问题
I am running devise 1.3.4 with rails 3.0.7. I have two ways users may sign in: using the web app, and using a mobile web app (via a JSON API call). The first way is handled perfectly by the default devise sessions controller. The API-call method of authentication needs to be in a controller that extends my Api::BaseController
. So, I wrote this second controller like this:
class Api::UserSessionsController < Api::BaseController
…
def create
user = warden.authenticate(:scope => :user)
if user
sign_in(:user, user)
else
# Do some error handling
end
end
end
Attempts to login via this method fail due to the valid_controller?
method in Devise::Strategies::Authenticatable
. Because I have left the default controller (devise/sessions
) as the mapped controller for users, it does not allow authentications from my custom controller.
I would like to roll my custom functionality into my own subclass of Devise::SessionsController
, but I need the API sessions controller to extend the API::BaseController
, so I can't extend Devise::SessionsController
as well. I don't want to place the working, default-behavior web-app authentication methods in the API controller, especially because this would require copying them from the devise controller.
Any suggestions? Is there some config I'm missing that allows multiple controllers to handle sessions? the valid_controller?
method does an ==
comparison, not .include?
, so I don't see how that would work.
UPDATE
This is an awful temporary workaround. I don't like it, so I'm not posting it as an answer, but I thought it might offer food-for-thought to all you answerer-types:
In the top of my create method, I could override what Devise expects to be the sessions controller.
Devise.mappings[:user].controllers[:sessions] = params[:controller]
This is working around Devise's intended functionality (requiring a single, specific controller to do session creation) so I don't want to keep it. I wonder if this constraint is a security measure or just a convention -- if it is for security, this is presumably quite bad.
回答1:
I can only suggest another workaround (maybe less awful?) In an initializer you can overwrite #valid_controller?, like this:
require 'devise/strategies/authenticatable'
require 'devise/strategies/database_authenticatable'
class Devise::Strategies::DatabaseAuthenticatable
def valid_controller?
# your logic here
true
end
end
I'd be interested in knowing the reason of this constraint too
回答2:
I'm using Devise 2.2.7 with Rails 3.2.13. Both of the above methods did not work for me: the valid_vontroller?
method in Devise::Strategies::DatabaseAuthenticatable
does not exist anymore. The Devise.mappings[:user].controllers[:sessions]
trick did not work for me either.
After digging through this thread I found valid_params_request? which is responsible for ensuring that the request should be sent through the authentication system. There is a helper method, allows_params_authentication!, which is what enables the Devise::SessionsController to process authentication requests.
You can authenticate a user from any controller by:
def signin
allow_params_authentication!
authenticate_user!
end
If you want to redirect to a custom page when authentication fails:
resource = warden.authenticate!({
:scope => :user,
:recall => "#{controller_path}#login"
})
sign_in(:user, resource)
I came across the need for handling authentication outside a subclass of Devise::SessionsController
by developing an engine that works alongside of Spree Commerce, which already implements devise authentication.
来源:https://stackoverflow.com/questions/6143814/devise-have-multiple-controllers-handle-user-sessions