backbone.js - What is the best way to user authentication with Devise 3 and Backbone? -


i'm working stack:

  • core api restful rails 4 , devise 3.2
  • another app/stance backbone

i have read many articles, manuals, stackoverflow topics, google random results, blogs, etc, deprecated.

using practical approach (tl;dr here) need real session between devise 3 , backbone in different server stances , holding it, 2 separate projects. remote login, know.

i'm stuck appreciate suggestions.

thank guys.

personally have same situation in project angular instead of backbone front-end , rails 4 api devise. try sum things in assumption got question right.

to work correctly sessions in scenario need sure that:

  • browsers handle communication correctly (i.e. don't mess data because requests not comply cors policies)
  • and, requests through rails csrf protection

please, read this article cors. if not familiar cors article should provide necessary background answer. info csrf protection here

here scenario step-by-step:

  1. backbone.js sends get request such http://yourserver/signin
  2. rails server sends session cookie stored in browser , csrf token, can stored somewhere within backbone application.
  3. backbone.js sends post request user credentials (name, password) , csrf token in headers , current unauthorized session in cookies. crucial request contains session information. otherwise granted different csrf token on rails side , warning: can't verify csrf token authenticity message.
  4. backbone.js gets authorized session if credentials correct.

here can done working:

  1. rails backend should respond correctly requests front-end. means should:

    • respond options requests (preflight requests)
    • send correct cors headers
    • able communicate csrf token front-end

  2. front end should:

    • able send requests credentials
    • obtain , use correct csrf token

the simplest way teach rails back-end respond cors requests use rack-cors gem. provide correct cors headers.

config.middleware.insert_before warden::manager, rack::cors   allow     origins '*' # it's highly recommended specify correct origin     resource '*',          :headers => :any,          :methods => [:get, :post, :options], # 'options' important                                              # preflight requests         :expose  => ['x-csrf-token']   #allows usage of token on front-end   end end

last thing on backend side provide csrf token. custom devise controller should handle task perfectly.

class sessionscontroller < devise::sessionscontroller      after_action :set_csrf_header, only: [:new, :create, :destroy]      #...      protected      def set_csrf_header       response.headers['x-csrf-token'] = form_authenticity_token     end end

note need csrf token when send first get request (new), when submit credentials through post request (create) , when sign out of application sending delete request (destroy). if don't send csrf token on sign out won't able sign in without reloading page.

and somewhere in config/routes.rb don't forget specify using custom controller:

/config/routes.rb   devise_for :users, :controllers => {:sessions => "sessions"}

now, front-end. please, have @ this script overrides standard backbone.sync , handles communication rails server. couple of corrections needed:

  beforesend: function( xhr ) {     if (!options.nocsrf) {       // dont have csrf-token in document anymore         //var token = $('meta[name="csrf-token"]').attr('content');        // new line #1       // csrf token application.       // see below how gets there.       var token = yourappname.csrftoken;        if (token) xhr.setrequestheader('x-csrf-token', token);          // new line #2       // include session information in requests       xhr.withcredentials = true;     }    //..some code omitted   //................    // trigger sync end event   var complete = options.complete;   params.complete = function(jqxhr, textstatus) {      // new lines #3,4      // if response includes csrf token need remember      var token = jqxhr.getresponseheader('x-csrf-token')       if (token) yourappname.csrftoken = token;       model.trigger('sync:end');      if (complete) complete(jqxhr, textstatus);   };  }

i'm not sure qualifies complete answer question, @ least start from. might not best way, way. let me know if have questions.


-

Comments

Post a Comment

Popular posts from this blog

html - Sizing a high-res image (~8MB) to display entirely in a small div (circular, diameter 100px) -

first of all, thank being patient know simple question more couple of weeks' experience figure out. i've seen folks persevere , helpful on here , hope you're willing me. here fiddle: http://jsfiddle.net/65uzf/ here 1 of places searched answers on here: ( vertically center image thumbnails fix-sized div ) tried solutions on there , didn't work out me. i've searched ~4 or 5 others, , been unsuccessful those, too. what want take large image (what linked background-image #ysypic , #tabpic divs) , display thumbnail version of image in confines of divs have set it. is, using background properties have laid out in css, portion of image displays inside of circular divs. without these properties, display defaults smaller section of image [presumably pi*(50^2) area in top left] terrible resolution. i not care if entire image doesn't display inside of circles (it won't, given difference in shape), , overflow not being displayed fine. want able see figu
Read more

java - IntelliJ - No such instance method -

using intellij's 12 ultimate, i'm running following code in debugger: java import play.api.libs.json.jsvalue; public class foo { ... public jsvalue tojson() { ... } public class fooexample { ... foo foo = new foo(); system.out.println("...); //<-- breakpoint at breakpoint, right-clicked source code , picked "evaluate expression," typing in: foo.tojson() . but following error showed up: no such instance method: play.api.libs.json.jsvalue$class.com.foo.foo.tojson () am doing wrong? foo#tojson calls scala code, if matters. edit had breakpoint after instantiation of foo. downvoted it, deserved it. edit my answer no longer valid after op modified question (i.e. moved breakpoint actual is).. a breakpoint hit before line executed. in case foo has not yet been declared or instantiated (i.e. foo constructor has not yet been called). you'll need put breakpoint @ next line (or step on current line) if want evaluate foo .
Read more

identifier - Is it possible for an html5 document to have two ids? -

i wondering if html5 element can have 2 ids, this: <button id="thing1" id="thing2" name="button1" onclick="change()">click here</button> or this: <button id="thing1, thing2" name="button1" onclick="change()">click here</button> also, if 1 of ids said 1 thing, , other id said thing, 1 used? tl;dr : no. in versions of html, each element can have 1 id. see the spec : the id attribute specifies element's unique identifier (id). [dom] the value must unique amongst ids in element's home subtree , must contain @ least 1 character. the value must not contain space characters. note: there no other restrictions on form id can take; in particular, ids can consist of digits, start digit, start underscore, consist of punctuation , etc. note: element's unique identifier can used variety of purposes, notably way link specific parts of document usin
Read more