Comments on: Easy Rails API Authentication Using restful-authentication

By: Concepcion Stockbridge

Concepcion Stockbridge — Wed, 31 Aug 2011 05:11:16 +0000

@Offmid123 truly exactly where?

By: Richard Szopa

Richard Szopa — Mon, 15 Aug 2011 21:17:14 +0000

Unless you are using HTTPS, this recipe is *very* insecure. Anybody who has na ability to sniff out what are the HTTP requests done by your user will be able to see the API key and make requests on behalf of your user.

By: Jeff Savin

Jeff Savin — Wed, 18 May 2011 17:48:42 +0000

I rarely post a message stating how helpful snippets of code have been to my learning and/or use in development projects. Your post, I couldn’t bypass, however. A great help!!!! Thanks for taking the time to show this so succinctly.

By: PEPE

PEPE — Thu, 28 Apr 2011 03:06:35 +0000

Great post!!!

How could I do to send thata api_key on the header?

I dont want sent that token by param I would like to do something like

curl http://localhost:3000/users -H “api_key:my_appi_key”

By: d@Ve

d@Ve — Thu, 21 Apr 2011 14:32:46 +0000

alican, did you ever resolve this issue? if not, anyone have further insight to plug this and christoph’s security concerns? looking to implement this solution in the very near short-term.

By: Rohan Dey

Rohan Dey — Sat, 05 Feb 2011 08:18:28 +0000

You just made my day simpler. Thanks for sharing.

By: Sean

Sean — Tue, 31 Aug 2010 21:37:29 +0000

Really helpful, thanks!

By: Alican

Alican — Wed, 21 Oct 2009 09:50:20 +0000

Thanks for tutorial, I implemented correctly and working so far but
I can access xmls without api key parameter passed.

I.e
/tasks.xml returning all tasks by XML format (need to asks for api key?)
/tasks.xml?api_key=randomkeyhere returning tasks by XML format normally

How can i restrict respond to xml blocks with only API key.
Regards.

By: Christoph Bünte

Christoph Bünte — Mon, 24 Aug 2009 09:28:12 +0000

Thanx for sharing the code, it was pretty useful. But there is a security issue with the login_from_api_key method. The following finder finds a user, but it’s supposed to find none: User.find_by_api_key(”)

So any user can authenticate itself by leaving the api_key parameter value blank. This is how i do it:

def login_from_api_key
self.current_user = User.valid.find_by_api_key(params[:api_key]) unless params[:api_key].blank?
end

By: Alexandre Carvalho

Alexandre Carvalho — Mon, 10 Aug 2009 23:33:57 +0000

Using:

./script/generate controller APIKeys

will give you some trouble because of the rails namings conventions

Use:

./script/generate controller ApiKeys

and you won’t have any problem like the one with the helper.