本文来源于ruby-china
https://ruby-china.org/topics/25822
1. 新建项目
rails new build-an-api-rails-demo
2. 生成控制器
#不生成资源文件
rails g controller api/v1/base --no-assets
编辑 app/controller/api/v1/base_controller.rb
class Api::V1::BaseController < ApplicationController
#disable the CSRF token
protect_from_forgery with: :null_session
#protect_form_forgery :with => :null_session
#disable the cookies (no set-cookies header in response)
before_action :destroy_session
#disable the CSRF token
skip_before_action :verify_authenticity_token
def destroy_session
request.session_options[:skip] = true
end
end
在BaseController中禁止了CSRF token 和cookies⬆️
3.配置路由
namespace :api do
namespace :v1 do
resources :users, only: [:index, :create, :show, :update, :destroy]
#⬆️⬇️两种写法是等价的
#resources :users, :only => [:index, :create, :show, :update, :destroy]
end
end
4. 生成控制器(UsersController)
rails g controller api/v1/users --no-assets
编辑app/controller/api/v1/users_controller.rb
class Api::V1::UsersController < Api::V1::BaseController
def show
@user = User.find(params[:id])
end
end
编辑app/views/api/v1/users/show.json.jbuilder
json.user do
json.(@user, :id, :email, :name, :activated, :admin, :created_at, :updated_at)
end
5. 建立User模型和users表
rails g model User
app/models/user.rb
class User < ActiveRecord::Base
end
db/migrate/****_create_users.rb
class CreateUsers < ActiveRecord::Migration
def change
create_table :users do |t|
t.string :email
t.string :name
t.datetime :activated
t.boolean :admin, default: false
t.timestamps null: false
end
end
end
6. 生成测试数据
db/seeds.rb
users = User.create([
{
email: 'test01@example.com',
name: 'test01',
activated: DateTime.now,
admin: false
},
{
email: 'test02@example.com',
name: 'test02',
activated: DateTime.now,
admin: false
}
])
创建种子数据
rake db:seed
7. 运行服务器并测试
rails s -b 0.0.0.0
#
curl -i http://localhost:3000/api/v1/users/1.json
8. 增加认证过程
上述的过程并没有用户认证,可以直接获取用户信息,这是不安全的.
认证过程是这样的,用户把用户名和密码通过HTTP POST请求发送到API,如果用户名和密码匹配,我们就会把token发送给用户。这个token就是用来证明用户身份的凭证。然后在以后的每个请求中,我们通过这个token来查找用户,如果没有找到就返回401错误
#给User模型增加authentication_token属性
rails g migration add_authentication_token_to_users
db/migrate/***_add_authentication_token_to_users.rb
class AddAuthenticationTokenToUsers < ActiveRecord::Migration
def change
add_column :users, :authentication_token, :string
end
end
rake db:migrate
生成authentication_token
app/model/user.rb
class User < ActiveRecord::Base
before_create :generate_authentication_token
def generate_authentication_token
loop do
self.authentication_token = SecureRandom.base64(64)
break if !User.find_by(authentication_token: authentication_token)
end
end
def reset_auth_token!
generate_authentication_token
save
end
end
9. 生成session控制器(用户认证用)
rails g controller api/v1/sessions --no-assets
app/controller/api/v1/sessions_controller.rb
class Api::V1::SessionsController < Api::V1::BaseController
def create
@user = User.find_by(email: create_params[:email])
#authenticate是bcrypt这个Gem包中的方法
if @user && @user.authenticate(create_params[:password])
self.current_user = @user
else
return api_error(status: 401)
end
end
private
def create_params
params.require(:user).permit(:email, :password)
end
end
10. 给User模型增加password相关属性
在Gemfile里将gem 'bcrypt'
#Use ActiveModel has_secure_password
gem 'bcrypt'
app/models/user.rb
class User < ActiveRecord::Base
#加这句话user有password属性,对应表字段password_digest
#可以用user.password = "123",自动转化为加密字符串
+has_secure_password
end
给User模型增加password_digest属性
rails g migration add_password_digest_to_users
db/migratie/***_add_password_to_users
class AddPasswordDigestToUsers < ActiveRecord::Migration
def change
add_column :users, :password_digest, :string
end
end
rake db:migrate
给数据库中已存在的测试用户增加密码和authentication token
#在rails console中执行,但是console不能执行多行。所以这个意思
User.all.each {|user| user.password = '123123' user.reset_auth_token!
user.save }
实现current_user方法
app/controller/api/v1/base_controller.rb
class Api::V1::BaseController < ApplicationController
+ attr_accessor :current_user
end
实现app/views/api/v1/sessions/create.json.jbuilder
#返回用户信息和access_token,后续根据access_token就可以访问
json.session do
json.(@user, :id, :name, :admin)
json.token @user.authentication_token
end
实现api_err
class Api::V1::BaseController < ApplicationController
+ def api_error(opts = {})
+ render nothing: true, status: opts[:status]
+ end
end
api_error(status: 401)
11. 验证用户token
class Api::V1::BaseController < ApplicationController
+ def authenticate_user!
+ token, options = ActionController::HttpAuthentication::Token.token_an_options
+ user_email = options.blank?? nil : options[:email]
+ user = user_email && User.find_by(email: user_email)
+ if user && ActiveSupport::SecurityUtils.secure_compare(user.authentication_token, token)
+ self.current_user = user
+ else
+ return unauthenticated!
+ end
+ end
end
英语小课堂
authenticity n. 真实性,确实性;可靠性
authentication n. 证明;鉴定;证实