I believe that I’ve set up everything such that single_access_token
should be sufficient to pull a user’s session.
The scenario is:
Bob uses Firefox and creates an account on LoginUI (http://
www.coolaj86.info/loginui).
Instead of using cookies, Bob’s single_access_token comes in the
response to the request.
LoginUI submits Bob’s single_access_token with every request
(essentially using it as though it were the persistence token).
Bob clicks ‘account settings’ and changes his password, but the
request fails.
The request fails because the record is not found (presumably it’s
trying to find Bob by the persistence token rather than the single
access token.
I’ve been very thorough in looking through the documentation, but I
must be missing something. What is it that I’m neglecting?
class UsersController < ApplicationController
def update
# params[:user_credentials].inspect shows the correct
‘xxxSingle_Access_Tokenxxx’
user_hash = RegisteredUserSession.find.record
user = RegisteredUser.find(user_hash)
user.update(params[:user])
user.save
respond_to do |format|
format.json { head :ok }
end
end
private
def single_access_allowed?
true
end
end
class UserSession < Authlogic::Session::Base
allow_http_basic_auth = true
params_key = ‘user_credentials’
single_access_allowed_request_types = :all
end
class RegisteredUserSession < UserSession
end
class User < ActiveRecord::Base
set_table_name “users”
attr_accessible :display_name, :email, :password
acts_as_authentic do |c|
c.require_password_confirmation = false
end
class << self
def public_hash(obj)
{
:display_name => obj.display_name,
:email => obj.email,
:single_access_token => obj.single_access_token,
:errors => obj.errors
}
end
end
end
class RegisteredUser < User
attr_accessible :display_name, :email, :password
validates_presence_of :display_name
validates_length_of :password, :within=>6…254
acts_as_authentic do |c|
c.require_password_confirmation = false
c.change_single_access_token_with_password = true
c.email_field = ‘email’
end
end