To protect your controllers (a regular one or `ActionController::API`) with OAuth, you just need to set up `before_action`s specifying the actions you want to protect. For example:
```ruby
class Api::V1::ProductsController < Api::V1::ApiController
  before_action :doorkeeper_authorize! # Requires access token for all actions
  # before_action -> { doorkeeper_authorize! :read, :write }

  # your actions
end
```
You can pass any option `before_action` accepts, such as `if`, `only`, `except`, and others.
If you want to return data based on the current resource owner, that is, the owner of the access token, define a method in your controller that returns the resource owner instance:
```ruby
class Api::V1::CredentialsController < Api::V1::ApiController
  before_action :doorkeeper_authorize!
  respond_to :json

  # GET /me.json
  def me
    respond_with current_resource_owner
  end

  private

  # Find the user that owns the access token
  def current_resource_owner
    User.find(doorkeeper_token.resource_owner_id) if doorkeeper_token
  end
end
```
In this example, we're returning the credentials (`me.json`) of the access token owner.