
Authlogic and Single Access Token

I am having a hard time finding a simple tutorial on how to enable single access token authentication using authlogic. There is some documentation but it isn't very helpful.

I added single_access_token to my db, and I added this:

  single_access_allowed_request_types :any

to my Session class, but I still don't understand how a user is authenticated using the credentials param that is passed over every call. My require_authentication before filter does a standard check for current_user like this:

  def current_session
    return @current_session if @current_session
    @current_session = Session.find
  end

  def current_user
    @current_user = current_session && current_session.record
  end

But is that enough to work? Does the Session.find method do the magic to log the user in based on my params, or do I have to create a separate method that actually checks if the user_credentials param is there and then finds the user based on it and then logs that user in? I am confused if I really am "creating" a new session every time I use a SAT or if I'm just setting current user in a before filter every time an API call is made.

Any help would be amazing! Thanks!

Danny asked Oct 26 '11 17:10


2 Answers

I implemented a single_access_token solution with authlogic and what I had to do was add single_access_allowed_request_types :all to the UserSession model.

Then I added the following to the controller where I wanted to allow single_access_token authentication.

  def single_access_allowed?
    ["some_action_1","some_action_2","some_action_3"].include?(action_name)
  end

It looks like you're missing the controller code. So if you had two actions "get_user_info" and "update_user_info" you would add:

  def single_access_allowed?
    ["get_user_info","update_user_info"].include?(action_name)
  end

Timothy Hunkele answered Oct 16 '22 03:10


The only thing I had to do to make this work was:

  • add a field called single_access_token to my users-table
  • add a method called single_access_allowed? to each controller where single access should be allowed.

This method would look like this:

  # method for authlogic: defines for which action the single-access-token can be used
  def single_access_allowed?
    (action_name == "deliver") || (action_name == "delivery_status")
  end

I did not have to add anything in UserSessionsController or the UserSession object. Authlogic handles that for you. With a single-access-token only one request is authenticated, so there is not a persistent session. Each request has to send the single-access-token. Hence the name: a token to get a single access :)

Hope this helps.

nathanvda answered Oct 16 '22 04:10
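
The per-request flow the answers describe, as an added sketch in plain Ruby; it is not Authlogic's code and not from either answerer. `ApiController`, `USERS`, `store` and `secure_compare` are hypothetical names, the token is constructed sample data, and the `user_credentials` param name is taken from the question.

```ruby
require "digest"
require "securerandom"

# Constructed stand-in for a users table with a single_access_token column.
User = Struct.new(:login, :single_access_token)
USERS = [User.new("danny", SecureRandom.hex(20))].freeze

# Constant-time comparison over fixed-length digests (hypothetical helper).
def secure_compare(a, b)
  da = Digest::SHA256.digest(a)
  db = Digest::SHA256.digest(b)
  da.bytes.zip(db.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Hypothetical base controller: models the per-request check only.
class ApiController
  attr_reader :action_name, :params, :store

  def initialize(action_name, params)
    @action_name = action_name
    @params = params
    @store = {} # stands in for the cookie/session store
  end

  # Deny by default; a controller opts individual actions in.
  def single_access_allowed?
    false
  end

  # Resolved on every request from the token alone; nothing is written to @store.
  def current_user
    return nil unless single_access_allowed?
    token = params["user_credentials"].to_s
    return nil if token.empty?
    USERS.find { |u| secure_compare(token, u.single_access_token) }
  end
end

class DeliveriesController < ApiController
  def single_access_allowed?
    %w[deliver delivery_status].include?(action_name)
  end
end
```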