I'm trying to get my head round offering up an API for a RESTful app; is it just a matter of;

1. adding an api_key column to the resource on which incoming requests will be made (the app has a User model but I think the API authentication will need to be done on the Site model to which Users belong),

2. generating the API key using Digest::SHA1 or similar (the last dev used SHA1 for the passwords),

3. authenticating via API keys in a filter (perhaps something along the lines of option 2 here http://www.whatcodecraves.com/articles/2008/11/25/how_to_make_an_api_for_a_rails_app/).

Unfortunately, the authentication lib is custom (I would much prefer to be working with one of the community adopted plugins such as Authlogic, which appears to have API key authentication anyway).

Am I missing anything or does that sound like a reasonable starting point?

--
Posted via http://www.ruby-forum.com/.

If your site is like most, API keys are handed out to users. So it would probably be best to just store the key on the user model, and then do a User.find_by_api_key(..etc...) in your before_filter.

--Matt Jones

On May 30, 6:02 am, Neil Cauldwell <rails-mailing-l...-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
> I'm trying to get my head round offering up an API for a RESTful app; is
> it just a matter of;
>
> 1. adding an api_key column to the resource on which incoming requests
> will be made (the app has a User model but I think the API authentication
> will need to be done on the Site model to which Users belong),
>
> 2. generating the API key using Digest::SHA1 or similar (the last dev
> used SHA1 for the passwords),
>
> 3. authenticating via API keys in a filter (perhaps something along the
> lines of option 2 here http://www.whatcodecraves.com/articles/2008/11/25/how_to_make_an_api_...).
>
> Unfortunately, the authentication lib is custom (I would much prefer to
> be working with one of the community adopted plugins such as Authlogic,
> which appears to have API key authentication anyway).
>
> Am I missing anything or does that sound like a reasonable starting
> point?
> --
> Posted via http://www.ruby-forum.com/.

Matt Jones wrote:
> If your site is like most, API keys are handed out to users. So it
> would probably be best to just store the key on the user model, and
> then do a User.find_by_api_key(..etc...) in your before_filter.
>
> --Matt Jones
>
>
> On May 30, 6:02 am, Neil Cauldwell <rails-mailing-l...@andreas-s.net>

Thanks Matt

I was coming to the conclusion that all apps are authorizing API keys per user, rather than per business or account, as I was thinking of doing in this instance. The main reason for the original line of thought is that this application charges for usage per 'Site' (it's a bit like you might expect a 'Business' or 'Account' model to work) and I've been reading that the main reason for API keys is that they can be used to monitor usage - and if I'm monitoring usage, I'm probably going to do it on a per-Site model basis.

Here's a tutorial on how to add the API keys to restful-authentication, in case any fellow new newbies stumble across this thread; http://www.compulsivoco.com/2009/05/rails-api-authentication-using-restful-authentication/

--
Posted via http://www.ruby-forum.com/.
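
The per-Site scheme discussed in this thread, as an added example that is not from any of the posters: plain Ruby with an in-memory table standing in for the database, showing key issue, the lookup a before_filter would perform, per-Site usage counting, and rotation. `Site` (a Struct) and `SiteKeyStore` are hypothetical names; the key comes from `SecureRandom` and only its SHA-256 digest is stored, which is a substitution for the `Digest::SHA1` generation mentioned above.

```ruby
require "securerandom"
require "digest"

# Hypothetical stand-in for the thread's Site model (one row per customer site).
Site = Struct.new(:id, :name, :api_key_digest, :request_count)

# Hypothetical helper; in a Rails app the hash below would be an indexed
# api_key_digest column on the sites table.
class SiteKeyStore
  def initialize
    @sites_by_digest = {}
  end

  # The key is 256 bits from the OS CSPRNG, not a hash of guessable inputs
  # such as a timestamp or login. Only its digest is kept, so a leaked table
  # does not hand out usable keys. An unsalted fast hash is acceptable here
  # because the input is high-entropy random data, unlike a password.
  def issue_key(site)
    raw_key = SecureRandom.hex(32) # 64 hex characters
    site.api_key_digest = Digest::SHA256.hexdigest(raw_key)
    @sites_by_digest[site.api_key_digest] = site
    raw_key # returned once to the customer, never stored
  end

  # What the before_filter would call with the key from the request.
  # Returns the Site, or nil so the filter can answer 401.
  def authenticate(presented_key)
    return nil unless presented_key.is_a?(String) && presented_key.match?(/\A\h{64}\z/)
    site = @sites_by_digest[Digest::SHA256.hexdigest(presented_key)]
    return nil unless site
    site.request_count += 1 # per-Site usage metering for billing
    site
  end

  # Rotation removes the old digest first, so the old key stops working at once.
  def rotate_key(site)
    @sites_by_digest.delete(site.api_key_digest)
    issue_key(site)
  end
end

if __FILE__ == $0
  store = SiteKeyStore.new
  site  = Site.new(1, "Example Site", nil, 0) # constructed sample record
  key   = store.issue_key(site)
  store.authenticate(key)
  puts "requests billed to #{site.name}: #{site.request_count}"
end
```
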