How to destroy the session ("sign out") of a token-authenticated user

Posted on 2024-11-19 16:08:57

For Devise user models that use :token_authenticatable, like so

class Voter < ActiveRecord::Base
  devise :token_authenticatable
end

there used to be a route called destroy_user_session, so that you could log users out by linking to destroy_user_session_path. This seems to have changed in recent versions -- now only :database_authenticatable creates a destroy route for me.

So for users that use token authentication, what is the proper way to implement a "log out"/"sign out" action to end their sessions?

Comments (1)

岁月打碎记忆 2024-11-26 16:08:57

By default, when you sign in via token, Devise will store the user in session just like in the database authentication strategy.

You can disable this by setting stateless_token to true in the Devise initializer:

Devise.setup do |config|
  config.stateless_token = true
end

This way, the token must be provided with every request.


As I understand it, token authentication was designed to be used together with database authentication. devise_for will only add the session routes if your model is database_authenticatable. This seems like a minor oversight on Devise's part, but in my opinion, access tokens leaving the user in session doesn't make much sense to me to begin with.

Anyway, try to define the routes to Devise's sessions manually.

Adapted from Devise's routing helpers (untested code):

as :user do  # User scope
  resource :session, :controller => 'devise/sessions' do
    # new_user_session | GET /users/sign_in => devise/sessions#new
    get :new, :path => 'sign_in', :as => "new"

    # user_session | POST /users/sign_in => devise/sessions#create
    post :create, :path => 'sign_in'

    # destroy_user_session | GET /users/sign_out => devise/sessions#destroy
    get :destroy, :path => 'sign_out', :as => "destroy"
  end
end

In any case, the documentation for the devise_for helper specifies which routes are created and what they point to.
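
The session behaviour described in the answer above, as an added example that is not part of the original answer and not Devise's code: a simplified plain-Ruby model of a token strategy with and without session storage. The class and method names are hypothetical, and the token rotation step is an assumption that goes beyond what the answer covers.

```ruby
# Simplified model (constructed for illustration, not Devise's implementation)
# of a token strategy with and without session storage.
require 'securerandom'

class TokenAuthModel
  def initialize(stateless_token:)
    @stateless = stateless_token
    @tokens = {}  # token => user name (stands in for the users table)
  end

  def issue_token(user)
    token = SecureRandom.hex(16)
    @tokens[token] = user
    token
  end

  # Returns the authenticated user or nil. `session` is the per-browser
  # session hash; `token` is the token sent with the request, if any.
  def authenticate(session, token = nil)
    user = @tokens[token] if token
    if user
      # Session-backed mode remembers the user after a token sign-in.
      session[:user] = user unless @stateless
      return user
    end
    # Without a valid token, only the session-backed mode can still succeed.
    @stateless ? nil : session[:user]
  end

  # "Sign out" in session-backed mode: drop the stored user.
  def sign_out(session)
    session.delete(:user)
  end

  # Clearing the session leaves the token usable; replacing the token is
  # what stops the old one from authenticating (assumption of this model).
  def rotate_token(old_token)
    user = @tokens.delete(old_token)
    user && issue_token(user)
  end
end
```

In the session-backed mode a request without the token stays authenticated until `sign_out` runs, while in the stateless mode there is no stored session to destroy and the token is the only credential.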
