I’m creating a web service with Rails 3.1 that requires authenticated user accounts for creating/managing content. It also requires an authorization scheme for transient ‘users’ accessing the content – they do not have accounts, but will simply provide a password furnished to them by the user who created the content in their requests.
I’m thinking the best strategy is to keep the two separate, not creating accounts for the transient users, representing them as a separate model associated with the content.
My question is whether this is something I should build from scratch, or whether I can get sufficient leverage from one of the existing authentication gems for it. And if the latter, how I would go about configuring it to manage two different strategies.
Turns out I don’t really need an authentication gem. While the implementation isn’t finished, it appears a combination of Rails 3.1’s has_secure_password and CanCan will work well for this.
Here’s Ryan Bates’s tutorial for using has_secure_password: http://asciicasts.com/episodes/270-authentication-in-rails-3-1
The idea is to use has_secure_password on both the User and Content models, and implement current_user such that it creates a transient User when the password is provided, setting a password property on that transient user. Then the implementation of the init method in CanCan’s Ability class will verify the transient user’s password against the content in a can block.
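The following is an added, stand-alone sketch of the pattern the answer describes; it is not code from the question, the answer, Rails or CanCan. To run without Rails, the `SecurePassword` module imitates the `password=`/`authenticate` surface of has_secure_password but derives the digest with PBKDF2-HMAC-SHA256 from Ruby's standard library instead of bcrypt, and the `Ability` class imitates CanCan's `can`/`can?` DSL. `current_user` is modelled as a plain method taking a session user and a params hash, which is an assumption about where the shared password arrives; every other name besides has_secure_password, CanCan, User and Content is also an assumption.

```ruby
require "openssl"
require "securerandom"

# Stand-in for has_secure_password (assumption: PBKDF2 instead of bcrypt).
module SecurePassword
  ITERATIONS = 100_000 # assumed cost; bcrypt's cost factor is the real gem's knob
  attr_reader :password_digest

  # Like has_secure_password's writer: hash on assignment, never keep the plaintext.
  def password=(plain)
    salt = SecureRandom.hex(16)
    @password_digest = "#{salt}$#{derive(plain, salt)}"
  end

  # Like has_secure_password#authenticate: returns the record on a match, false otherwise.
  def authenticate(plain)
    return false if password_digest.nil? || plain.nil?
    salt, digest = password_digest.split("$", 2)
    secure_equal?(derive(plain, salt), digest) ? self : false
  end

  private

  def derive(plain, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(plain, salt, ITERATIONS, 32, OpenSSL::Digest.new("sha256")).unpack1("H*")
  end

  # Constant-time comparison so a wrong guess does not leak how many bytes matched.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Account holder (has_secure_password on User in the answer). A transient user has no
# email and carries only the password supplied in the request.
class User
  include SecurePassword
  attr_reader :email
  attr_accessor :transient_password

  def initialize(email: nil, password: nil, transient_password: nil)
    @email = email
    self.password = password if password
    @transient_password = transient_password
  end

  def transient?
    email.nil?
  end
end

# Shared content (has_secure_password on Content in the answer): an owner plus the
# access password the owner hands to transient users.
class Content
  include SecurePassword
  attr_reader :owner

  def initialize(owner, access_password)
    @owner = owner
    self.password = access_password
  end
end

# Stand-in for a controller's current_user: the signed-in account if there is one,
# otherwise a transient User built from the supplied password (param name assumed).
def current_user(session_user, params)
  return session_user if session_user
  User.new(transient_password: params[:access_password]) if params[:access_password]
end

# Minimal imitation of CanCan::Ability: rules are (action, class, block) triples.
class Ability
  def initialize(user)
    @rules = []
    user ||= User.new # guest: transient with no password
    if user.transient?
      # The can block verifies the transient user's password against this content.
      can(:read, Content) { |c| !!c.authenticate(user.transient_password) }
    else
      can(:manage, Content) { |c| c.owner.equal?(user) }
    end
  end

  def can(action, klass, &block)
    @rules << [action, klass, block]
  end

  def can?(action, obj)
    @rules.any? { |a, klass, blk| (a == action || a == :manage) && obj.is_a?(klass) && blk.call(obj) }
  end
end

# Constructed scenario: an owner, one shared document, and four kinds of requester.
def demo
  owner = User.new(email: "alice@example.test", password: "owner-secret")
  doc = Content.new(owner, "share-me")
  {
    owner_manage:    Ability.new(current_user(owner, {})).can?(:manage, doc),
    right_pw_read:   Ability.new(current_user(nil, { access_password: "share-me" })).can?(:read, doc),
    right_pw_manage: Ability.new(current_user(nil, { access_password: "share-me" })).can?(:manage, doc),
    wrong_pw_read:   Ability.new(current_user(nil, { access_password: "nope" })).can?(:read, doc),
    guest_read:      Ability.new(current_user(nil, {})).can?(:read, doc)
  }
end
```

`demo` returns true only for the owner managing the document and for a transient user presenting the right password; the transient user with the right password still cannot manage, and a wrong or missing password grants nothing. Because the transient user's password is re-sent with every request, treat it like any other credential in the real application: send it over TLS, keep it out of URLs and logs, and never store it on the transient object beyond the request.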