devise
per-Controller auth strategies
Adding a BlahController.strategies config to allow only specific strategies to be run on a per-controller basis. The best example of this is that we have at least 5 strategies for our User class, but when it comes to our API controllers we only want :jwt to run, ignoring database_authenticatable, yubi_key, etc.
This was my initial solution, before this pull request.
https://robl.me/posts/the-magical-devise-journey
I'd like to bump this PR.
We have the same use case: the API should only use token authentication, while the rest of the app tries all approaches. And I'd guess we're not the only ones.
Anything speaking against integrating it into devise? Happy to help with the PR in case anything is still missing.
We are using this branch in production so it's been really invaluable.
Just for the record, another solution I've seen encouraged for this problem is to set something in the Rails/request env in the controller and check it in the Strategy. Ex:
```ruby
# Superclass assumed here; the original comment omitted it.
class Api::Users::SessionsController < Devise::SessionsController
  # Mark the request so the token strategy steps aside on the password login action.
  prepend_before_action :skip_token_strategy!, only: :create

  private

  def skip_token_strategy!
    request.env['devise.skip_token_strategy'] = true
  end
end

# Illustrative custom strategy (devise ships no `Token` strategy); the
# Authenticatable superclass is assumed, as in the original comment.
class Devise::Strategies::Token < Devise::Strategies::Authenticatable
  # Warden calls valid? before running a strategy; returning false skips it.
  def valid?
    !env['devise.skip_token_strategy']
  end
end
```
Not suggesting anything one way or the other; just anticipating what other responses to this proposal might be. (Ex: "This can already be done, and strategy eligibility / validity should be determined in the Strategy itself.")
Not sure how I feel about that solution. A Strategy should be able to understand what is valid or not, sure. Say, if it's a JWT token request, maybe forcing the request to be JSON. That I could understand. But deciding whether to force the request to be invalid for some other arbitrary reason seems unreasonable: it injects a reason to cause the Strategy to fail, not to mention that it will run every Strategy, which is unnecessary if you know you only want to run one of them.
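To make the difference between the two approaches in this thread concrete, here is an added illustration in plain Ruby. It is not code from devise or from this PR: it is a small stand-in for Warden's strategy runner, with a constructed form-login strategy and a constructed bearer-token strategy (the strategy names, the token value `Bearer valid-token`, the helper names and the `devise.skip_*` env keys are all assumptions). It contrasts a per-controller allowlist (the PR's idea) with the env-flag trick from the comment above, and shows the point made in the reply: the flag approach still visits every strategy, while the allowlist never lets a password-based strategy see an API request at all.

```ruby
# Minimal model of a Warden strategy: `valid?` decides eligibility,
# `authenticate!` returns a user name or nil. Call counters let us see
# which strategies were consulted for a given request.
class Strategy
  attr_reader :name, :valid_calls, :auth_calls

  def initialize(name, check:, auth:)
    @name = name
    @check = check
    @auth = auth
    @valid_calls = 0
    @auth_calls = 0
  end

  # Mirrors the env-flag approach: a controller can switch a strategy off
  # for one request by setting a "devise.skip_<name>" key (constructed key).
  def valid?(env)
    @valid_calls += 1
    return false if env["devise.skip_#{name}"]
    @check.call(env)
  end

  def authenticate!(env)
    @auth_calls += 1
    @auth.call(env)
  end
end

# Warden-style runner: ask each strategy whether it is valid, run it,
# and stop at the first one that yields a user.
def run_strategies(strategies, env)
  strategies.each do |s|
    next unless s.valid?(env)
    user = s.authenticate!(env)
    return { strategy: s.name, user: user } if user
  end
  nil
end

# Constructed strategies standing in for database_authenticatable and :jwt.
def build_strategies
  password = Strategy.new(:database_authenticatable,
    check: ->(env) { env.key?('password') },
    auth:  ->(env) { env['password'] == 'correct horse' ? 'alice' : nil })
  jwt = Strategy.new(:jwt,
    check: ->(env) { env['HTTP_AUTHORIZATION'].to_s.start_with?('Bearer ') },
    auth:  ->(env) { env['HTTP_AUTHORIZATION'] == 'Bearer valid-token' ? 'alice' : nil })
  [password, jwt]
end

# Approach 1 (this PR): the API controller names the only strategies that may run.
def api_authenticate_with_allowlist(strategies, env, allowed: [:jwt])
  run_strategies(strategies.select { |s| allowed.include?(s.name) }, env)
end

# Approach 2 (env flag): the controller sets skip flags, but the runner still
# visits every strategy and relies on each one honouring the flag.
def api_authenticate_with_env_flags(strategies, env, skip: [:database_authenticatable])
  skip.each { |name| env["devise.skip_#{name}"] = true }
  run_strategies(strategies, env)
end

# Both approaches refuse form credentials posted to the API endpoint; only the
# allowlist keeps the password strategy from being consulted at all.
def compare
  api_env = { 'password' => 'correct horse' }   # constructed API request carrying form credentials

  s1 = build_strategies
  r1 = api_authenticate_with_allowlist(s1, api_env.dup)
  s2 = build_strategies
  r2 = api_authenticate_with_env_flags(s2, api_env.dup)

  {
    allowlist: { result: r1, password_valid_calls: s1[0].valid_calls },
    env_flags: { result: r2, password_valid_calls: s2[0].valid_calls },
    token_ok:  api_authenticate_with_allowlist(build_strategies,
                 { 'HTTP_AUTHORIZATION' => 'Bearer valid-token' })
  }
end

if __FILE__ == $PROGRAM_NAME
  p compare
end
```

Running the file prints the comparison: with the allowlist the password strategy's `valid?` is never called for the API request, whereas with env flags it is called once and must itself decide to step aside. That is why an allowlist is the safer default for an API surface: a strategy that forgets to check the flag is still excluded.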
Not sure what the hell has happened after my merge of upstream, now I have 23 file changes :S