do not use devise strategy for api auth

2 years ago · 94a13ffca2
parent 64c8707957
commit 94a13ffca2
3 changed files with 12 additions and 24 deletions
--- a/app/controllers/api/api_base_controller.rb
+++ b/app/controllers/api/api_base_controller.rb
@ -33,6 +33,17 @@ module Api
      result
    end

+    def authenticate_user!
+      @current_user ||=
+        if request.headers['X-Auth-Token'].present?
+          sha256 = Digest::SHA256.hexdigest(request.headers['X-Auth-Token'])
+
+          User.joins(:access_token).find_by(access_token: { sha256: })
+        end
+
+      render json: { error: 'Not authenticated' }, status: :unauthorized unless current_user
+    end
+
    def current_account
      current_user&.account
    end
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@ -1,9 +1,5 @@
 # frozen_string_literal: true

-require_relative '../../lib/auth_with_token_strategy'
-
-Warden::Strategies.add(:auth_token, AuthWithTokenStrategy)
-
 Devise.otp_allowed_drift = 60.seconds

 # Assuming you have not yet modified this file, each configuration option below
@ -279,7 +275,7 @@ Devise.setup do |config|
  #
  config.warden do |manager|
    # manager.intercept_401 = false
-    manager.default_strategies(scope: :user).unshift(:auth_token)
+    # manager.default_strategies(scope: :user).unshift(:auth_token)
  end

  # ==> Mountable engine configurations
--- a/lib/auth_with_token_strategy.rb
+++ b/lib/auth_with_token_strategy.rb
@ -1,19 +0,0 @@
-# frozen_string_literal: true
-
-class AuthWithTokenStrategy < Devise::Strategies::Base
-  def valid?
-    request.headers['X-Auth-Token'].present?
-  end
-
-  def authenticate!
-    sha256 = Digest::SHA256.hexdigest(request.headers['X-Auth-Token'])
-
-    user = User.joins(:access_token).find_by(access_token: { sha256: })
-
-    if user
-      success!(user)
-    else
-      fail!('Invalid token')
-    end
-  end
-end