No nosso caso, temos a necessidade de usar o Discourse apenas como backend (mais ou menos como um CMS).
Exponho as rotas de cadastro e login usando:
skip_before_action :redirect_to_login_if_required, raise: false
skip_before_action :verify_authenticity_token, raise: false
… e permiti as rotas em api_parameter_allowed?. Na versão final, farei algum tipo de salt apenas para adicionar um pouco mais de segurança, mas isso é apenas um rascunho.
… e usei o código abaixo.
Tudo o que quero saber é se perdi algo. No futuro, provavelmente faremos login com o Google, talvez com a Apple, e esse fluxo me permitiria não abrir um navegador para os fluxos de cadastro por e-mail e login por e-mail.
I’ve figured out how to do the sign up and login all via API and hopefully everything is fine.
I use this to create a user
normalized_username = User.normalize_username(username)
rescue
normalized_username = nil
end
raise PluginError.new(:invalid_signup_username) if !normalized_username.present? || User.username_exists?(normalized_username) || User.reserved_username?(normalized_username)
# Try like this
raise PluginError.new(:invalid_signup_email) if (existing_user = User.find_by_email(email))
begin
new_user = User.new
new_user.name = first_name
new_user.email = email
new_user.password = password
new_user.username = username
new_user.active = false
new_user.approved = true
new_user.approved_by_id = -1
new_user.approved_at = DateTime.now
new_user.password_required!
new_user.save
new_user.email_tokens.create(email: email) unless new_user.email_tokens.active.exists?
if (email_token = new_user.email_tokens.active.where(email: email)&.first)
EmailToken.confirm(email_token.token, skip_reviewable: true)
end
new_user.update!(active: true)
rescue => e
raise e
end
I use this to sign up a user
new_user = self.class.commit_user_to_db(first_name, email, password, username)
raise PluginError.new(:error_creating_user_discourse) unless new_user.present? && new_user.is_a?(User) && new_user.approved?
user_api_key = UserApiKey.create!(
application_name: "#{application_name}-v#{version}",
client_id: client_id,
user_id: new_user.id,
push_url: "https://api.discourse.org/api/publish_#{platform === Constants::PLATFORMS[:ios] ? 'ios' : ''}#{platform === Constants::PLATFORMS[:android] ? 'android' : ''}",
scopes: %w[notifications session_info read write message_bus push]
)
I get the user api key using
email = params[:email]&.to_s
password = params[:password]&.to_s
return render json: PluginError.new(:invalid_login_email) unless email.present?
return render json: PluginError.new(:invalid_login_password) unless password.present?
user = User.joins(:user_emails).where({ user_emails: { email: email } })&.first
return render json: PluginError.new(:invalid_login_email) unless user.present?
return render json: PluginError.new(:invalid_login_password) unless user.confirm_password?(password)
#destroy any old keys we had for this client_id
UserApiKey.where(user_id: user.id, client_id: client_id).destroy_all
user_api_key = UserApiKey.create!(
application_name: "#{application_name}-v#{version}",
client_id: client_id,
user_id: user.id,
push_url: "https://api.discourse.org/api/publish_#{platform === Constants::PLATFORMS[:ios] ? 'ios' : ''}#{platform === Constants::PLATFORMS[:android] ? 'android' : ''}",
scopes: %w[notifications session_info read write message_bus push]
)
Is this ok from discourse POV?
Our users will never go on the website, and we want to hide it from all places.