I have been experimenting with providing API for my own Rails 3 app and I implemented the OAuth-provider. With OAuth-provider, access_token is the king. Now, my idea is my users will invoke the API like:
GET requests (e.g. for listing the instances of a “Comment” resource) – curl ‘http://127.0.0.1:3000/comments.xml?access_token=4fcdab32-3777-4fc0-85fd-71f4ef5c7986’
POST requests (e.g. posting a form for creating a new comment) – curl -F “text=incredible article!” -F “access_token=4fcdab32-3777-4fc0-85fd-71f4ef5c7986” -F “article_id=1” http://127.0.0.1:3000/comments.xml
(All the requests are on SSL in production).
I implemented the Rack middleware as: https://gist.github.com/2582579 – basically, it looks at the request and sets the associated user_id in the session if the request has valid access_token.
It works well for GET requests, but fails for POST request. The session I modified in the Middleware is simply not available in ApplicationController in the same request!
I have made sure that
use ActionDispatch::Session::CookieStore appears “before” my Rack Middleware.
What confuses me is it works for GET requests and not for POST requests.
Does this make sense?
Any idea what I may be doing wrong? (Almost about to give up on Rack and resorting to before_filter …)