[openstreetmap/openstreetmap-website] OAuth2 support? (#1408)
mmd
notifications at github.com
Mon Oct 12 21:08:16 UTC 2020
For the sake of documenting my doorkeeper mini-proof of concept, I'm listing a few points that I thought might be worthwhile checking.
Gemfile:
```
+ gem "doorkeeper"
```
Beyond the default doorkeeper installation, I also installed:
- https://github.com/doorkeeper-gem/doorkeeper/wiki/Customizing-views
- https://github.com/doorkeeper-gem/doorkeeper/wiki/Using-PKCE-flow
- https://github.com/doorkeeper-gem/doorkeeper/wiki/Associate-users-to-OAuth-applications-(ownership)
Respective generate commands:
- rails generate doorkeeper:views
- rails generate doorkeeper:pkce
- rails generate doorkeeper:application_owner
Some migrations need an additional `safety_assured` to pass.
app/controllers/api/users_controller.rb:
Enable OAuth token check with "read" scope for details endpoint:
```ruby
class UsersController < ApiController
before_action :disable_terms_redirect, :only => [:details]
+
+ before_action -> { authorize_if_got_token! :read }, :only => [:details]
+
before_action :authorize, :only => [:details, :gpx_files]
```
app/controllers/api_controller.rb:
Some ideas taken from https://github.com/tootsuite/mastodon/blob/master/app/controllers/api/base_controller.rb#L114. It's not clear if this is a reasonable approach. Additional methods are only relevant for API endpoints.
```
+ # Find the user that owns the access token
+ def current_user
+ if doorkeeper_token
+ User.find(doorkeeper_token.resource_owner_id)
+ else
+ super
+ end
+ end
+
+ def current_resource_owner
+ @current_user ||= User.find(doorkeeper_token.resource_owner_id) if doorkeeper_token
+ end
+
+ def authorize_if_got_token!(*scopes)
+ doorkeeper_authorize!(*scopes) if doorkeeper_token
+ end
end
```
app/models/user.rb:
(changes were described on some of the doorkeeper wiki pages mentioned earlier on)
```
has_many :reports
+
+ has_many :access_grants, class_name: "Doorkeeper::AccessGrant",
+ foreign_key: :resource_owner_id,
+ dependent: :delete_all
+
+ has_many :access_tokens, class_name: "Doorkeeper::AccessToken",
+ foreign_key: :resource_owner_id,
+ dependent: :delete_all
+
+ has_many :oauth_applications, class_name: 'Doorkeeper::Application', as: :owner
```
config/routes.rb:
Use /oauth2/... to avoid interference with current oauth/ endpoints
```
OpenStreetMap::Application.routes.draw do
+ use_doorkeeper :scope => 'oauth2'
+
# API
```
doorkeeper.rb needs at least a custom implementation for:
* resource_owner_authenticator
* admin_authenticator
https://github.com/openstreetmap/openstreetmap-website/issues/1408#issuecomment-707346587
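As an added illustration (not part of mmd's comment, the openstreetmap-website patch, or doorkeeper itself), the authorization decision that the `current_user` / `authorize_if_got_token!` pair has to make for the details endpoint, modelled stand-alone in Ruby with constructed test doubles. `Token`, `USERS` and `resolve_current_user` are hypothetical names, and the 401-versus-403 split is an assumption modelled on doorkeeper's invalid-token versus insufficient-scope responses.

```ruby
# Constructed stand-in for Doorkeeper::AccessToken (hypothetical, not the gem's class).
Token = Struct.new(:resource_owner_id, :scopes, :expires_at, :revoked_at,
                   keyword_init: true) do
  # Assumed to mirror doorkeeper's accessible?: neither expired nor revoked.
  def accessible?
    (expires_at.nil? || expires_at > Time.now) && revoked_at.nil?
  end

  # Assumed to mirror doorkeeper's includes_scope?: every required scope granted.
  def includes_scope?(*required)
    required.all? { |s| scopes.include?(s.to_s) }
  end
end

# Constructed user table standing in for the User model.
USERS = { 1 => "alice", 2 => "bob" }.freeze

# Decide who the request is acting as, in the order the patch establishes:
# a bearer token (if present) is checked first, otherwise the cookie session
# (`super` in the patched current_user), otherwise the request is anonymous.
# Returns [:token, user], [:session, user], [:anonymous, nil] or [:error, status].
def resolve_current_user(doorkeeper_token:, session_user_id:, required_scopes:)
  if doorkeeper_token
    # A token that is present but expired/revoked must not fall back to the
    # session; it is rejected outright (invalid_token -> 401).
    return [:error, 401] unless doorkeeper_token.accessible?
    # A valid token without the scope the endpoint demands is forbidden
    # (insufficient_scope -> 403), even if its owner is a real user.
    return [:error, 403] unless doorkeeper_token.includes_scope?(*required_scopes)
    user = USERS[doorkeeper_token.resource_owner_id]
    # dependent: :delete_all on User should remove orphaned tokens, but a
    # token pointing at a missing user is still treated as invalid.
    return [:error, 401] unless user
    [:token, user]
  elsif session_user_id
    [:session, USERS[session_user_id]]
  else
    [:anonymous, nil]
  end
end
```

The anonymous case is the one the existing `before_action :authorize` in the controller still has to turn into a 401, since `authorize_if_got_token!` deliberately does nothing when no token is sent.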