Ruby on rails 401未经授权使用Desive和Rails api进行放置/修补/删除
我有一个RAILS API,它集成了Desive和Doorkeeper。我的POST注册请求#创建作品,但PUT/PATCH/DELETE导致“401未经授权”错误。我怀疑Desive上的身份验证可能存在一些问题,但这正是我遇到的问题。也许我不知道如何处理当前用户或在筛选之前跳过?我尝试了很多方法,比如添加Ruby on rails 401未经授权使用Desive和Rails api进行放置/修补/删除,ruby-on-rails,devise,routes,Ruby On Rails,Devise,Routes,我有一个RAILS API,它集成了Desive和Doorkeeper。我的POST注册请求#创建作品,但PUT/PATCH/DELETE导致“401未经授权”错误。我怀疑Desive上的身份验证可能存在一些问题,但这正是我遇到的问题。也许我不知道如何处理当前用户或在筛选之前跳过?我尝试了很多方法,比如添加 skip_before_filter :verify_authenticity_token skip_before_filter :authenticate_user! 谢谢大家! rou
skip_before_filter :verify_authenticity_token
skip_before_filter :authenticate_user!
谢谢大家!
routes.rb
require 'api_constraints'
Rails.application.routes.draw do
use_doorkeeper
devise_for :users, only: [:registrations, :passwords, :confirmations], controllers: {registrations: "api/registrations"}, defaults: { format: :json }
namespace :api, defaults: { format: :json }, constraints: { subdomain: 'api' }, path: '/' do
scope module: :v1, constraints: ApiConstraints.new(version: 1, default: true) do
get 'users/me', to: 'users#me'
end
end
end
耙道
Prefix Verb URI Pattern Controller#Action
GET /oauth/authorize/:code(.:format) doorkeeper/authorizations#show
oauth_authorization GET /oauth/authorize(.:format) doorkeeper/authorizations#new
POST /oauth/authorize(.:format) doorkeeper/authorizations#create
DELETE /oauth/authorize(.:format) doorkeeper/authorizations#destroy
oauth_token POST /oauth/token(.:format) doorkeeper/tokens#create
oauth_revoke POST /oauth/revoke(.:format) doorkeeper/tokens#revoke
oauth_applications GET /oauth/applications(.:format) doorkeeper/applications#index
POST /oauth/applications(.:format) doorkeeper/applications#create
new_oauth_application GET /oauth/applications/new(.:format) doorkeeper/applications#new
edit_oauth_application GET /oauth/applications/:id/edit(.:format) doorkeeper/applications#edit
oauth_application GET /oauth/applications/:id(.:format) doorkeeper/applications#show
PATCH /oauth/applications/:id(.:format) doorkeeper/applications#update
PUT /oauth/applications/:id(.:format) doorkeeper/applications#update
DELETE /oauth/applications/:id(.:format) doorkeeper/applications#destroy
oauth_authorized_applications GET /oauth/authorized_applications(.:format) doorkeeper/authorized_applications#index
oauth_authorized_application DELETE /oauth/authorized_applications/:id(.:format) doorkeeper/authorized_applications#destroy
oauth_token_info GET /oauth/token/info(.:format) doorkeeper/token_info#show
user_password POST /users/password(.:format) devise/passwords#create {:format=>:json}
new_user_password GET /users/password/new(.:format) devise/passwords#new {:format=>:json}
edit_user_password GET /users/password/edit(.:format) devise/passwords#edit {:format=>:json}
PATCH /users/password(.:format) devise/passwords#update {:format=>:json}
PUT /users/password(.:format) devise/passwords#update {:format=>:json}
cancel_user_registration GET /users/cancel(.:format) api/registrations#cancel {:format=>:json}
user_registration POST /users(.:format) api/registrations#create {:format=>:json}
new_user_registration GET /users/sign_up(.:format) api/registrations#new {:format=>:json}
edit_user_registration GET /users/edit(.:format) api/registrations#edit {:format=>:json}
PATCH /users(.:format) api/registrations#update {:format=>:json}
PUT /users(.:format) api/registrations#update {:format=>:json}
DELETE /users(.:format) api/registrations#destroy {:format=>:json}
user_confirmation POST /users/confirmation(.:format) devise/confirmations#create {:format=>:json}
new_user_confirmation GET /users/confirmation/new(.:format) devise/confirmations#new {:format=>:json}
GET /users/confirmation(.:format) devise/confirmations#show {:format=>:json}
api_users_me GET /users/me(.:format) api/v1/users#me {:format=>:json, :subdomain=>"api
注册_controller.rb(覆盖设备)
include ActionController::ImplicitRender
类Api::RegistrationController<设计::RegistrationController
清除\u响应\u
回复:json
回复:html,仅限:[]
回复:xml,仅限:[]
在\u筛选器之前跳过\u:验证\u真实性\u令牌
前过滤器:不允许,仅:[:新建,:编辑,:取消]
不允许使用def_
呈现json:{error:“不允许方法”},状态:405
结束
私有的
def注册参数
参数require(:user).permit([
:电邮,
:密码,
:密码\u确认,
:名字,
:姓,
])
结束
def帐户更新参数
参数require(:user).permit([
:电邮,
:名字,
:姓,
:密码,
:密码\u确认,
:当前密码
])
结束
结束
Application.rb
class ApplicationController < ActionController::API
respond_to :json
before_filter :cors_preflight_check
after_filter :cors_set_access_control_headers
def cors_preflight_check
if request.method == 'OPTIONS'
headers['Access-Control-Allow-Origin'] = '*'
headers['Access-Control-Allow-Methods'] = 'POST, GET, PUT, DELETE, OPTIONS'
headers['Access-Control-Allow-Headers'] = 'X-Requested-With, X-Prototype-Version, Token'
headers['Access-Control-Max-Age'] = '1728000'
render text: '', content_type: 'text/plain'
end
end
def cors_set_access_control_headers
headers['Access-Control-Allow-Origin'] = '*'
headers['Access-Control-Allow-Methods'] = 'POST, GET, PUT, DELETE, OPTIONS'
headers['Access-Control-Allow-Headers'] = 'Origin, Content-Type, Accept, Authorization, Token'
headers['Access-Control-Max-Age'] = "1728000"
end
def current_resource_owner
User.find(doorkeeper_token.resource_owner_id) if doorkeeper_token
end
end
class ApplicationController
您有选择地覆盖设计::注册控制器
方法,这些方法是:新建、:编辑、:取消
您的类中未定义Rest方法,因此它们将由designe::RegistrationsController
提供服务
如果打开Desive,您将看到:
class Devise::RegistrationsController < DeviseController
prepend_before_filter :require_no_authentication, only: [:new, :create, :cancel]
prepend_before_filter :authenticate_scope!, only: [:edit, :update, :destroy]
class designe::RegistrationsController
正如您可以看到的那样,:create
操作不需要身份验证,因此您不会看到401 forPOST
请求,因为它与create
操作匹配
PUT/PATCH
匹配到需要验证的update
操作,同样DELETE
匹配到同样需要验证的“destroy”操作,因此您得到了此错误
要解决此问题,请在覆盖
RegistrationController
中的操作后为受保护的操作添加筛选器:验证\u真实性\u令牌是否禁用控制器上的CSRF保护。和在过滤之前跳过:验证用户代码>应该可以工作。谢谢@Anial Maurya,我必须在过滤器:身份验证范围之前加入跳过代码>在我的自定义注册控制器中,并添加门卫\u authorize:api
。此外,我还必须覆盖当前用户
和更新资源
,以使完整的CRUD操作正常工作。
class Devise::RegistrationsController < DeviseController
prepend_before_filter :require_no_authentication, only: [:new, :create, :cancel]
prepend_before_filter :authenticate_scope!, only: [:edit, :update, :destroy]