Problem z cURL DELETE token authentication

ukson · June 7, 2014, 12:39pm

Chce zrobić RESTowe API do serwera railsowego, aby móc korzytać z niego za pomocą apki mobilnej. Bazuję na
http://lucatironi.github.io/tutorial/2012/10/15/ruby_rails_android_app_authentication_devise_tutorial_part_one/

Z racji, że w nowszych wersjach devise nie ma token authentication zrobiłem go przy użyciu tego:

gist.github.com

https://gist.github.com/josevalim/fb706b1e933ef01e4fb6

1_unsafe_token_authenticatable.rb

# This snippet shows how TokenAuthenticatable works in Devise today.
# In case you want to maintain backwards compatibility, you can ditch
# devise's token mechanism in favor of this hand-rolled one. If not,
# it is recommended to migrate to the mechanism defined in the following
# snippet (2_safe_token_authenticatable.rb).
#
# In both snippets, we are assuming the User is the Devise model.
class User < ActiveRecord::Base
  # You likely have this before callback set up for the token.
  before_save :ensure_authentication_token

This file has been truncated. show original

2_safe_token_authentication.rb

# We could make the authentication mechanism above a bit more safe
# by requiring a token **AND** an e-mail for token authentication.
# The code in the model looks the same, we just need to slightly
# change the controller:
class ApplicationController < ActionController::Base
  # This is our new function that comes before Devise's one
  before_filter :authenticate_user_from_token!
  # This is Devise's authentication
  before_filter :authenticate_user!

This file has been truncated. show original

Tutaj pojawia się mój problem - kiedy testuję API cURLem POST działa, za to DELETE nie. Kiedy próbuję

curl -v -H 'Content-Type: application/json' -H 'Accept: application/json' -X DELETE http://localhost:3000/api/v1/sessions/\?auth_token\=CvX8WZr2MjVhWYxxEXYy

albo

curl -v -H 'Content-Type: application/json' -H 'Accept: application/json' -X DELETE http://localhost:3000/api/v1/sessions -d "{\"auth_token\":\"CvX8WZr2MjVhWYxxEXYy\"}"

oczywiście z moim tokenem, otrzymuję reponse

{"error":"You need to sign in or sign up before continuing."} oraz HTTP/1.1 401 Unauthorized

W dodatku log z serwera wygląda następująco:

Started DELETE "/api/v1/sessions" for 127.0.0.1 at 2014-06-07 03:11:17 +0200
Processing by Api::V1::SessionsController#destroy as JSON
  Parameters: {"auth_token"=>"CvX8WZr2MjVhWYxxEXYy", "session"=>{"auth_token"=>"CvX8WZr2MjVhWYxxEXYy"}}
Completed 401 Unauthorized in 1ms

Kod moich kluczowych plików:

application_controller.rb

class ApplicationController < ActionController::Base
  # Prevent CSRF attacks by raising an exception.
  # For APIs, you may want to use :null_session instead.
  protect_from_forgery with: :exception

    before_filter :authenticate_user_from_token!
    before_filter :authenticate_user!

    private
    def authenticate_user_from_token!
        user_email = params[:user_email].presence
        user = user_email && User.find_by_email(user_email)

        if user && Devise.secure_compare(user.authentication_token, params[:user_token])
            sign_in user, store: false
        end
    end
end

sessions_controller.rb

class Api::V1::SessionsController < Devise::SessionsController
  skip_before_filter :verify_authenticity_token,
                     :if => Proc.new { |c| c.request.format == 'application/json' }

  respond_to :json

  def create
    warden.authenticate!(:scope => resource_name, :recall => "#{controller_path}#failure")
    render :status => 200,
           :json => { :success => true,
                      :info => "Logged in",
                      :data => { :auth_token => current_user.authentication_token } }
  end

  def destroy
    warden.authenticate!(:scope => resource_name, :recall => "#{controller_path}#failure")
    current_user.update_column(:authentication_token, nil)
    render :status => 200,
           :json => { :success => true,
                      :info => "Logged out",
                      :data => {} }
  end

  def failure
    render :status => 401,
           :json => { :success => false,
                      :info => "Login Failed",
                      :data => {} }
  end
end

user.rb

class User < ActiveRecord::Base
  # Include default devise modules. Others available are:
  # :confirmable, :lockable, :timeoutable and :omniauthable
  devise :database_authenticatable, :registerable,
         :recoverable, :rememberable, :trackable, :validatable,
         :confirmable

  attr_accessible :name, :email, :password, :password_confirmation, :remember_me

  before_save :ensure_authentication_token

  def ensure_authentication_token
      if authentication_token.blank?
          self.authentication_token = generate_authentication_token
      end
  end

  def skip_confirmation!
      self.confirmed_at = Time.now
  end

  private

  def generate_authentication_token
      loop do
          token = Devise.friendly_token
          break token unless User.where(authentication_token: token).first
      end
  end
end

routes.rb

Ihome::Application.routes.draw do
  get "welcome/index"
  devise_for :users

  root 'welcome#index'

  namespace :api do
    namespace :v1 do
      devise_scope :user do
        post 'sessions' => 'sessions#create', :as => 'login'
        delete 'sessions' => 'sessions#destroy', :as => 'logout'
      end
    end
  end
end

Wiecie może co jest powodem, że ten DELETE mi się sypie ? Przeanalizowałem cały kod i nigdzie nie mogę dostrzec nic szczególnego, a to bardzo ważne i pilne dla mnie. Proszę o pomoc