doorkeeper
Search…
Doorkeeper Guides
Ruby on Rails
Getting Started
Routes
Configuration
Scopes
Securing the API
API Mode
PKCE Flow
Polymorphic Resource Owner
Grape
Grape
ORMs
Active Record
MongoDB
Sequel
Couchbase
Internals
Database Design
Internationalization (i18n)
Rake
Testing
Upgrading
Creating extensions
Concepts
Application
Resource Owner
Access Grant
Access Token
Security
Token and Application Secrets
Configuration
Models
Scopes
Skip Authorization
Other Configurations
Route Constraints and other integrations
Powered By GitBook
Securing the API
To protect your controllers (usual one or ActionController::API) with OAuth, you just need to setup before_actions specifying the actions you want to protect. For example:
1
class Api::V1::ProductsController < Api::V1::ApiController
2
before_action :doorkeeper_authorize! # Requires access token for all actions
3
4
# before_action -> { doorkeeper_authorize! :read, :write }
5
6
# your actions
7
end
Copied!
You can pass any option before_action accepts, such as if, only, except, and others.

Authenticated resource owner

If you want to return data based on the current resource owner, in other words, the access token owner, you may want to define a method in your controller that returns the resource owner instance:
1
class Api::V1::CredentialsController < Api::V1::ApiController
2
before_action :doorkeeper_authorize!
3
respond_to :json
4
5
# GET /me.json
6
def me
7
respond_with current_resource_owner
8
end
9
10
private
11
12
# Find the user that owns the access token
13
def current_resource_owner
14
User.find(doorkeeper_token.resource_owner_id) if doorkeeper_token
15
end
16
end
Copied!
In this example, we're returning the credentials (me.json) of the access token owner.
Ruby on Rails - Previous
Scopes
Next - Ruby on Rails
API Mode
Last modified 2yr ago
Copy link