Hi Guyren,

I've been mostly using devise lately, but as I recall you want to set up either token based auth for your API *or* connect them with http basic auth. The latter is what I've used in the past. Which token to use in Authlogic is confusing (dare I say illogical?) though there is this explanation in the authlogic_example repo:
- Persistence token: Used by Authlogic internally, it is stored in your cookies and sessions to persist the user. This is much more secure than plainly storing the user’s id.
- Single access token: Use this for a private feed or API access. Ex: www.whatever.com?user_credentials=[single access token]. Grants access but does NOT persist.
- Perishable token: Great for authenticating users to reset passwords, confirm their account, etc.

The thing I struggled with the most is that "Single access" means you send the token on every API call (which is common), *not* that the token gets used once and doesn't work a second time. The Single Access token is therefore a form of UUID.

Best,
Rob

On Fri, Feb 25, 2011 at 03:52, Guyren Howe <[email protected]> wrote:
> I’m finding this surprisingly difficult to sort out.
>
> I’ve a website that is mostly for access by a REST API. It uses Authlogic.
>
> I naively assumed that if the API client had the user authenticate and then returned the cookie on subsequent actions that they would be logged in, but they aren’t.
>
> Further experimentation shows that if I send a form by putting a static file in the public directory, the user isn’t being authenticated when that is submitted either.
>
> What am I missing here? I’m seeing scattered references to single_access_token, all of which seem to assume that you already know what that is and how to use it from your client app, so I can’t find a single clear statement of what’s going on.
>
> I’m tempted to generate a UUID and dispense it to the client on login, then have them feed that back to me as one of the url args. But this seems blunt and stupid when presumably the login information is there in the user’s cookie.
>
> I’ve spent hours googling this without finding a clear statement of what is best practice for secure access to an authlogic site.
>
> --
> SD Ruby mailing list
> [email protected]
> http://groups.google.com/group/sdruby
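The single access token flow Rob describes, as an added example that is not Authlogic's own code nor anything from the authlogic_example repo: a small Ruby model of the three token kinds, showing that a token passed as the user_credentials parameter authenticates each request on its own and issues no session cookie, that the same token keeps working on later calls (it is not used up), and that the perishable token is the one that is consumed on use. The class names, the request hash shape, the cookie name and the token lengths are assumptions made for this example.

```ruby
require "securerandom"

# Added example (not Authlogic code): one user record carrying the three
# token kinds from the authlogic_example description.
class User
  attr_reader :login, :persistence_token, :single_access_token, :perishable_token

  def initialize(login)
    @login = login
    @persistence_token   = SecureRandom.hex(64)            # lives in the session cookie
    @single_access_token = SecureRandom.urlsafe_base64(32) # sent with every API call
    reset_perishable_token!
  end

  # Perishable token: rotated whenever it is used (password reset, confirmation).
  def reset_perishable_token!
    @perishable_token = SecureRandom.urlsafe_base64(16)
  end
end

# Constant-time comparison so a failed lookup does not leak how many leading
# bytes of the submitted token matched. (Assumed helper; Rack has its own.)
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# A stand-in for the part of a Rails app that resolves the current user.
# A request is a Hash shaped { params: {...}, cookies: {...} } (assumed shape).
class Api
  COOKIE = "user_credentials" # assumed cookie name for the persisted session

  def initialize(users)
    @users = users
  end

  # Returns [user, cookie_to_set]. cookie_to_set is nil when nothing is
  # persisted, which is exactly the single access token case: the token
  # grants access to this request and the client must send it again next time.
  def authenticate(request)
    if (token = request.fetch(:params, {})["user_credentials"])
      user = find_by(:single_access_token, token)
      return [user, nil] if user
    end
    if (token = request.fetch(:cookies, {})[COOKIE])
      user = find_by(:persistence_token, token)
      return [user, { COOKIE => user.persistence_token }] if user
    end
    [nil, nil]
  end

  # The token that really is single-use: valid once, then rotated away.
  def consume_perishable(token)
    user = find_by(:perishable_token, token)
    return nil unless user
    user.reset_perishable_token!
    user
  end

  private

  def find_by(attr, token)
    @users.find { |u| secure_compare(u.public_send(attr), token.to_s) }
  end
end

# Demonstration on a constructed user; returns a summary Hash.
def demo
  alice = User.new("alice")
  api = Api.new([alice])
  sat = alice.single_access_token

  first,  first_cookie  = api.authenticate({ params: { "user_credentials" => sat } })
  second, second_cookie = api.authenticate({ params: { "user_credentials" => sat } })
  prefix, _             = api.authenticate({ params: { "user_credentials" => sat[0..-2] } })
  by_cookie, set_cookie = api.authenticate({ cookies: { Api::COOKIE => alice.persistence_token } })

  reset_link = alice.perishable_token
  once  = api.consume_perishable(reset_link)
  again = api.consume_perishable(reset_link)

  {
    single_access_first:  first&.login,  single_access_cookie: first_cookie,
    single_access_second: second&.login, second_cookie: second_cookie,
    prefix_match:         prefix&.login,
    cookie_login:         by_cookie&.login, cookie_persisted: !set_cookie.nil?,
    perishable_once:      once&.login,   perishable_again: again&.login
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The point of the run is the contrast: the `user_credentials` parameter authenticates the first and second calls alike and never returns a cookie to set, while `consume_perishable` answers once and then refuses the same value.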
