Comments on: Easy Rails API Authentication Using restful-authentication http://www.justinbritten.com/work/2009/05/rails-api-authentication-using-restful-authentication/ Ruby on Rails web application design, development and consulting Tue, 31 Aug 2010 21:37:29 +0000 hourly 1 http://wordpress.org/?v=3.0 By: Sean http://www.justinbritten.com/work/2009/05/rails-api-authentication-using-restful-authentication/#comment-1084 Sean Tue, 31 Aug 2010 21:37:29 +0000 http://www.justinbritten.com/work/?p=224#comment-1084 Really helpful, thanks! Really helpful, thanks!

]]> By: Alican http://www.justinbritten.com/work/2009/05/rails-api-authentication-using-restful-authentication/#comment-170 Alican Wed, 21 Oct 2009 09:50:20 +0000 http://www.justinbritten.com/work/?p=224#comment-170 Thanks for tutorial, I implemented correctly and working so far but I can access xmls without api key parameter passed. I.e /tasks.xml returning all tasks by XML format (need to asks for api key?) /tasks.xml?api_key=randomkeyhere returning tasks by XML format normally How can i restrict respond to xml blocks with only API key. Regards. Thanks for tutorial, I implemented correctly and working so far but
I can access xmls without api key parameter passed.

I.e
/tasks.xml returning all tasks by XML format (need to asks for api key?)
/tasks.xml?api_key=randomkeyhere returning tasks by XML format normally

How can i restrict respond to xml blocks with only API key.
Regards.

]]> By: Christoph Bünte http://www.justinbritten.com/work/2009/05/rails-api-authentication-using-restful-authentication/#comment-169 Christoph Bünte Mon, 24 Aug 2009 09:28:12 +0000 http://www.justinbritten.com/work/?p=224#comment-169 Thanx for sharing the code, it was pretty useful. But there is a security issue with the login_from_api_key method. The following finder finds a user, but it's supposed to find none: User.find_by_api_key('') So any user can authenticate itself by leaving the api_key parameter value blank. This is how i do it: def login_from_api_key self.current_user = User.valid.find_by_api_key(params[:api_key]) unless params[:api_key].blank? end Thanx for sharing the code, it was pretty useful. But there is a security issue with the login_from_api_key method. The following finder finds a user, but it’s supposed to find none: User.find_by_api_key(”)

So any user can authenticate itself by leaving the api_key parameter value blank. This is how i do it:

def login_from_api_key
self.current_user = User.valid.find_by_api_key(params[:api_key]) unless params[:api_key].blank?
end

]]> By: Alexandre Carvalho http://www.justinbritten.com/work/2009/05/rails-api-authentication-using-restful-authentication/#comment-168 Alexandre Carvalho Mon, 10 Aug 2009 23:33:57 +0000 http://www.justinbritten.com/work/?p=224#comment-168 Using: ./script/generate controller APIKeys will give you some trouble because of the rails namings conventions Use: ./script/generate controller ApiKeys and you won't have any problem like the one with the helper. Using:

./script/generate controller APIKeys

will give you some trouble because of the rails namings conventions

Use:

./script/generate controller ApiKeys

and you won’t have any problem like the one with the helper.

]]> By: Tony Stubblebine http://www.justinbritten.com/work/2009/05/rails-api-authentication-using-restful-authentication/#comment-167 Tony Stubblebine Fri, 07 Aug 2009 02:24:24 +0000 http://www.justinbritten.com/work/?p=224#comment-167 Awesome post. Very helpful. We're rolling out some code at CrowdVine with this. Having it laid out meant it was easy to squeeze this feature in between other work. Thank you! Awesome post. Very helpful. We’re rolling out some code at CrowdVine with this. Having it laid out meant it was easy to squeeze this feature in between other work. Thank you!

]]> By: maheshbalaji http://www.justinbritten.com/work/2009/05/rails-api-authentication-using-restful-authentication/#comment-166 maheshbalaji Fri, 17 Jul 2009 04:26:24 +0000 http://www.justinbritten.com/work/?p=224#comment-166 use the above code ( API Authentication Using restful-authentication) but i am facing an 500 error and i have checked my development log it shows the errors like /simpletwitterapp/app/helpers/api_keys_helper.rb to define ApiKeysHelper is there any thing has to define in it use the above code ( API Authentication Using restful-authentication) but i am facing an 500 error and i have checked my development log it shows the errors like /simpletwitterapp/app/helpers/api_keys_helper.rb to define ApiKeysHelper is there any thing has to define in it

]]> By: Avishai http://www.justinbritten.com/work/2009/05/rails-api-authentication-using-restful-authentication/#comment-165 Avishai Fri, 05 Jun 2009 16:17:11 +0000 http://www.justinbritten.com/work/?p=224#comment-165 Very cool. I've been working on a similar way to authenticate users to edit stuff they've posted to my app, without having to create an account. Turns out you can override the default REST routes to require some kind of token or key to authorize the action: map.resources :things do |thing| map.edit '/things/:id/edit/:verification_code', :controller => "posts", :action => "edit" map.confirm '/things/:id/confirm/:verification_code', :controller => "things", :action => "confirm" end Works fine in dev, but haven't really tested it yet. Very cool. I’ve been working on a similar way to authenticate users to edit stuff they’ve posted to my app, without having to create an account. Turns out you can override the default REST routes to require some kind of token or key to authorize the action:

map.resources :things do |thing|
map.edit ‘/things/:id/edit/:verification_code’, :controller => “posts”, :action => “edit”
map.confirm ‘/things/:id/confirm/:verification_code’, :controller => “things”, :action => “confirm”
end

Works fine in dev, but haven’t really tested it yet.

]]>