03 Jan 12

Simple behind-the-scenes API authentication with OAuth2

Like many others I’ve been spending a lot of time with OAuth2 lately. The single-sign-on system we’ve built at GDS acts as a very simple oauth provider for our other apps (effectively just joining up the oauth2-provider and devise gems), and we’re probably going to be extending our API adapter code so that we can use it for those apps whose APIs need authentication.

What I’d not explored for a while was the simplest way to implement app-to-app oauth where there’s no UI for user interaction, so over the New Year break I pulled something together for another project. It’s all pretty straightforward but not very well documented, so I thought I’d better share.

The easiest thing to do if you want to allow an oauth client to work with your app is just to generate the ID, secret and access token for whoever’s responsible for the app and to provide them (securely) for direct use.

In order to do that in the rails app I was focussed on I knocked up a class to help me with that when using the aforementioned oauth2-provider:

and then a few rake tasks for interacting with it:

In the oauth-provider world, any “authorization” can be owned by a resource, which is any other model in your app. In a standard app like our SSO solution that’ll probably be a user, but in the app I’m working on here it’s an organisation that may have many users. You get access to that resource in your controllers with, eg:

And with that I had my API protected using everyone’s favourite standard authentication protocol.
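As an added illustration of the pre-issued-credential approach described above (this is not the post’s own helper class, nor the oauth2-provider gem’s API): a small Ruby class that mints a client ID, secret and access token for an organisation, keeps only digests server-side, and resolves a Bearer header back to the owning resource, rejecting expired or revoked tokens. The `ApiCredentialStore` name, in-memory storage and SHA-256 digests are assumptions for the example.

```ruby
require 'securerandom'
require 'digest'

# Added example: pre-issued OAuth2-style credentials for app-to-app API access.
class ApiCredentialStore
  Client = Struct.new(:client_id, :secret_digest, :token_digest, :owner, :expires_at)

  # clock is injectable so expiry can be tested deterministically
  def initialize(clock: -> { Time.now })
    @clients = {} # client_id => Client; in-memory stand-in for a DB table
    @clock = clock
  end

  # Mint id, secret and access token for the app's owner (e.g. an organisation).
  # The plaintext secret/token are returned once; only digests are retained.
  def issue(owner, ttl: 30 * 24 * 3600)
    client_id = SecureRandom.hex(16)
    secret    = SecureRandom.hex(32)
    token     = SecureRandom.urlsafe_base64(32)
    @clients[client_id] = Client.new(client_id, digest(secret), digest(token),
                                     owner, @clock.call + ttl)
    { client_id: client_id, client_secret: secret, access_token: token }
  end

  # Resolve the resource (owner) for an Authorization header, or nil if rejected.
  def resource_for(authorization_header)
    m = /\ABearer (\S+)\z/.match(authorization_header.to_s)
    return nil unless m
    presented = digest(m[1])
    client = @clients.values.find { |c| secure_equal?(c.token_digest, presented) }
    return nil if client.nil? || client.expires_at <= @clock.call
    client.owner
  end

  def revoke(client_id)
    @clients.delete(client_id)
  end

  private

  def digest(s)
    Digest::SHA256.hexdigest(s)
  end

  # constant-time comparison of equal-length hex digests
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

In a Rails controller the equivalent of the `resource_for` call would sit in a before filter that halts with 401 when it returns nil.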


07 Jan 11

Adding actions to Devise controllers


It wasn’t the most fun I could imagine having during a “holiday season” but while holed up in Chicagoland over Christmas I spent a couple of days porting a few of my older Rails apps to use a more up to date stack: Rails 3, Devise, Inherited Resources, Formtastic, etc. The idea is that if the apps are on a stack I use every day, I’ll spend less of my time reloading old tools into my head when the inevitable tweaks are required. We’ll see how that goes.

Anyway…

Two of the apps I was working on include member profile pages. Having carefully chosen my devise model names to match the language of my app I wanted to use the same controller that’s used for registrations for other member actions. Initially I tried just extending the relevant controller and updating the route:

config/routes.rb

  devise_for :members, :controllers => { :registrations => "members" }

app/controllers/members_controller.rb

class MembersController < Devise::RegistrationsController
  def show
    ...
  end
end

but I kept getting ActionController::UnknownAction exceptions when I tried to request a member profile page.

It turns out that Devise runs a before_filter called is_devise_resource? in its controllers and that wasn’t recognising any actions that aren’t included in the core devise controllers. It also runs authenticate_scope! for relevant actions.

With that discovered it was easy enough to update my controller to

class MembersController < Devise::RegistrationsController
  # is_devise_resource? rejects any action Devise doesn't know about,
  # so skip it for the custom member actions
  skip_before_filter :is_devise_resource?, :only => [:index, :show, :edit, :update]
  # skipping authenticate_scope! removes Devise's login check for these actions,
  # so they must enforce authentication another way (e.g. authenticate_member!)
  skip_before_filter :authenticate_scope!, :only => [:edit, :update, :destroy]

  def show
    ...
  end
end

and everything fell into place.


10 May 10

Ninja Tune XX


It’s been twenty years since Coldcut formed Ninja Tune and they’ve got a lot planned to celebrate that anniversary. There’ll be events, a very special box set, and… a website featuring exclusive giveaways every week for the next twenty weeks. Ninja Tune XX launched at 4pm today.

This is the rush job I’ve referred to in recent weeknotes, and it feels great to have it launched. It’s already attracting quite a bit of traffic and seems to be holding up well sitting on a little dreamhost private server (we needed cheap access to a lot of bandwidth). Under the hood it’s a Rails 3 app talking to MongoDB via mongoid. We’re using devise for authentication, formtastic for forms and InheritedResources to keep controller code to a minimum.

One of the very pleasing things has been how little there is to say about that stack: with the exception of one issue around multiparameter attributes in mongoid, it’s all just worked. How nice.