I believe that I've set up everything such that single_access_token should be sufficient to pull a user's session.
The scenario is: Bob uses Firefox and creates an account on LoginUI (http:// www.coolaj86.info/loginui). Instead of using cookies, Bob's single_access_token comes in the response to the request. LoginUI submits Bob's single_access_token with every request (essentially using it as though it were the persistence token). Bob clicks 'account settings' and changes his password, but the request fails.
The request fails because the record is not found (presumably it's trying to find Bob by the persistence token rather than the single access token.
I've been very thorough in looking through the documentation, but I must be missing something. What is it that I'm neglecting?
class UsersController < ApplicationController def update # params[:user_credentials].inspect shows the correct 'xxxSingle_Access_Tokenxxx' user_hash = RegisteredUserSession.find.record user = RegisteredUser.find(user_hash) user.update(params[:user]) user.save
respond_to do |format| format.json { head :ok } end end
private def single_access_allowed? true end end
class UserSession < Authlogic::Session::Base allow_http_basic_auth = true params_key = 'user_credentials' single_access_allowed_request_types = :all end
class RegisteredUserSession < UserSession end
class User < ActiveRecord::Base set_table_name "users" attr_accessible :display_name, :email, :password
acts_as_authentic do |c| c.require_password_confirmation = false end
class << self def public_hash(obj) { :display_name => obj.display_name, :email => obj.email, :single_access_token => obj.single_access_token, :errors => obj.errors } end end end
class RegisteredUser < User attr_accessible :display_name, :email, :password
validates_presence_of :display_name validates_length_of :password, :within=>6..254
acts_as_authentic do |c| c.require_password_confirmation = false c.change_single_access_token_with_password = true c.email_field = 'email' end end