Rails and Post Method


Ronald Rails

Feb 15, 2011, 3:00:36 PM
to restfulie
Hi all!

When I run this command:

curl -i -H "Content-type: application/json" -d "{ 'item' :{'name' : 'REST is not cute URIs book', 'price' : 100 } }" "http://localhost:3000/items"

Shouldn't Rails reject the request because the security token is not
in the request? How does this work?

Guilherme Silveira

Feb 15, 2011, 3:20:46 PM
to rest...@googlegroups.com
Hi there,

You are right: if you keep the security token on, Rails will complain
about it and not allow your resources to be accessed.
So in order to create services that are supposed to be accessed by
anyone at any time, the security token must be deactivated.

If you need to restrict access to a resource operation, REST
authentication and authorization is usually not done through a
(Rails-specific) security token. Devs will usually pick OAuth... there is
still a token in place, but it's a more well-known approach.

What do you think?

Regards

Guilherme Silveira
Caelum | Ensino e Inovação
http://www.caelum.com.br/

Ronald Rails

Feb 15, 2011, 3:32:21 PM
to restfulie
Hi Guilherme!

I thought that Restfulie did some monkey patch so that Rails allows
requests without the security token, but I made a test with an application
without Restfulie, and when I post some data using curl, the resources
are created. Do you know why this happens?

Nowadays, is OAuth the best way to implement authentication and
authorization when we are using REST?

Thanks!

On 15 fev, 18:20, Guilherme Silveira
<guilherme.silve...@caelum.com.br> wrote:
> Hi there,
>
> You are right: if you keep the security token on, Rails will complain
> about it and not allow your resources to be accessed.
> So in order to create services that are supposed to be accessed by
> anyone at any time, the security token must be deactivated.
>
> If you need to restrict access to a resource operation, REST
> authentication and authorization is usually not done through a
> (Rails-specific) security token. Devs will usually pick OAuth... there is
> still a token in place, but it's a more well-known approach.
>
> What do you think?
>
> Regards
>
> Guilherme Silveira
> Caelum | Ensino e Inovação
> http://www.caelum.com.br/

Guilherme Silveira

Feb 16, 2011, 9:27:42 AM
to rest...@googlegroups.com, Ronald Rails
Hi Ronald,

I don't know about the curl, I believe it should not work on Rails
defaults. Can you try the following?

rails new test
cd test
rails g scaffold product
rake db:migrate
rails s &
sleep 5
curl http://localhost:3000/products -d "a=b"

Yes, most of the time we are using http authentication, oauth and
https. When using OAuth, you either implement your own OAuth provider
and satellite systems or just the satellite system connecting to the
provider you want to support (such as Twitter).

Do you need to do it in your current project?

Regards


Guilherme Silveira
Caelum | Ensino e Inovação
http://www.caelum.com.br/

Ronald Rails

Feb 18, 2011, 8:41:19 AM
to restfulie
Hi Guilherme,

I did your test and Rails inserts a record when I execute curl.
I got: AREL (0.3ms) INSERT INTO "products" ("created_at",
"updated_at") VALUES ('2011-02-18 13:37:50.126481', '2011-02-18
13:37:50.126481')

Do you know why this happens?

About authentication, I don't need to implement OAuth yet.

On Feb 16, 12:27 pm, Guilherme Silveira
<guilherme.silve...@caelum.com.br> wrote:
> Hi Ronald,
>
> I don't know about the curl, I believe it should not work on Rails
> defaults. Can you try the following?
>
> rails new test
> cd test
> rails g scaffold product
> rake db:migrate
> rails s &
> sleep 5
> curl http://localhost:3000/products -d "a=b"
>
> Yes, most of the time we are using http authentication, oauth and
> https. When using OAuth, you either implement your own OAuth provider
> and satellite systems or just the satellite system connecting to the
> provider you want to support (such as Twitter).
>
> Do you need to do it in your current project?
>
> Regards
>
> Guilherme Silveira
> Caelum | Ensino e Inovação
> http://www.caelum.com.br/
>

Guilherme Silveira

Feb 18, 2011, 10:17:59 AM
to restfulie
Hi Ronald,

Now that's weird! :)
Ok, gem versions maybe?

I've got
rails (3.0.3, 3.0.0)

Which one are you using? I'll install the same one and try again

Guilherme Silveira
Caelum | Ensino e Inovação
http://www.caelum.com.br/

Ronald Rails

Feb 21, 2011, 9:06:31 AM
to restfulie
Hi Guilherme,

I tried again and got the same. I did these steps:

rails new curl
cd curl
rails g scaffold Post title:string
rake db:migrate
rails s
>> Open a new window
curl -i -H "Content-type: application/json" -d "{ 'post' :{'title' : 'REST is not cute URIs book'} }" "http://localhost:3000/posts"

In my log I got:

HTTP/1.1 302 Found
X-Ua-Compatible: IE=Edge
Location: http://localhost:3000/posts/1
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Date: Mon, 21 Feb 2011 13:59:59 GMT
Server: WEBrick/1.3.1 (Ruby/1.8.7/2010-01-10)
X-Runtime: 0.256795
Content-Length: 95
Cache-Control: no-cache
Set-Cookie: _curl2_session=BAh7ByIPc2Vzc2lvbl9pZCIlZWY2ZGRmMGU3NTVmNWY0NWQ3MDRiYjFhMWJiODMzYTAiCmZsYXNoSUM6JUFjdGlvbkRpc3BhdGNoOjpGbGFzaDo6Rmxhc2hIYXNoewY6C25vdGljZSIjUG9zdCB3YXMgc3VjY2Vzc2Z1bGx5IGNyZWF0ZWQuBjoKQHVzZWRvOghTZXQGOgpAaGFzaHsA--f385ab0ccb3eadbdb2a48ad12db041528506da5b; path=/; HttpOnly

<html><body>You are being <a href="http://localhost:3000/posts/1">redirected</a>.</body></html>
ricardoalmeida ruby-1.8.7 /home/rinaldi/testes/rails/curl2$


I am using Rails 3.0.3.

On 18 fev, 12:17, Guilherme Silveira
<guilherme.silve...@caelum.com.br> wrote:
> Hi Ronald,
>
> Now that's weird! :)
> Ok, gem versions maybe?
>
> I've got
> rails (3.0.3, 3.0.0)
>
> Which one are you using? I'll install the same one and try again
>
> Guilherme Silveira
> Caelum | Ensino e Inovação
> http://www.caelum.com.br/

George Guimarães

Feb 21, 2011, 12:33:46 PM
to rest...@googlegroups.com
Rails by default does not protect API requests, just HTML and JavaScript requests.

So, a request using 'application/json' will not be protected by default.

Guilherme Silveira

Feb 21, 2011, 2:20:41 PM
to rest...@googlegroups.com, George Guimarães
Hi George,

I did not see where it makes the difference between an API request and a
simple request; I probably looked at the wrong method:

      # Returns true or false if a request is verified.  Checks:
      #
      # * is it a GET request?  Gets should be safe and idempotent
      # * Does the form_authenticity_token match the given token value
      #   from the params?
      # * Does the X-CSRF-Token header match the form_authenticity_token
      def verified_request?
        !protect_against_forgery? || request.get? ||
          form_authenticity_token == params[request_forgery_protection_token] ||
          form_authenticity_token == request.headers['X-CSRF-Token']
      end

Is this the one?

Regards

Guilherme Silveira
Caelum | Ensino e Inovação
http://www.caelum.com.br/

2011/2/21 George Guimarães <george.g...@gmail.com>:

Ronald Rails

Feb 23, 2011, 11:28:32 AM
to restfulie
In the comments I saw:

"Turn on request forgery protection. Bear in mind that only non-GET,
HTML/JavaScript requests are checked."

But I didn't see where exactly this is implemented.

But thanks a lot Guilherme and George!

On 21 fev, 16:20, Guilherme Silveira
<guilherme.silve...@caelum.com.br> wrote:
> Hi George,
>
> I did not see where it makes the difference between an API request and a
> simple request; I probably looked at the wrong method:
>
>       # Returns true or false if a request is verified.  Checks:
>       #
>       # * is it a GET request?  Gets should be safe and idempotent
>       # * Does the form_authenticity_token match the given token value
> from the params?
>       # * Does the X-CSRF-Token header match the form_authenticity_token
>       def verified_request?
>         !protect_against_forgery? || request.get? ||
>           form_authenticity_token == params[request_forgery_protection_token] ||
>           form_authenticity_token == request.headers['X-CSRF-Token']
>       end
>
> Is this the one?
>
> Regards
>
> Guilherme Silveira
> Caelum | Ensino e Inovação
> http://www.caelum.com.br/
>
> 2011/2/21 George Guimarães <george.guimar...@gmail.com>:
>
> > Rails by default does not protect API requests, just HTML and JavaScript
> > requests.
> > So, a request using 'application/json' will not be protected by default.
> > https://github.com/rails/rails/blob/v3.0.4/actionpack/lib/action_cont...
>
> > ---
> > George Guimarães
> > Plataforma Tecnologia
> > http://plataformatec.com.br
>
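Ronald asks where the HTML/JavaScript-only distinction lives. As an added example (not code from this thread, from Restfulie or from Rails itself), the Ruby below models the two decision rules the thread is circling: a format whitelist, under which a POST with Content-Type: application/json is never asked for a token, next to the rule Guilherme quoted, which checks every non-GET request. The Request struct, the helper names and the sample requests are constructed for this example; the whitelist is modelled on the browser-generated content types that Rails 3.0.x trusted, not copied from Rails.

```ruby
require 'securerandom'

# Constructed stand-in for the parts of the request the check consults;
# this is not Rails' ActionDispatch::Request.
Request = Struct.new(:http_method, :content_type, :params, :headers, :xhr) do
  def get?
    http_method == 'GET'
  end
end

# Content types a browser form can produce. Under the format-whitelist rule a
# token is demanded only for these; anything else (JSON included) is waved
# through. Modelled on the browser-generated types of Rails 3.0.x.
BROWSER_GENERATED_TYPES = %w[text/html application/x-www-form-urlencoded
                             multipart/form-data text/plain].freeze

def whitelisted_by_format?(req)
  type = req.content_type.to_s.split(';').first.to_s.strip
  req.get? || req.xhr || type.empty? || !BROWSER_GENERATED_TYPES.include?(type)
end

# Rule 1: whitelist by format first, then compare the token (param or header).
def verified_by_format?(req, token)
  whitelisted_by_format?(req) ||
    token == req.params['authenticity_token'] ||
    token == req.headers['X-CSRF-Token']
end

# Rule 2: the shape Guilherme quoted. Only GET is exempt, so a JSON POST has
# to present the token like any other non-GET request.
def verified_all_non_get?(req, token)
  req.get? ||
    token == req.params['authenticity_token'] ||
    token == req.headers['X-CSRF-Token']
end

SESSION_TOKEN = SecureRandom.hex(16) # stand-in for form_authenticity_token

# Ronald's curl: a POST with Content-Type: application/json and no token.
JSON_POST = Request.new('POST', 'application/json', {}, {}, false)
# The same request with the token supplied in the X-CSRF-Token header.
JSON_POST_WITH_TOKEN = Request.new('POST', 'application/json', {},
                                   { 'X-CSRF-Token' => SESSION_TOKEN }, false)
# A plain browser form post without a token, for comparison.
FORM_POST = Request.new('POST', 'application/x-www-form-urlencoded', {}, {}, false)

if __FILE__ == $PROGRAM_NAME
  puts "format whitelist, JSON POST, no token:    #{verified_by_format?(JSON_POST, SESSION_TOKEN)}"
  puts "all non-GET checked, JSON POST, no token: #{verified_all_non_get?(JSON_POST, SESSION_TOKEN)}"
  puts "all non-GET checked, JSON POST + header:  #{verified_all_non_get?(JSON_POST_WITH_TOKEN, SESSION_TOKEN)}"
end
```

Under the first rule the JSON POST is accepted without any token, which is the behaviour George described; under the second it is accepted only once the token travels in the header or the params.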

Guilherme Silveira

Mar 1, 2011, 7:11:40 PM
to rest...@googlegroups.com, Ronald Rails
Hi guys,

I was going through another feature and came across the jQuery plugin. They
use a helper method to include the forgery protection tags; I
believe that's why they mention "javascript calls" as safe. Not that
anyone can make that call, but only someone who is using the Rails 3 helper
(= only if you yourself are doing the request from within your server?).

Regards

Guilherme Silveira
Caelum | Ensino e Inovação
http://www.caelum.com.br/
