Forum: Ruby on Rails Generating and authenticating by API keys

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- and Ruby-related community platforms.
Neil C. (Guest)
on 2009-05-30 14:02
I'm trying to get my head round offering up an API for a RESTful app; is
it just a matter of:

1. adding an api_key column to the resource on which incoming requests
will be made (the app has a User model but I think the API authentication
will need to be done on the Site model to which Users belong),

2. generating the API key using Digest::SHA1 or similar (the last dev
used SHA1 for the passwords),

3. authenticating via API keys in a filter (perhaps something along the
lines of option 2 here
http://www.whatcodecraves.com/articles/2008/11/25/...).

Unfortunately, the authentication lib is custom (I would much prefer to
be working with one of the community adopted plugins such as Authlogic,
which appears to have API key authentication anyway).

Am I missing anything or does that sound like a reasonable starting
point?
Matt J. (Guest)
on 2009-05-31 20:00
(Received via mailing list)
If your site is like most, API keys are handed out to users. So it
would probably be best to just store the key on the user model, and
then do a User.find_by_api_key(..etc...) in your before_filter.

--Matt J.


On May 30, 6:02 am, Neil C. <removed_email_address@domain.invalid>
Neil C. (Guest)
on 2009-05-31 21:27
Matt J. wrote:
> If your site is like most, API keys are handed out to users. So it
> would probably be best to just store the key on the user model, and
> then do a User.find_by_api_key(..etc...) in your before_filter.
>
> --Matt J.
>
>
> On May 30, 6:02 am, Neil C. <removed_email_address@domain.invalid>

Thanks Matt

I was coming to the conclusion that all apps are authorizing API keys
per user, rather than per business or account, as I was thinking of
doing in this instance.

The main reason for the original line of thought is that this
application charges for usage per 'Site' (it's a bit like you might
expect a 'Business' or 'Account' model to work) and I've been reading
that the main reason for API keys is that they can be used to monitor usage -
and if I'm monitoring usage, I'm probably going to do it on a per-Site
model basis.

Here's a tutorial on how to add the API keys to restful-authentication,
in case any fellow new newbies stumble across this thread:
http://www.compulsivoco.com/2009/05/rails-api-auth...
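An added example, not code from either poster or from the linked tutorials, putting the three steps of the original post and Matt's before_filter lookup together in plain Ruby (no Rails), keyed per Site as Neil describes. The `Site` struct, the `SITES_BY_DIGEST` hash and the method names are constructed stand-ins for the model, its table and the filter; the key is generated with SecureRandom rather than a SHA1 of something guessable, and only a digest of it is stored.

```ruby
require 'securerandom'
require 'digest'

# Constructed in-memory stand-in for the Site model and its table. In a
# Rails app api_key_digest would be a column with a unique index.
Site = Struct.new(:id, :name, :api_key_digest, :request_count)
SITES_BY_DIGEST = {}   # digest => Site; what find_by_api_key_digest would do

# Step 2 of the original post: issue (or rotate) a key. The raw key is a
# random token, returned once so it can be shown to the customer; only its
# SHA-256 digest is kept, so a leaked table dump cannot be replayed.
def issue_api_key(site)
  SITES_BY_DIGEST.delete(site.api_key_digest) if site.api_key_digest
  raw_key = SecureRandom.hex(20)             # 160 bits of entropy, 40 hex chars
  site.api_key_digest = Digest::SHA256.hexdigest(raw_key)
  SITES_BY_DIGEST[site.api_key_digest] = site
  raw_key
end

# Step 3 / the before_filter: hash the presented key and look the digest
# up. Because the lookup is per Site (the billing unit in the thread), the
# request counter doubles as the usage monitor Neil wants.
def authenticate_api_key(presented_key)
  return nil if presented_key.nil? || presented_key.empty?
  site = SITES_BY_DIGEST[Digest::SHA256.hexdigest(presented_key)]
  site.request_count += 1 if site
  site
end

# Constructed usage: one Site, a good key, an unissued key, then rotation.
def demo
  site = Site.new(1, "example-site", nil, 0)
  key = issue_api_key(site)
  ok = authenticate_api_key(key) == site
  wrong = authenticate_api_key("0" * 40)     # well-formed but never issued
  new_key = issue_api_key(site)              # rotate: old key must stop working
  stale = authenticate_api_key(key)
  new_ok = authenticate_api_key(new_key) == site
  { ok: ok, wrong: wrong, stale: stale, new_ok: new_ok,
    count: site.request_count }
end
```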