views: 956
answers: 2

I'm using Authlogic for authentication in my app, using the standard User and UserSession models. I'm building an API into my app, and I want to authenticate API access with a single access token. In my app, every User belongs_to a Company, which has_many users. The API is for access to resources belonging to the company, so I'd like to use one single access token for the whole company.

My initial thought was to add a dummy user to Company that only has permission to access the API, whose single access token the company would then use to grant access to the API. It doesn't appear that I can set a user's e-mail and password blank with AuthLogic, so this isn't panning out. My next thought was perhaps I could add acts_as_authentic to the company itself, but I'm not sure how this would work.

I really want to use Authlogic for the solution because it integrates nicely with my ACL, and appears to have the functionality I'm looking for mostly built in.

Is it possible to have two models that acts_as_authentic? Is there an easier way that I'm not thinking of, built into Authlogic? Is there a way I can use a dummy user for their API key? Which way should I do this?

+1  A: 

The way I do this is:

# Crypto provider that turns the password check into a no-op: every stored
# "crypted" value is the literal 'X', so authenticating a Something reduces
# to the api_key lookup that login_field performs. Defined first because the
# acts_as_authentic block below refers to it.
class ApiKeyCrypto
  def self.encrypt(*tokens)
    'X'
  end

  def self.matches?(crypted, *tokens)
    crypted == 'X'
  end
end

class Something < ActiveRecord::Base
  acts_as_authentic do |m|
    # API keys are auto generated (see +regenerate_api_key+).
    # The password is not used for authentication (it's just an api_key
    # lookup), so a dummy column holds the 'X' placeholder.
    m.login_field = :api_key
    m.validate_login_field = false
    m.validate_email_field = false
    m.crypted_password_field = :api_key_hash
    m.require_password_confirmation = false
    m.validate_password_field = false
    m.crypto_provider = ApiKeyCrypto
  end
end

# application_controller.rb
def current_session
  return @current_session if defined?(@current_session)
  ... # (respond_to block elided in the original answer)
    format.any(*api_formats) do
      # API requests (xml/json) authenticate with the api_key, not a UserSession
      @current_session = SomethingSession.find
    end
  end
  @current_session
end

def api_formats
  [:xml, :json]
end

This works great for ActiveResource FYI.

BJ Clark
+1  A: 

Sure, you can have two models acts_as_authentic. Set up the Company with the minimum Authlogic db fields, and use its single_access_token for API access. Note that your API will not know which User is using the system, just the Company.

Jonathan Julian
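Both answers above come down to the same mechanic: one random token per Company (or per dummy model), looked up directly with no password involved, and the result identifies the Company rather than a User. The following is an added example in plain Ruby, not code from the question, the answers or Authlogic itself, that models that mechanic without Rails so it can be run on its own. The `Company` and `CompanySession` class names and the `company_credentials` params key are assumptions modelled on Authlogic's default naming (`<model>_credentials`); the in-memory registry stands in for the database table. It also shows the two things a practitioner wants around such a token: generation from a cryptographic RNG and rotation that immediately revokes the old value.

```ruby
require "securerandom"

# Added example, not Authlogic's own code: a company-wide single access token.
# The class names and the "company_credentials" params key are assumptions
# based on Authlogic's default naming; the registry stands in for a DB table.
class Company
  attr_reader :name, :single_access_token

  @registry = {}
  class << self
    attr_reader :registry
  end

  def initialize(name)
    @name = name
    regenerate_single_access_token!
  end

  # Authlogic-style token: random, URL-safe, and long enough (32 bytes,
  # 256 bits of entropy) that guessing it is hopeless. Rotating the token
  # revokes the old one at the same time.
  def regenerate_single_access_token!
    old = @single_access_token
    @single_access_token = SecureRandom.urlsafe_base64(32)
    self.class.registry.delete(old) if old
    self.class.registry[@single_access_token] = self
    @single_access_token
  end

  # Token lookup. Each stored token is compared in constant time so the
  # response time does not leak how many leading bytes of a guess matched.
  def self.find_by_single_access_token(token)
    return nil if token.nil? || token.empty?
    found = nil
    registry.each do |stored, company|
      found = company if secure_compare(stored, token)
    end
    found
  end

  # Constant-time string comparison (length check first, then XOR every byte).
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

# Stand-in for what CompanySession.find does for an API request: read the
# token from params["company_credentials"] and resolve it to a Company.
# Note what the session carries: a Company, never the User behind the call.
class CompanySession
  attr_reader :record

  def initialize(record)
    @record = record
  end

  def self.find(params)
    company = Company.find_by_single_access_token(params["company_credentials"])
    company && new(company)
  end
end

if __FILE__ == $PROGRAM_NAME
  acme = Company.new("Acme")
  session = CompanySession.find("company_credentials" => acme.single_access_token)
  puts "authenticated as company: #{session.record.name}"
  acme.regenerate_single_access_token!
  puts "old token still valid? #{!CompanySession.find("company_credentials" => session.record.single_access_token).nil?}"
end
```

With Authlogic proper the same flow is `?company_credentials=<token>` on the request (or whatever `params_key` you configure on the session class), and the token lives in the `single_access_token` column, which Authlogic stores as-is rather than hashed; treat that column like a password store when you think about backups and read access.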