Authenticating a user after #create

Question

This seems to keep coming up for me on various projects and I'm wondering if anyone out there has a great solution:

We have a Rails app with Authlogic authentication. Initially, there's a nice, clean, RESTful ListingsController that requires a user to be logged in before they can post/create:

before_filter :require_user, :only => [ :new, :create]

However, after seeing this in action we decide we need to try out a different flow where unregistered users can fill out the form for the Listing first and then be prompted to register/login. If they abandon registration, we don't need to create the Listing. If they authenticate, we want to wire up the Listing with the current_user as we would normally.

A couple possible snags:

1. The new Listing form allows users to upload files that we store with Paperclip.
2. Authentication may happen through a series of redirects for facebook or twitter.

I feel like this authenticate post-creation scenario is a common enough that there would be some resources on standard methods for attacking it, but I haven't really found much. Anyone have a good solution or resource for this?

Thanks!

Answer 1

One solution is to generate a unique token and store it in your model (say Listing.pending_id), then write the same token to a cookie. Later, when the client is first authenticated, you check for a 'pending_id' cookie and link it to the relevant listing if found.

You'd have to schedule a task to remove any unfinished listings older than (x), and make sure that any pending Listings were excluded from normal operations (searching, listing, etc). Depending on your application you might be better off creating a separate PendingListing model and database table.

One downside with this approach is that the listing would not be recovered if added on one computer/browser, but authenticated on another.