I am designing an API system in Ruby-on-Rails, and I want to be able to log queries and authenticate users.

However, I do not have a traditional login system; I want to use an API key and a signature that users can submit in the HTTP headers of the request (similar to how Amazon's services work).

Instead of requesting /users/12345/photos/create I want to be able to request /photos/create and submit a header that says X-APIKey: 12345 and then validate the request with a signature.

Are there any gems that can be adapted to do that? Or better yet, any gems that do this without adaptation?

Or do you feel that it would be wiser to just have them send the API key in each request using the POST/GET vars?

+1  A: 

You probably use an authentication library already. It probably has a way to override the way it checks for authentication. Most likely, the method is named authenticated?. Refer to the documentation for the library you are using, though.

I would not have looked for an existing gem, but implemented it myself; doing so shouldn't be too hard. Here's an example boilerplate implementation:

class ApplicationController < ActionController::Base
  def authenticated?
    current_user.is_a?(User)
  end

  def current_user
    user_from_session || user_from_api_key
  end

  def user_from_session
    # ... use session[:user] or whatever.
  end

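  def user_from_api_key
    # Skip the lookup when the header is missing or empty:
    # find_by_api_key(nil) would match a user whose api_key column is NULL.
    api_key = request.headers["X-APIKey"]
    User.find_by_api_key(api_key) unless api_key.blank?
  end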
end

That's as specific as I can get, since you don't say anything about your current authentication setup.

August Lilleaas
I came across http://www.compulsivoco.com/2009/05/rails-api-authentication-using-restful-authentication/ which, in addition to August's code sample, helps you get along.
Alistair
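
The signature half of the question, as an added example that is not part of the original answer or of any gem: plain Ruby that verifies an HMAC-SHA256 signature sent alongside the `X-APIKey` header. The `X-Signature` and `X-Timestamp` header names, the canonical string layout, the 300-second window and the in-memory secret table are assumptions made for illustration.

```ruby
require "openssl"

# Constructed sample data: API key => shared secret (stands in for a users table).
API_SECRETS = { "12345" => "constructed-demo-secret" }.freeze
MAX_SKEW = 300 # seconds a signed request stays valid (assumed replay window)

# The canonical string covers method, path, timestamp and a body digest,
# so changing any of them invalidates the signature.
def sign_request(secret, method, path, timestamp, body)
  body_digest = OpenSSL::Digest.new("SHA256").hexdigest(body)
  canonical = [method.upcase, path, timestamp.to_s, body_digest].join("\n")
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA256"), secret, canonical)
end

# Constant-time comparison, so timing does not reveal how many characters matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Returns the API key when the request is authentic, nil on any failure.
def verify_request(headers, method, path, body, now: Time.now.to_i)
  api_key   = headers["X-APIKey"]
  signature = headers["X-Signature"]   # assumed header name
  timestamp = headers["X-Timestamp"]   # assumed header name
  return nil if [api_key, signature, timestamp].any? { |v| v.nil? || v.empty? }
  return nil unless timestamp.match?(/\A\d+\z/)
  return nil if (now - timestamp.to_i).abs > MAX_SKEW # stale or future-dated
  secret = API_SECRETS[api_key]
  return nil unless secret
  expected = sign_request(secret, method, path, timestamp, body)
  secure_compare(expected, signature) ? api_key : nil
end
```

In a controller, `verify_request` would take the place of the bare key lookup in `user_from_api_key`, with the secret read from the user record.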