Forum: Ruby on Rails
So how do I work authentication into an API?

Pat Maddox (pergesu)
on 2007-01-19 16:31
(Received via mailing list)
We've built a RESTful API that's really easy to use.  The question now
is how do I build in authentication?  My app itself uses
acts_as_authenticated to manage authentication when someone is using
the app.  But what about when they're using the API remotely instead?
I'm not sure how to handle that.  Thanks for any info.

Pat
Pat Maddox (pergesu)
on 2007-09-25 22:30
(Received via mailing list)
On 1/11/07, Justin Williams <carpeaqua@gmail.com> wrote:
>
> Use HTTP AUTH.  Check this out for more information:
> http://blogs.23.nu/c0re/stories/7409/
>
> There's also the restful_authentication plugin:
> http://svn.techno-weenie.net/projects/plugins/rest...

I actually am using the restful_authentication plugin to handle
authentication...it'd be sweet if I could just use that without making
too many changes.

Basically the problem is that the authentication is stored in the
session (as the first link discusses).  So if my client code isn't
managing a session, I can't use it.

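require 'net/http'

Net::HTTP.start('localhost', 3000) do |http|
  # Log in; the session cookie set by this response is not kept by Net::HTTP
  http.post "/sessions", "login=myusername&password=mypassword"
  # So this request goes out without a session cookie
  response = http.post "/users/7/books", "book[title]=supercool"
  puts response.body
end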

That should create a new book resource, but it just redirects to the
login page.  I can only assume that it's because Net::HTTP.start
doesn't actually handle session stuff.

One approach that I've seen is to have an API key and pass that in as
a parameter on requests.  That seems like it'd probably be the easiest
approach.  I don't know if it's best though.

I'd like to figure out the best way to do this, ideally just using
restful_authentication and all the user info I have right now.
Clients are going to be whatever they want to be...I just need a way
of controlling access to the resources we're exposing.

Pat
Justin Williams (Guest)
on 2007-09-25 22:46
(Received via mailing list)
Use HTTP AUTH.  Check this out for more information:
http://blogs.23.nu/c0re/stories/7409/

There's also the restful_authentication plugin:
http://svn.techno-weenie.net/projects/plugins/rest...

-
Justin Williams
Owner, Second Gear
http://www.secondgearllc.com/
-
Check out Porchlight: bug tracking for small teams
<http://www.porchlightnow.com>
Pat Maddox (pergesu)
on 2007-09-25 22:46
(Received via mailing list)
On 1/11/07, Pat Maddox <pergesu@gmail.com> wrote:
> I'd like to figure out the best way to do this, ideally just using
> restful_authentication and all the user info I have right now.
> Clients are going to be whatever they want to be...I just need a way
> of controlling access to the resources we're exposing.

Actually, it looks like it'll be really easy with HTTP AUTH.
http://ryandaigle.com/articles/2006/12/4/whats-new...
has info on a new http auth plugin.  I tried it out just now and it
seems to work great.

So the only consideration here is that every single request requires
that the username and password be included in the URL.  Is that a bad
thing?  Obviously a client can wrap that up, but I'd just like to know
if it's bad for some reason to have to include auth info in each
request.  One possible downside is that either all auth info is
unencrypted from now on, or every request has to be done through SSL.

Pat
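
Added example, not part of the thread and not code from restful_authentication or the HTTP auth plugin mentioned above: a sketch of what per-request HTTP Basic auth puts on the wire and how a server can check it, which shows why the SSL question in the last post matters. The `USERS` table, the helper names and the `tls:` flag (which a Rails app could fill from `request.ssl?`) are assumptions made for the illustration.

```ruby
require 'net/http'
require 'digest'

# Constructed sample account (hypothetical store); a real app would check a
# salted password hash via its existing user model instead.
USERS = { 'myusername' => 'mypassword' }.freeze

# Client side: attach credentials to a single request. Nothing is sent here;
# the request object is returned so the header can be inspected offline.
def build_request(path, login, password, form)
  req = Net::HTTP::Post.new(path)
  req.basic_auth(login, password)
  req.set_form_data(form)
  req
end

# Server side: parse "Authorization: Basic <base64(login:password)>".
# Returns [login, password], or nil when the header is missing or malformed.
def parse_basic(header)
  scheme, blob = header.to_s.split(' ', 2)
  return nil unless scheme&.casecmp?('Basic') && blob
  login, password = blob.unpack1('m0').split(':', 2) # 'm0' = strict base64
  password ? [login, password] : nil
rescue ArgumentError # raised on invalid base64
  nil
end

# Compare fixed-length digests byte by byte without an early exit, so the
# check does not leak how much of the password matched.
def secure_equal?(a, b)
  da = Digest::SHA256.digest(a).bytes
  db = Digest::SHA256.digest(b).bytes
  da.zip(db).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the login on success, nil otherwise. Requests that did not arrive
# over TLS are refused: base64 is an encoding, so anyone who can read the
# traffic can run parse_basic on the header and recover the password.
def authenticate(header, tls:)
  return nil unless tls
  login, password = parse_basic(header)
  return nil unless login
  ok = secure_equal?(password, USERS.fetch(login, ''))
  ok && USERS.key?(login) ? login : nil
end
```

The credentials travel in the `Authorization` header of each request, so the client needs no session or cookie handling.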