个人中心
gpt4 book ai didi

ruby-on-rails - JWT 如何注销

转载 作者:行者123 更新时间:2023-12-01 22:19:01 26 4
gpt4 key购买 nike

  • ruby 2.2.4
  • Rails 4.1.8
  • 设计3.4.1

大家好,我遵循了一个教程 ( https://github.com/jimjeffers/rails-devise-cors-jwt-example ),该教程在通过 JSON 进行远程身份验证时覆盖 Devise 以传递 JWT。不过我想通过注销功能来改进这个应用程序。但我该怎么做呢?实际上,使用教程中的这段代码,一旦我成功通过身份验证,我就无法注销或再次注册:

 You are already signed in.

    Welcome#index

    Find me in app/views/welcome/index.html.erb

问题是,我该怎么做?我如何实现用户可以注销或重新注册?

下面是部分代码:registrations_controller.rb

class Users::RegistrationsController < Devise::RegistrationsController
  # Disable CSRF protection
  skip_before_action :verify_authenticity_token

  # Be sure to enable JSON.
  respond_to :html, :json
end

session_controller.rb

# This is an example of how to extend the devise sessions controller
# to support JSON based authentication and issuing a JWT.
class Users::SessionsController < Devise::SessionsController
  # Require our abstraction for encoding/deconding JWT.
  require 'auth_token'


  # Disable CSRF protection
  skip_before_action :verify_authenticity_token

  # Be sure to enable JSON.
  respond_to :html, :json

  # POST /resource/sign_in
  def create

    # This is the default behavior from devise - view the sessions controller source:
    # https://github.com/plataformatec/devise/blob/master/app/controllers/devise/sessions_controller.rb#L16
    self.resource = warden.authenticate!(auth_options)
    set_flash_message(:notice, :signed_in) if is_flashing_format?
    sign_in(resource_name, resource)
    yield resource if block_given?

    # Here we're deviating from the standard behavior by issuing our JWT
    # to any JS based client.
    token = AuthToken.issue_token({ user_id: resource.id })
    respond_to do |format|
      format.json { render json: {user: resource.email, token: token} }
    end

    # The default behavior would have been to simply fire respond_with:
    # respond_with resource, location: after_sign_in_path_for(resource)
  end
end

api_controller.rb

class ApiController < ApplicationController
  # No action on this controller is accessible without a
  # supplying a valid token.
  before_filter :verify_jwt_token

  def test
    respond_to do |format|
      format.json { render json: {'sample' => 'data'}}
    end
  end
end

application_controller.rb

class ApplicationController < ActionController::Base
  # We depend on our auth_token module here.
  require 'auth_token'
  # Prevent CSRF attacks by raising an exception.
  # For APIs, you may want to use :null_session instead.
  # protect_from_forgery with: :null_session
  protected
    ##
    # This method can be used as a before filter to protect
    # any actions by ensuring the request is transmitting a
    # valid JWT.
    def verify_jwt_token
      head :unauthorized if request.headers['Authorization'].nil? ||
          !AuthToken.valid?(request.headers['Authorization'].split(' ').last)
    end
end

models/user.rb

class User < ActiveRecord::Base
  # Include default devise modules. Others available are:
  # :confirmable, :lockable, :timeoutable and :omniauthable
  devise :database_authenticatable, :registerable,
         :recoverable, :rememberable, :trackable, :validatable
end

routes.rb

Rails.application.routes.draw do
  devise_for :users, controllers: {
    sessions: 'users/sessions',
    registrations: 'users/registrations'
  }
  get '/api/test', to: 'api#test'
  root 'welcome#index'
end

lib/auth_token.rb

require 'jwt'

module AuthToken
  def AuthToken.issue_token(payload)
    payload['exp'] = 24.hours.from_now.to_i # Set expiration to 24 hours.
    JWT.encode(payload, Rails.application.secrets.secret_key_base)
  end

  def AuthToken.valid?(token)
    begin
      JWT.decode(token, Rails.application.secrets.secret_key_base)
    rescue
      false
    end
  end
end

任何想法或建议都会对我很有帮助。我为这个问题苦苦挣扎了很多天

更新:这是我的 Android 应用程序界面,我如何实现删除功能? 

public interface Interface {

    //This method is used for "POST"
    @FormUrlEncoded

    @POST("/")
    void postData(@Field("method") String method,
                  @Field("email") String username,
                  @Field("password") String password,
                  Callback<ServerResponse> serverResponseCallback);
}

最佳答案

正如 Florent 所说,在客户端,您只需删除 token (将其从 SharedPreferences 或用于存储当前 token 的任何其他持久存储中删除),而对于服务器端,您有以下几个选项:最好还好。

刷新 token :最好的选择,您可以阅读 here 。本质上,您有两种 token :访问 token 和刷新 token 。刷新 token 用于在访问 token 过期后对其进行更新。例如,在当前 24 小时的方法中,用户需要每天登录。但是,如果您注销,则会删除客户端中的两个 token ,并且访问 token 最终将永久过期。

重新发行代币:这是之前版本的更简单、更幼稚的版本。添加重新颁发 token 功能,让您可以更新当前 token (再次在代码中调用 AuthToken.issue_token)。您的客户端可以在当前 token 到期之前的某个时间调用它。

黑名单 token :在这种情况下,您需要将以前使用的 token 存储在数据库中,这有点违背了目的,因为您必须不断地针对数据库进行验证,而不仅仅是解码。

关于ruby-on-rails - JWT 如何注销,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/39352862/

26 4 0
文章推荐: full-text-search - 使用 Lucene/Solr 进行类似 Digg 的搜索结果排名?
文章推荐: java - 如何在两个jsp之间发送数据?
文章推荐: Coldfusion 将 onRequestEnd() 与 Application.cfm 文件结合使用
文章推荐: java - jsp转java代码后乱码如何解决
行者123
个人简介

我是一名优秀的程序员,十分优秀!

滴滴打车优惠券免费领取
滴滴打车优惠券
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com