Q: Using acts_as_token_authentication_handler_for in the base controller: how do I create exceptions? (R: :only/:except options are supported) #53

Closed
lfglopes opened this issue Apr 16, 2014 · 7 comments
Labels
enhancement question When closed, this issue will become part of the FAQ.

@lfglopes

Using the devise way I can do

skip_before_filter :authenticate_user!, :except => [:update, :you_have_to_be_logged, :yadayada]

But if I put acts_as_token_authentication_handler_for on my base controller these "skip" operations have no effect and all my app becomes locked. How do I override these?

@lfglopes lfglopes changed the title Q: Using acts_as_token_authentication_handler_for in the base controller how do I create exceptions? Q: Using acts_as_token_authentication_handler_for in the base controller: how do I create exceptions? Apr 16, 2014
@lfglopes
Author

So I've commented out this line and now I can use :authenticate_whatever at my own will through the controllers.

But thinking that this use-case does not apply to anyone else makes me wonder what I'm doing wrong...

@bryanaka

@lfglopes unfortunately, this is because the actual filter getting registered is the authenticate_entity! method and not the authenticate_user! method. The former calls the latter.

@gonzalo-bulnes I'm curious as to why you do not allow the user to be responsible for injecting these filters? This behavior forces an opt-out instead of opt-in behavior, which isn't expected coming from devise.

@gonzalo-bulnes
Owner

Hello @lfglopes,

Instead of adding acts_as_token_authentication_handler_for :model to your base controller, you can add it specifically to the controllers which require it. (Several controllers can be token authentication handlers for a given model.) Once that is done, you should be able to skip the Devise authentication step where necessary. Depending on the authentication behaviour you want to create, that could permit you to avoid the issue, or might not be enough. Is this of any help?

@gonzalo-bulnes
Owner

The pull-request #61 addresses two issues which were present in this question/discussion:

  1. the possibility to create exceptions when using acts_as_token_authentication_handler_for Model
  2. the possibility to specifically skip the Devise authentication fallback

Since the second topic was discussed in #49 (and will be solved soon thanks to #61), I suggest we focus this issue topic on the first point: the possibility to create exceptions when using acts_as_token_authentication_handler_for Model.

A possible implementation was submitted by @donbobka in #61, which, I think, could be improved.

Comments would be welcome about which syntax (for usage) you would expect the option to have!

@donbobka
Contributor

I propose replacing the :before_filter parameter in my PR with :only/:except parameters.

Possible usages:

# Only specified actions
acts_as_token_authentication_handler_for User, only: [:actions, :with, :token, :auth]
# All actions except specified actions
acts_as_token_authentication_handler_for User, except: [:actions, :without, :token, :auth]
# Manual mode
acts_as_token_authentication_handler_for User, only: :none
before_filter :authenticate_entity_from_token!, only: [:actions, :with, :token, :auth]

@gonzalo-bulnes
Owner

Hi @donbobka,

Yes, I think that's a much better syntax. I like the only: :none option, but do you have some specific scenario in mind where it must be used?

@donbobka
Contributor

only: :none and except: :all are the standard logic of the only/except parameters for before_filter

PR #62
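
Added example (not part of the thread and not code from simple_token_authentication): a plain-Ruby model of the coverage question discussed above, showing why a skip aimed at authenticate_user! leaves every action locked when the registered filter is authenticate_entity!, and which actions an except: list leaves without token authentication. MiniController, unauthenticated_actions and the sample controllers are hypothetical names, and :none/:all are treated the way the comments above describe them.

```ruby
# Added example: plain-Ruby model of filter coverage, not simple_token_authentication code.
# MiniController and unauthenticated_actions are hypothetical names.
class MiniController
  class << self
    def filters
      @filters ||= []
    end

    def inherited(sub)
      super
      sub.filters.concat(filters.map(&:dup)) # subclasses start with the parent's filters
    end

    def before_filter(name, only: nil, except: nil)
      filters << { name: name, only: only, except: except, skipped: [] }
    end

    # A skip matches on filter name only, so the name has to be the registered one.
    def skip_before_filter(name, only:)
      filters.each { |f| f[:skipped] |= Array(only) if f[:name] == name }
    end

    def applies?(filter, action)
      return false if filter[:skipped].include?(action)
      return false if filter[:only] == :none || filter[:except] == :all
      return Array(filter[:only]).include?(action) if filter[:only]
      !Array(filter[:except]).include?(action)
    end

    # Actions of this controller that no filter called filter_name covers.
    def unauthenticated_actions(filter_name)
      public_instance_methods(false).reject do |action|
        filters.any? { |f| f[:name] == filter_name && applies?(f, action) }
      end.sort
    end
  end
end

class LockedBase < MiniController
  before_filter :authenticate_entity! # the filter the handler registers, per the thread
end

class PostsController < LockedBase # constructed sample controller
  skip_before_filter :authenticate_user!, only: [:index, :show] # wrong name: no effect
  %i[index show update].each { |a| define_method(a) {} }
end

class ArticlesController < MiniController # constructed sample controller
  before_filter :authenticate_entity!, except: [:index, :show]
  %i[index show update].each { |a| define_method(a) {} }
end
```

Calling unauthenticated_actions(:authenticate_entity!) on each controller gives a list that can be reviewed or asserted in a test suite, so a new action that falls outside the token filter shows up as a change in that list.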

@gonzalo-bulnes gonzalo-bulnes added this to the v1.4.0 milestone May 22, 2014
@gonzalo-bulnes gonzalo-bulnes changed the title Q: Using acts_as_token_authentication_handler_for in the base controller: how do I create exceptions? Q: Using acts_as_token_authentication_handler_for in the base controller: how do I create exceptions? (R: :only/:except options are supported) Jun 10, 2014