doorkeeper
doorkeeper
Doorkeeper Guides
Ruby on Rails
Getting Started
Routes
Configuration
Scopes
Securing the API
API Mode
PKCE Flow
Grape
Grape
ORMs
Active Record
MongoDB
Sequel
Couchbase
Internals
Database Design
Internationalization (i18n)
Rake
Cleaning Up
Testing
Upgrading
Concepts
Application
Resource Owner
Access Grant
Access Token
Security
Token and Application Secrets
Configuration
Scopes
Skip Authorization
Other Configurations
Route Constraints and other integrations
Powered by GitBook

Securing the API

To protect your controllers (usual one or ActionController::API) with OAuth, you just need to setup before_actions specifying the actions you want to protect. For example:

class Api::V1::ProductsController < Api::V1::ApiController
  before_action :doorkeeper_authorize! # Requires access token for all actions
  
  # before_action -> { doorkeeper_authorize! :read, :write }
  # your actions
end

You can pass any option before_action accepts, such as if, only, except, and others.

Authenticated resource owner

If you want to return data based on the current resource owner, in other words, the access token owner, you may want to define a method in your controller that returns the resource owner instance:

class Api::V1::CredentialsController < Api::V1::ApiController
  before_action :doorkeeper_authorize!
  respond_to    :json
  # GET /me.json
  def me
    respond_with current_resource_owner
  end
  private
  # Find the user that owns the access token
  def current_resource_owner
    User.find(doorkeeper_token.resource_owner_id) if doorkeeper_token
  end
end

In this example, we're returning the credentials (me.json) of the access token owner.

Ruby on Rails - Previous
Scopes
Next - Ruby on Rails
API Mode
Last updated 8 months ago
Edit on GitHub