
I am having a hard time finding a simple tutorial on how to enable single access token authentication using authlogic. There is some documentation but it isn't very helpful.

I added single_access_token to my db, and I added this:

  single_access_allowed_request_types :any

to my Session class, but I still don't understand how a user is authenticated using the credentials param that is passed over every call. My require_authentication before filter does a standard check for current_user like this:

  def current_session
    return @current_session if @current_session
    @current_session = Session.find
  end

  def current_user
    @current_user = current_session && current_session.record
  end

But is that enough to work? Does the Session.find method do the magic to log the user in based on my params, or do I have to create a separate method that actually checks if the user_credentials param is there, then finds the user based on it and logs that user in? I am confused whether I really am "creating" a new session every time I use a SAT or if I'm just setting current_user in a before filter every time an API call is made.

Any help would be amazing! Thanks!

Danny

3 Answers

3

I implemented a single_access_token solution with authlogic and what I had to do was add single_access_allowed_request_types :all to the UserSession model.

Then I added the following to the controller where I wanted to allow single_access_token authentication.

  def single_access_allowed?
    ["some_action_1", "some_action_2", "some_action_3"].include?(action_name)
  end

It looks like you're missing the controller code. So if you had two actions, "get_user_info" and "update_user_info", you would add:

  def single_access_allowed?
    ["get_user_info", "update_user_info"].include?(action_name)
  end
Timothy Hunkele
  • Daniel, did this work? If not let me know what issues you're experiencing and I'll try to help. Thanks! – Timothy Hunkele Nov 03 '11 at 14:07
  • If you need to just generate the `single_access_token`, for example if you want to set it with `update_column` to avoid any callbacks, you can use `Authlogic::Random.friendly_token`. Be aware that if Authlogic changes this, you'll need to update your code. – Joshua Pinter Oct 29 '19 at 02:15
3

The only things I had to do to make this work were:

  • add a field called single_access_token to my users table
  • add a method called single_access_allowed? to each controller where single access should be allowed.

This method would look like this:

# method for authlogic: defines for which actions the single-access-token can be used
def single_access_allowed?
  (action_name == "deliver") || (action_name == "delivery_status")
end

I did not have to add anything in UserSessionsController or the UserSession object. Authlogic handles that for you. With a single-access-token only one request is authenticated, so there is not a persistent session. Each request has to send the single-access-token. Hence the name: a token to get a single access :)

Hope this helps.

nathanvda
0

The source code of authlogic is the best documentation on the single access token. This is the specific section that discusses it.

You will need to add a private method called single_access_allowed? in the controller where you are trying to let users access. The Single Access Token is passed by default as a URL-encoded parameter named user_credentials. So to hit your controller without logging in, the URL will be /your_route/?user_credentials=xxxxxx

Naysawn
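To make the mechanics the question asks about and the answers describe concrete (the token arrives in the user_credentials param on every request, the controller's single_access_allowed? hook gates which actions accept it, and nothing persistent is created), here is an added, dependency-free Ruby model of that per-request flow. It is example code written for this page, not Authlogic's own implementation: the User, SingleAccessSession and ApiController classes, the USERS sample data and the secure_equal? helper are all constructed here, and SecureRandom is used as a stand-in for Authlogic::Random.friendly_token mentioned in the comments above.

```ruby
# Added example (not Authlogic's own code): a minimal model of what a
# single-access-token lookup does on each request, runnable offline.
require "securerandom"

# Constant-time comparison, so that matching a presented token against a
# stored one does not leak how many leading bytes agreed via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Stand-in for the users table with the single_access_token column the
# answers say you must add. Token generation uses SecureRandom here as an
# assumed equivalent of Authlogic::Random.friendly_token.
class User
  attr_reader :id, :login, :single_access_token

  def initialize(id, login)
    @id = id
    @login = login
    @single_access_token = SecureRandom.urlsafe_base64(24)
  end
end

# Constructed sample data standing in for database rows.
USERS = [User.new(1, "danny"), User.new(2, "nathan")].freeze

# Models the params path of Session.find: credentials come only from the
# user_credentials param and nothing is written to a cookie or server-side
# session, which is why every request has to carry the token again.
class SingleAccessSession
  PARAM_KEY = "user_credentials"
  attr_reader :record

  def self.find(controller)
    # The controller hook decides whether this action accepts a SAT at all.
    return nil unless controller.single_access_allowed?
    token = controller.params[PARAM_KEY]
    return nil if token.nil? || token.empty?
    user = USERS.find { |u| secure_equal?(u.single_access_token, token) }
    user && new(user)
  end

  def initialize(record)
    @record = record
  end
end

# A tiny controller shape: only action_name and params matter for this flow.
class ApiController
  attr_reader :action_name, :params, :session_cookie

  def initialize(action_name, params)
    @action_name = action_name
    @params = params
    @session_cookie = {} # stays empty: a SAT request never persists a session
  end

  # The per-controller hook from the answers: only these actions accept a SAT.
  def single_access_allowed?
    %w[get_user_info update_user_info].include?(action_name)
  end

  def current_session
    @current_session ||= SingleAccessSession.find(self)
  end

  def current_user
    current_session && current_session.record
  end

  # The before filter: the action runs only when a user was resolved.
  def require_authentication
    current_user ? :ok : :unauthorized
  end
end

# Runs one request and reports [filter result, resolved login, cookie empty?].
def authenticate(action, params)
  c = ApiController.new(action, params)
  [c.require_authentication, c.current_user && c.current_user.login, c.session_cookie.empty?]
end

if __FILE__ == $PROGRAM_NAME
  p authenticate("get_user_info", { "user_credentials" => USERS[0].single_access_token })
  p authenticate("delete_account", { "user_credentials" => USERS[0].single_access_token })
end
```

Two points worth noticing when running it: a valid token presented to an action outside the allow list is rejected before any lookup happens, and the session cookie stays empty in every case, so a client that drops the param on the next call is unauthenticated again rather than riding on a session it created earlier.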