication_token = nil
      user.save!
      render status: 204, json: nil
    end
  end
end
```
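The HTTP exchange this controller expects, written as an added client-side example that is not part of the gist. It assumes Devise's default routes (`/users/sign_in`, `/users/sign_out`) and shows the `Accept` header the 406 check requires, the `session`-nested credentials, and the `user_token` parameter that `destroy` reads.

```ruby
require 'json'
require 'net/http'
require 'uri'

# Devise's default session routes; an assumption of this example, not the gist's.
SIGN_IN_PATH  = '/users/sign_in'
SIGN_OUT_PATH = '/users/sign_out'

# Builds the request SessionsController#create expects: a JSON body with the
# credentials nested under "session", plus an Accept header so that
# request.format is :json (the controller answers 406 otherwise).
def sign_in_request(base_url, email, password)
  req = Net::HTTP::Post.new(URI.join(base_url, SIGN_IN_PATH))
  req['Content-Type'] = 'application/json'
  req['Accept'] = 'application/json'
  req.body = JSON.generate(session: { email: email, password: password })
  req
end

# Builds the request for SessionsController#destroy, which looks the user up
# by params[:user_token] and clears the token (204) or answers 404.
def sign_out_request(base_url, token)
  uri = URI.join(base_url, SIGN_OUT_PATH)
  uri.query = URI.encode_www_form(user_token: token)
  req = Net::HTTP::Delete.new(uri)
  req['Accept'] = 'application/json'
  req
end

# Interprets a #create response: the token on 200, nil on any other status.
# 400 (missing fields), 401 (bad credentials) and 406 (not JSON) all map to
# nil so an error body is never mistaken for a token.
def token_from_sign_in(status, body)
  return nil unless status == 200
  JSON.parse(body)['authentication_token']
end

# Interprets a #destroy response: only 204 means the token was revoked.
def signed_out?(status)
  status == 204
end

# Runs the full exchange against a live server (not exercised offline).
def sign_in_and_out(base_url, email, password)
  uri = URI(base_url)
  Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') do |http|
    res = http.request(sign_in_request(base_url, email, password))
    token = token_from_sign_in(res.code.to_i, res.body)
    return false if token.nil?
    signed_out?(http.request(sign_out_request(base_url, token)).code.to_i)
  end
end
```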
Hi again @gonzalo-bulnes.
After looking at this comment of yours a little more carefully, I think I got it. I now have a basic custom SessionsController performing login (creation of auth_token) and logout (authenticating the user and destroying the auth_token in case authentication was successful). Here is the new gist for it.
Would love to hear from you in regards to my previous questions anyway.
Regards!
Hi @dnlserrano, I believe you're right about both of your observations; this sessions controller needs a serious review.
I took a look at your gist; it looks better than mine. I'm aware of the Simple Token Authentication issue you opened (#48) about intending to destroy the session with wrong credentials; once fixed, I think we could update your SessionsController and use it as a reference. Sadly I'm a bit short of time these days, but I'll be reading your updates.
Update: @dnlserrano shared his RegistrationsController and SessionsController in that gist (original comment).
Hi Gonzalo (@gonzalo-bulnes),
If we are doing all the ground work, there is nothing in Devise SessionController that is required; should this class still extend Devise SessionController?
@gonzalo-bulnes, btw thanks for SimpleToken.
Why is this code in the gist needed? Can't you just check the current_user?
PS: I tried to check current user but it always returns a user (whether I signed in with a valid or invalid token)?
I just wrote an article about how to add a JSON API login based on Devise and simple token authentication. But I don't know how to test the sign_out API with Python code now. @gonzalo-bulnes
Hi @gonzalo-bulnes
First of all, great work on the gem. Now the questions.
I was wondering how one could design a destroy action keeping the same ideas we are using to authenticate the user in any other action while following the DRY principles. A suggestion is to use the method for authentication in the other actions but this seems to be private to the ActsAsTokenAuthenticationHandlerMethods module.
Btw, my SessionsController is now looking like this.
Thanks in advance,
Daniel