5

我在 AngularJS 中有一个前端,在 RoR 中有一个带有 Devise + Doorkeeper + RocketPants 的后端。现在我有正常工作的 CORS,我可以成功地从我的 API 获得 json 响应(如果我关闭门卫保护)。但现在我正在尝试实现用户密码凭证流程:

关于门卫:

  resource_owner_from_credentials do |routes|
    request.params[:user] = {:email => request.params[:username], :password => request.params[:password]}
    request.env["devise.allow_params_authentication"] = true
    request.env["warden"].authenticate!(:scope => :user)
  end

在 angularjs (src: nils-blum ) 上:

var payload = "username="+username+"&password="+password+"&" +
        "client_id="+client_id+"&client_secret="+client_secret+
        "&grant_type=password"

$http({method: 'POST',
    url: scope.booksh_server + '/oauth/token',
    data:   payload,
    headers: {'Content-Type':'application/x-www-form-urlencoded'}
    }
).success(function (data) {
            tokenHandler.set(data.access_token);
            scope.$broadcast('event:authenticated');
});

注意:Nils 的方法使用有效负载作为带有参数的对象,而不是字符串。就我而言,它给了我带有有效负载的 POST,而不是带有 FORM 参数,因此无法正常工作。

当我输入错误的用户/密码时,rails 日志显示:

    Started POST "/oauth/token" for 127.0.0.1 at 2013-11-22 15:21:08 +0400
  Doorkeeper::Application Load (0.5ms)  SELECT "oauth_applications".* FROM "oauth_applications" WHERE "oauth_applications"."uid" = '981d6d654f5e709b2ca3437401c993a6d09cc91cc3fb16b8e2b3191e6421029c' AND "oauth_applications"."secret" = 'f92c4ec969525352bd03ec1eb810a9952cd0814d37ce5b2b02e8a928b2561e10' ORDER BY "oauth_applications"."id" ASC LIMIT 1
  User Load (0.9ms)  SELECT "users".* FROM "users" WHERE "users"."email" = 'undefined' ORDER BY "users"."id" ASC LIMIT 1

Chrome 开发工具将此请求显示为已取消。Firebug 显示 302 Found 状态的空响应。当我从 chrome REST App执行相同的 POST 时,UPD: server 执行相同的操作,我得到 302 Found 然后它被重定向到设计的登录页面。

此外,如果我输入正确的用户/密码,firefox 会显示 200 OK 的空响应,REST 会收到带有访问令牌的正确 json,chrome 会显示取消响应并抛出 CORS 错误:

XMLHttpRequest cannot load http://0.0.0.0:3000/oauth/token. Origin http://0.0.0.0:9000 is not allowed by Access-Control-Allow-Origin.

服务器日志:

Started POST "/oauth/token" for 127.0.0.1 at 2013-11-22 15:33:22 +0400
  Doorkeeper::Application Load (0.5ms)  SELECT "oauth_applications".* FROM "oauth_applications" WHERE "oauth_applications"."uid" = '981d6d654f5e709b2ca3437401c993a6d09cc91cc3fb16b8e2b3191e6421029c' AND "oauth_applications"."secret" = 'f92c4ec969525352bd03ec1eb810a9952cd0814d37ce5b2b02e8a928b2561e10' ORDER BY "oauth_applications"."id" ASC LIMIT 1
  User Load (0.5ms)  SELECT "users".* FROM "users" WHERE "users"."email" = '123@gmail.com' ORDER BY "users"."id" ASC LIMIT 1
   (0.2ms)  BEGIN
  SQL (0.4ms)  UPDATE "users" SET "last_sign_in_at" = $1, "current_sign_in_at" = $2, "sign_in_count" = $3, "remember_token" = $4, "updated_at" = $5 WHERE "users"."id" = 1  [["last_sign_in_at", Fri, 22 Nov 2013 11:32:49 UTC +00:00], ["current_sign_in_at", Fri, 22 Nov 2013 11:33:23 UTC +00:00], ["sign_in_count", 24], ["remember_token", "N5sRI6vE7B6vRNUlih3G2Q"], ["updated_at", Fri, 22 Nov 2013 11:33:23 UTC +00:00]]
   (17.5ms)  COMMIT
   (1.6ms)  BEGIN
  Doorkeeper::AccessToken Exists (0.3ms)  SELECT 1 AS one FROM "oauth_access_tokens" WHERE "oauth_access_tokens"."token" = '72dd81fd85b638fb14f9d081193b1eda0e58f85d6820718ab635fe195c36a689' LIMIT 1
  SQL (0.3ms)  INSERT INTO "oauth_access_tokens" ("application_id", "created_at", "expires_in", "resource_owner_id", "scopes", "token") VALUES ($1, $2, $3, $4, $5, $6) RETURNING "id"  [["application_id", 1], ["created_at", Fri, 22 Nov 2013 11:33:23 UTC +00:00], ["expires_in", 7200], ["resource_owner_id", 1], ["scopes", ""], ["token", "72dd81fd85b638fb14f9d081193b1eda0e58f85d6820718ab635fe195c36a689"]]
   (28.1ms)  COMMIT

我怎样才能使这项工作?如果电子邮件/密码正确,我需要 POST /oauth/token 来处理身份验证并使用 access_token 进行响应。任何帮助表示赞赏,我厌倦了被困在这个问题上)

4

1 回答 1

8

耶!最后我让它工作了。仍然不知道为什么在整个网络上的教程中它更容易。

所以,问题出在哪里:在我的ApplicationController(根目录,而不是处理 API 的那个)中,我对 CORS 有以下关注:

  before_filter :set_headers

  def set_headers
    headers['Access-Control-Allow-Origin'] = 'http://0.0.0.0:9000'
    headers['Access-Control-Allow-Methods'] = 'GET, POST, PATCH, PUT, DELETE, OPTIONS, HEAD'
    headers['Access-Control-Allow-Headers'] = '*,X-Requested-With,Content-Type,If-Modified-Since,If-None-Match'
    headers['Access-Control-Max-Age'] = '86400'
  end

深入研究这个问题,我发现当我调用 /oauth/token 时不会调用这个函数,但是当我去处理 API 之外的任何其他路由时会调用这个函数ApplicationController

Doorkeeper 有自己的控制器,独立于您的应用程序控制器。文档很好地描述了他们行为的改变(链接),所以这对我有帮助:

路线.rb:

use_doorkeeper do
    controllers tokens: 'custom_tokens'
end

custom_tokens_controller.rb:

class CustomTokensController < Doorkeeper::TokensController

  include AbstractController::Callbacks
  before_filter :set_headers

  def set_headers
    puts 'headers set'
    headers['Access-Control-Allow-Origin'] = 'http://0.0.0.0:9000'
    headers['Access-Control-Allow-Methods'] = 'GET, POST, PATCH, PUT, DELETE, OPTIONS, HEAD'
    headers['Access-Control-Allow-Headers'] = '*,X-Requested-With,Content-Type,If-Modified-Since,If-None-Match'
    headers['Access-Control-Max-Age'] = '86400'
  end
end

重要的是包含Callbacks到控制器中,因为 Doorkeeper 控制器是从 继承的Metal,所以没有包含 rails 就找不到before_filter

现在看起来不错:它验证了我的用户/密码对,并返回 access_token (我希望它可以工作:D)。如果出现问题,现在应该重定向。这是我知道解决方案(自定义看守失败)的问题,所以现在一切正常。哼!很长...如果有人知道为什么基于互联网的食谱没有帮助,请发表您的想法=)

于 2013-11-22T23:29:54.093 回答