通过 http 标头使用令牌的门卫规范
我的目标是在 iOS 和 Rails4 之间创建安全的 API。所以我一直在尝试看门人宝石一段时间。但是我现在正在浪费时间进行测试和配置。详细来说,问题是doorkeeper_for通过 HTTP 标头传输的方法和令牌。如何使用http请求参数成功,但通过参数发送令牌不好。所以我想发送带有 HTTP 标头的令牌,但门卫看不到 where request.header["My_TOKEN_PLACE"]。
环境
现在,我有api_controller.rb, communities_controller.rb, communities_controller_spec.rb, doorkeeper.rb.
api_controller.rb
class ApiController < ApplicationController
before_action :create_token
doorkeeper_for :all, scopes: [:app]
respond_to :json, handler: :jbuilder
private
def error_handle
raise 'Failed.'
end
def create_token
params[:access_token] = request.headers["HTTP_AUTHENTICATION"]
# this does not read by doorkeeper
end
end
和communities_controller.rb
class CommunitiesController < ApiController
def show
@community = Community.find params[:id]
end
def search
Query.create q: @search_form.q if @search_form.q.present?
community_search = Community.search title_or_description_cont: @search_form.q
@communities = community_search.result(distinct: true).page params[:page]
end
end
和communities_controller_spec.rb
require 'spec_helper'
describe CommunitiesController do
let!(:application) { Doorkeeper::Application.create!(name: "MyApp", redirect_uri: "http://app.com") }
let(:user){ create :user }
let!(:access_token) { Doorkeeper::AccessToken.create! application_id: application.id, resource_owner_id: user.id, scopes: "app" }
before(:each) do
request.env["HTTP_ACCEPT"] = 'application/json'
end
describe "#show" do
let(:community) { create :community }
before do
request.headers["HTTP_AUTHENTICATION"] = access_token.token
get :show, id: community
end
it { expect(response).to be_success }
it { expect(response.status).to be 200 }
end
describe "#search" do
before { get :search, access_token: access_token.token }
it { expect(response).to be_success }
it { expect(response.status).to be 200 }
end
end
和config/initializer/doorkeeper.rb
Doorkeeper.configure do
orm :active_record
resource_owner_authenticator do
User.find id: session[:user_id]
default_scopes :app
end
结果rspec communities_controller.rb就在这里。
/Users/shogochiai/Documents/anyll% be rspec spec/controllers/communities_controller_spec.rb
FF..
Failures:
1) CommunitiesController#show should be success
Failure/Error: it { expect(response).to be_success }
expected success? to return true, got false
# ./spec/controllers/communities_controller_spec.rb:20:in `block (3 levels) in <top(required)>'
2) CommunitiesController#show should equal 200
Failure/Error: it { expect(response.status).to be 200 }
expected #<Fixnum:401> => 200
got #<Fixnum:803> => 401
Compared using equal?, which compares object identity,
but expected and actual are not the same object. Use
`expect(actual).to eq(expected)` if you don't care about
object identity in this example.
# ./spec/controllers/communities_controller_spec.rb:21:in `block (3 levels) in <top(required)>'
Finished in 0.33439 seconds
4 examples, 2 failures
Failed examples:
rspec ./spec/controllers/communities_controller_spec.rb:20 # CommunitiesController#show should be success
rspec ./spec/controllers/communities_controller_spec.rb:21 # CommunitiesController#show should equal 200
Randomized with seed 18521
它似乎
before do
request.headers["HTTP_AUTHENTICATION"] = access_token.token
get :show, id: community
end
未通过身份验证
和
before { get :search, access_token: access_token.token }
已通过身份验证。
补充
我pp在控制器中进行了调试,pp request结果pp responce有一对键值对"HTTP_AUTHENTICATION": "xrfui24j53iji34.....(some Hash value)".