1

I have a rails application that contains all front-end part , administrative and register/login/logout (Devise).

I also have a part with more dynamic maps that is written in javascript React. It runs on a controller / view separately in the same application.

I created an api using Grape to expose the data to React.

My question is how to know that the user is logged in without the use of tokens.

Which way ? I can use cookies and session stored in the browser? How would?

I can get the user id by:

user_id = env['rack.session']['warden.user.user.key'].first.first

That would be fine?

User.find(user_id)

It's safe?

Ricardo
  • 159
  • 1
  • 2
  • 9

1 Answers1

2

One of my application I have use devise authentication like below:

api.rb

#require 'grape'
module Base
  class API < Grape::API
    prefix 'api'
    version 'v1', :using => :header, :vendor => 'vendor'
    format :json

    helpers do
      def current_user
        user = User.where(authentication_token: params[:auth_token], is_approved: true).first
        if user
          @current_user = user
        else
          false
        end
      end

      def authenticate!
        error!('401 Unauthorized', 401) unless current_user
      end

    end


    # load the rest of the API
    mount V1::Registration
    mount V1::Sessions

  end
end

sessions.rb

module V1
  class Sessions < Grape::API
    version 'v1', using: :path
    format :json
    prefix :api

    resource :sessions do

      ##<$ User Sign In API $>##
      desc 'Authenticate user and return user object / access token'

      params do
        requires :email, type: String, desc: 'User email'
        requires :password, type: String, desc: 'User Password'
      end

      post do
        email = params[:email]
        password = params[:password]

        if email.nil? or password.nil?
          error!({error_code: 404, error_message: 'Invalid Email or Password.'}, 401)
          return
        end

        user = User.where(email: email.downcase).first
        if user.nil?
          error!({error_code: 404, error_message: 'Invalid Email or Password.'}, 401)
          return
        end

        if !user.valid_password?(password)
          error!({error_code: 404, error_message: 'Invalid Email or Password.'}, 401)
          return
        else
          user.ensure_authentication_token
          user.save
          {status: 'ok', auth_token: user.authentication_token}
        end
      end

      desc 'Destroy the access token'
      params do
        requires :auth_token, type: String, desc: 'User Access Token'
      end
      delete ':auth_token' do
        auth_token = params[:auth_token]
        user = User.where(authentication_token: auth_token).first
        if user.nil?
          error!({error_code: 404, error_message: 'Invalid access token.'}, 401)
          return
        else
          user.reset_authentication_token
          {status: 'ok'}
        end
      end

    end
  end
end
Md Sirajus Salayhin
  • 4,974
  • 5
  • 37
  • 46
  • "My question is how to know that the user is logged in without the use of tokens." thx. – Ricardo Aug 28 '15 at 20:55
  • First of all when you using REST, you cannot use session. Because it is stateless. To check user logged in you need to pass auth_token with every request. And from API side you need to check that auth_token exist or not. – Md Sirajus Salayhin Aug 29 '15 at 04:03