
I have this following controller for my application:

class Api::BaseApiController < ApplicationController
  # parse_request is defined elsewhere and is not part of this excerpt
  before_action :parse_request, :authenticate_member_from_token!

  def index
    render nothing: true, status: 200
  end

  protected

  def authenticate_member_from_token!
    # Note the condition: the lookup only runs when the header is absent
    if !request.headers[:escambo_token]
      @member = Member.find_by_valid_token(:activate, request.headers['escambo_token'])
      if !@member
        render nothing: true, status: :unauthorized
      end
    end
  end
end

Then, I have another controller that inherits from that Controller:

class Api::CategoryController < Api::BaseApiController
  # find_category is defined elsewhere and is not part of this excerpt
  before_action :find_category, except: [:index]

  def index
    @category = Category.all
    puts(@category)
    render json: @category
  end
end

But the controller is allowing requests without the token.

EDIT 1: for some reason the index action started working normally. But it is still not validating the token.

EDIT 2: fixing method from private to protected

  • @SergioTulentsev already fixed! Thanks. Commented Apr 4, 2018 at 17:11
  • are you sure it's going through the correct methods? you can put breakpoints in there to ensure they're being called Commented Apr 4, 2018 at 17:11
  • @maxpleaner I edited the question again. Commented Apr 4, 2018 at 17:14
  • @olegario: so you're saying it doesn't enter authenticate_member_from_token!? How do you know? Does it enter parse_request? Commented Apr 4, 2018 at 17:15
  • If authenticate_member_from_token! isn't being called, then there's something crucial missing from your code above. I see no reason why it wouldn't be called. Commented Apr 4, 2018 at 17:16

1 Answer

Your code needs to render :unauthorized if the token is missing, OR invalid. In other words, you need the code to be along the lines of:

def authenticate_member_from_token!
  # find_by_valid_token returns nil for a missing header (nil token) and for
  # an unknown token alike, so one check covers both cases
  unless Member.find_by_valid_token(:activate, request.headers['escambo_token'])
    render nothing: true, status: :unauthorized # head :unauthorized on Rails 5.1+
  end
end

However, with this code you may find yourself double-rendering in the controller. A cleaner approach could be to instead raise an exception, then rescue from it and render appropriately - e.g.

class Api::BaseApiController < ApplicationController
  EscamboTokenInvalid = Class.new(StandardError)

  before_action :parse_request, :authenticate_member_from_token!
  rescue_from EscamboTokenInvalid, with: :escambo_unauthorized

  protected

  def authenticate_member_from_token!
    unless Member.find_by_valid_token(:activate, request.headers['escambo_token'])
      raise EscamboTokenInvalid
    end
  end

  def escambo_unauthorized
    render nothing: true, status: :unauthorized # head :unauthorized on Rails 5.1+
  end
end

2 Comments

No double-rendering here. If before_action renders (or redirects), action is not performed.
Ah, fair enough. The quirks of rails..... Still, it's common practice to raise an exception so custom handling can be given as desired.
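The following is an added example, not code from the question or the answer. It models the filter in plain Ruby so it runs without Rails: a constructed Member table with made-up activation tokens, a Request stand-in that only carries headers, and a controller base that runs the filter before the action and maps the exception to a 401 the way the answer's rescue_from does. It also keeps a copy of the question's original condition (`if !request.headers[...]`) so you can see why a request that sends any header value, valid or not, slips through, and it compares tokens in constant time rather than with `==`.

```ruby
require 'digest'

EscamboTokenInvalid = Class.new(StandardError)

class Member
  # Constructed sample tokens (assumption: a real app would query the database).
  ACTIVATION_TOKENS = { 'alice' => 'a2f9c1d4e6b8', 'bob' => '7c0e5d3b9a1f' }.freeze

  attr_reader :name

  def initialize(name)
    @name = name
  end

  # Returns a Member for a valid activation token and nil for a missing,
  # empty or unknown one, so the caller needs only a single nil check.
  def self.find_by_valid_token(kind, token)
    return nil unless kind == :activate && token.is_a?(String) && !token.empty?
    ACTIVATION_TOKENS.each do |name, expected|
      return new(name) if secure_compare(expected, token)
    end
    nil
  end

  # Hash both sides so the compare is fixed-length, then XOR-accumulate every
  # byte instead of returning at the first mismatch (no timing side channel).
  def self.secure_compare(a, b)
    da = Digest::SHA256.digest(a)
    db = Digest::SHA256.digest(b)
    diff = 0
    da.bytes.zip(db.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

# Stand-in for ActionDispatch::Request: only the headers matter here.
Request = Struct.new(:headers)

# Replicates the question's original filter logic: the lookup only runs when
# the header is ABSENT, so any request carrying a header is allowed through.
# Returns true when the request would reach the action.
def original_filter_allows?(headers)
  if !headers['escambo_token']
    member = Member.find_by_valid_token(:activate, headers['escambo_token'])
    return false unless member
  end
  true
end

class BaseApiController
  attr_reader :member

  def initialize(request)
    @request = request
  end

  # Runs the before_action, then the action. An EscamboTokenInvalid raised by
  # the filter short-circuits to 401 and the action never runs.
  def process(action)
    authenticate_member_from_token!
    public_send(action)
  rescue EscamboTokenInvalid
    401
  end

  protected

  # Corrected filter: a missing header and a bad token both yield nil here.
  def authenticate_member_from_token!
    @member = Member.find_by_valid_token(:activate, @request.headers['escambo_token'])
    raise EscamboTokenInvalid unless @member
  end
end

class CategoryController < BaseApiController
  def index
    200 # stands in for render json: Category.all
  end
end

# Drives one request through the corrected controller and returns the status.
def status_for(headers)
  CategoryController.new(Request.new(headers)).process(:index)
end

if __FILE__ == $PROGRAM_NAME
  puts original_filter_allows?('escambo_token' => 'bogus')
  puts status_for({})
  puts status_for('escambo_token' => 'bogus')
  puts status_for('escambo_token' => 'a2f9c1d4e6b8')
end
```

Run it with `ruby` and the first line prints `true`: the original condition lets a bogus token through, which is the behaviour the question reports. The corrected filter returns 401 for both the missing and the bogus token and 200 only for a token that matches.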
