Class: Api::V1::BaseController

Inherits:
ApiController
Includes:
ActionController::Flash
Defined in:
app/controllers/api/v1/base_controller.rb


Instance Method Details

#add_generic_headers! ⇒ Object


# File 'app/controllers/api/v1/base_controller.rb', line 31

# Tags every API response with the vendor media-type header
# (the value 'ekylibre.v1' names the API flavour/version that answered).
# The CORS line below is deliberately left commented out: a wildcard
# Access-Control-Allow-Origin would let any origin read API responses.
def add_generic_headers!
  media_type = 'ekylibre.v1'
  response.headers['X-Ekylibre-Media-Type'] = media_type
  # response.headers['Access-Control-Allow-Origin'] = '*'
end

#authenticate_api_user! ⇒ Object


# File 'app/controllers/api/v1/base_controller.rb', line 42

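# Authenticates the caller of an API request.
#
# Two credential sources are accepted:
# * an `Authorization: simple-token <email> <token>` header;
# * `access_email` / `access_token` request parameters.
# Any other Authorization scheme is answered with 400 Bad Request; a
# request carrying neither source with 401 Unauthorized. In both failure
# cases a JSON error body is rendered and false is returned (when used as
# a before_action the render halts the filter chain).
#
# Credentials passed as request parameters tend to end up in access logs
# and browser history; the header form is the preferable one.
#
# @return [Boolean] true when a user was signed in, false otherwise
def authenticate_api_user!
  authorization = request.headers['Authorization']
  if authorization
    # Missing parts destructure to nil, exactly as keys.second/keys.third did.
    scheme, email, token = authorization.split(' ')
    return authenticate_user_from_simple_token!(email, token) if scheme == 'simple-token'

    render status: :bad_request, json: { message: 'Bad authorization.' }
    return false
  end
  if params[:access_token] && params[:access_email]
    return authenticate_user_from_simple_token!(params[:access_email], params[:access_token])
  end
  render status: :unauthorized, json: { message: 'Unauthorized.' }
  false
end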

#authenticate_user_from_simple_token!(email, token) ⇒ Object

Checks that the given token matches the user's one and signs the user in if it does.


# File 'app/controllers/api/v1/base_controller.rb', line 61

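# Checks the given token against the user's stored authentication token
# and, on a match, signs the user in for the current request only.
#
# @param email [String, nil] email used to look the user up
# @param token [String, nil] token presented by the client
# @return [Boolean] true when the user was signed in; false after rendering
#   a 401 JSON body
def authenticate_user_from_simple_token!(email, token)
  user = User.find_by(email: email)
  # Devise.secure_compare is a constant-time comparison (and returns false
  # for blank or different-length operands), which mitigates timing attacks
  # on the token. Do not replace it with ==.
  if user && Devise.secure_compare(user.authentication_token, token)
    # Sign in using token should not be tracked by Devise trackable
    # See https://github.com/plataformatec/devise/issues/953
    env['devise.skip_trackable'] = true
    # With store: false the user is not persisted in the session, so the
    # token has to be presented on every request. That behaviour can be
    # configured through the sign_in_token option.
    # (Devise's sign_in helper; the method name was lost in the rendered
    # listing this was restored from.)
    sign_in user, store: false
    return true
  end
  render status: :unauthorized, json: { message: 'Unauthorized.' }
  false
end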

#force_json! ⇒ Object


# File 'app/controllers/api/v1/base_controller.rb', line 37

# Pins the request format to JSON, overriding whatever format the request
# negotiated through its Accept header or URL extension.
def force_json!
  wanted = 'json'
  request.format = wanted
end