Rails e Post Method
Ronald Rails
When I run this command:
curl -i -H "Content-type: application/json" -d "{ ’item’ :{’name’ :
’REST is not cute URIs book’, ’price’ : 100 } }" "http://localhost:
3000/items"
Should'nt Rails reject the request because the security token is not
in the request? How does this works?
Guilherme Silveira
You are right, if you keep on the security token, Rails will complain
about it and not allow your resources to be accessed.
So in order to create services that are supposed to be accessed by
anyone at anytime, the security token must be disactivated.
If you need to restrain access to a resource operation, REST
authentication and authorization is usually not done through (Rails
specific) security token. Devs will usually pick OAuth... there is
still a token in place but its a more well known approach.
What do you think?
Regards
Guilherme Silveira
Caelum | Ensino e Inovação
http://www.caelum.com.br/
Ronald Rails
I thought that Restfulie did some monkey path in order Rails allow
requests without security token, But I made a test with an application
wihout Restfulie, and when I post some data using Curl, the resources
are created. Do you know why this happen?
Now a days, OAuth is the best way to implement authentication and
authorization when we are using REST ?
Thanks!
On 15 fev, 18:20, Guilherme Silveira
> Hi there,
>
> You are right, if you keep on the security token, Rails will complain
> about it and not allow your resources to be accessed.
> So in order to create services that are supposed to be accessed by
> anyone at anytime, the security token must be disactivated.
>
> If you need to restrain access to a resource operation, REST
> authentication and authorization is usually not done through (Rails
> specific) security token. Devs will usually pick OAuth... there is
> still a token in place but its a more well known approach.
>
> What do you think?
>
> Regards
>
> Guilherme Silveira
Guilherme Silveira
I don't know about the curl, I believe it should not work on Rails
defaults. Can you try the following?
rails new test
cd test
rails g scaffold product
rake db:migrate
rails s &
sleep 5
curl http://localhost:3000/products -d "a=b"
Yes, most of the time we are using http authentication, oauth and
https. When using OAuth, you either implement your own OAuth provider
and satellite systems or just the satellite system connecting to the
provider you want to support (such as Twitter).
Do you need to do it in your current project?
Regards
Guilherme Silveira
Caelum | Ensino e Inovação
http://www.caelum.com.br/
Ronald Rails
I did you test and Rails insert a register when I execute Curl.
I got: AREL (0.3ms) INSERT INTO "products" ("created_at",
"updated_at") VALUES ('2011-02-18 13:37:50.126481', '2011-02-18
13:37:50.126481')
Do you know why this happen?
On Feb 16, 12:27 pm, Guilherme Silveira
> Hi Ronald,
>
> I don't know about the curl, I believe it should not work on Rails
> defaults. Can you try the following?
>
> rails new test
> cd test
> rails g scaffold product
> rake db:migrate
> rails s &
> sleep 5
> Yes, most of the time we are using http authentication, oauth and
> https. When using OAuth, you either implement your own OAuth provider
> and satellite systems or just the satellite system connecting to the
> provider you want to support (such as Twitter).
>
> Do you need to do it in your current project?
>
> Regards
>
> Guilherme Silveira
Guilherme Silveira
Now thats weird! :)
Ok, gem versions maybe?
I've got
rails (3.0.3, 3.0.0)
Which one are you using? Ill install the same one and try again
Guilherme Silveira
Caelum | Ensino e Inovação
http://www.caelum.com.br/
Ronald Rails
I try again, and got the same. I did this steps:
rails new curl
cd curl
rails g scaffold Post title:string
rails s
curl -i -H "Content-type: application/json" -d "{ ’post’ :{’title’ :
’REST is not cute URIs book’} }" "http://localhost:3000/posts"
In my log I got:
HTTP/1.1 302 Found
X-Ua-Compatible: IE=Edge
Location: http://localhost:3000/posts/1
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Date: Mon, 21 Feb 2011 13:59:59 GMT
Server: WEBrick/1.3.1 (Ruby/1.8.7/2010-01-10)
X-Runtime: 0.256795
Content-Length: 95
Cache-Control: no-cache
Set-Cookie:
_curl2_session=BAh7ByIPc2Vzc2lvbl9pZCIlZWY2ZGRmMGU3NTVmNWY0NWQ3MDRiYjFhMWJiODMzYTAiCmZsYXNoSUM6JUFjdGlvbkRpc3BhdGNoOjpGbGFzaDo6Rmxhc2hIYXNoewY6C25vdGljZSIjUG9zdCB3YXMgc3VjY2Vzc2Z1bGx5IGNyZWF0ZWQuBjoKQHVzZWRvOghTZXQGOgpAaGFzaHsA--
f385ab0ccb3eadbdb2a48ad12db041528506da5b; path=/; HttpOnly
<html><body>You are being <a href="http://localhost:3000/posts/
1">redirected</a>.</body></html>ricardoalmeida ruby-1.8.7 /home/
rinaldi/testes/rails/curl2$
I am using Rails 3.0.3.
On 18 fev, 12:17, Guilherme Silveira
<guilherme.silve...@caelum.com.br> wrote:
> Hi Ronald,
>
> Ok, gem versions maybe?
>
> I've got
> rails (3.0.3, 3.0.0)
>
> Which one are you using? Ill install the same one and try again
>
> Guilherme Silveira
George Guimarães
Guilherme Silveira
I did not see where it makes the difference between API request/simple
request, I probably looked on the wrong method:
# Returns true or false if a request is verified. Checks:
#
# * is it a GET request? Gets should be safe and idempotent
# * Does the form_authenticity_token match the given token value
from the params?
# * Does the X-CSRF-Token header match the form_authenticity_token
def verified_request?
!protect_against_forgery? || request.get? ||
form_authenticity_token == params[request_forgery_protection_token] ||
form_authenticity_token == request.headers['X-CSRF-Token']
end
Is this the one?
Regards
Guilherme Silveira
Caelum | Ensino e Inovação
http://www.caelum.com.br/
2011/2/21 George Guimarães <george.g...@gmail.com>:
Ronald Rails
"Turn on request forgery protection. Bear in mind that only non-GET,
HTML/JavaScript requests are checked."
But I didnt see where exactly this is implemented.
But thanks a lot Guilherme and George!
On 21 fev, 16:20, Guilherme Silveira
> Hi George,
>
> I did not see where it makes the difference between API request/simple
> request, I probably looked on the wrong method:
>
> # Returns true or false if a request is verified. Checks:
> #
> # * is it a GET request? Gets should be safe and idempotent
> # * Does the form_authenticity_token match the given token value
> from the params?
> # * Does the X-CSRF-Token header match the form_authenticity_token
> def verified_request?
> !protect_against_forgery? || request.get? ||
> form_authenticity_token == params[request_forgery_protection_token] ||
> form_authenticity_token == request.headers['X-CSRF-Token']
> end
>
> Is this the one?
>
> Regards
>
> Guilherme Silveira
> Caelum | Ensino e Inovaçãohttp://www.caelum.com.br/
>
> > Rails by default does not protect API requests, just HTML and javascript
> > requests.
> > So, a request using 'application/json' will not be protect by default.
Guilherme Silveira
I was through another feature and came across the jquery plugin. They
use the a helper method to include the forgery protection tags, I
believe thats why they mention "javascript calls" as safe. Not that
anyone can make that call, but anyone who is using the rails 3 helper
(= only if you, yourself is doing the request within your server?).
Regards
Guilherme Silveira
Caelum | Ensino e Inovação
http://www.caelum.com.br/