构建背景: rails + device
1. 在user中增加authentication_token字段后
#models/user.rb
class User < ActiveRecord::Base
before_save :ensure_authentication_token
.......
# token为空时自动生成新的token
def ensure_authentication_token
if authentication_token.blank?
self.authentication_token = generate_authentication_token
end
end
private
# 保证tokend的唯一
def generate_authentication_token
loop do
token = Devise.friendly_token
break token unless User.where(authentication_token: token).first
end
end
end
2. 为程序全局添加一个token认证方法
#controllers/application_controller.rb class ApplicationController < ActionController::Base # 因为用作API,所以关闭防CSRF不然会出问题 protect_from_forgery with: :null_session private # 获取http:/xxx.com/books.json?token=aMUj5kiyLbmZdjpr_iAu # 判断token的值是否存在,若存在且能在User表中找到相应的,就登录此用户 def authenticate_user_from_token! token = params[:token].presence user = token && User.find_by_authentication_token(token.to_s) if user sign_in user, store: false end end end
3. 让登录、注册返回token
##app/controllers/users/registrations_controller.rb def create @user = User.new(user_params) respond_to do |format| if @user.save format.json { render json: { success: true, token:@user.authentication_token, user_id:@user.id }} end end end private def user_params params.require(:user).permit(:email, :password, :password_confirmation) end #app/controllers/users/sessions_controller.rb def create ##验证邮箱是否存在 user = User.find_for_database_authentication(:email => params[:user][:email]) return render json: {error: {status:-1}} unless user respond_to do |format| #验证密码是否正确 if resource.valid_password?(params[:user][:password]) sign_in("user", user) user.ensure_authentication_token format.json { render json: {token:user.authentication_token, user_id: user.id} } else format.json { render json: {error: {status:-1}} } end end end #注销就是更换用户token def destroy current_user.authentication_token = Devise.friendly_token sign_out(current_user) render json: {success: true} end
使用
1.客户端发送帐号密码到服务端,服务器验证成功后返回token,客户端将token保存在本地
2.在需要认证身份的请求(GET、POST、DELETE)的url后加上?user=xxxxxxxxxx这样的字串,比如:
http:/xxx.com/books.json?token=aMUj5kiyLbmZdjpr_iAu
用curl发送请求举例:
#注册 curl -X POST -H 'Content-Type: application/json' -d '{"user":{"password":"12345678","password_confirmation":"12345678","email": "12345678@x.com"}}' http://localhost:3000/users.json #登录 curl -X POST -H 'Content-Type: application/json' -d '{"user":{"email": "12345678@x.com","password": "12345678"}}' http://localhost:3000/users/sign_in #得到返回json: {"user_token":"aMUj5kiyLbmZdjpr_iAu","user_id":1} #新建comment curl -X POST -H "Content-Type: application/json" -d '{"comment":{"comment_content":"test"}}' localhost:3000/comments.json?user_token=aMUj5kiyLbmZdjpr_iAu