Since no one seems to have any suggestions, this is what I have come up with so far. I do not think this is very good.
I added an API key to the user model, which is created when the user first authenticates:
```ruby
require 'securerandom'

class User
  include DataMapper::Resource
  property :id,         Serial,   :key => true
  property :uid,        String
  property :name,       String
  property :nickname,   String
  property :created_at, DateTime
  # Second key column, so User.get(id, api_key) below can look up by both.
  property :api_key,    String,   :key => true
end
```

....

```ruby
get '/auth/:name/callback' do
  auth = request.env["omniauth.auth"]
  # Look up by provider uid; on first login create the user and mint their API key.
  user = User.first_or_create(
    { :uid => auth["uid"] },
    { :uid        => auth["uid"],
      :nickname   => auth["info"]["nickname"],
      :name       => auth["info"]["name"],
      :api_key    => SecureRandom.hex(20),
      :created_at => Time.now }
  )
  session[:user_id] = user.id
  session[:api_key] = user.api_key
  flash[:info] = "Welcome, #{user.name}"
  redirect "/success/#{user.id}/#{user.api_key}"
end
```
If authorization works, api_key is delivered to an Android application, which, presumably, will store it on the device somewhere:
```ruby
require 'json'

# :check => :valid_key? runs the condition registered below before the route body.
get '/success/:id/:api_key', :check => :valid_key? do
  user = User.get(params[:id], params[:api_key])   # composite-key lookup
  if user && user.api_key == params[:api_key]      # guard: get returns nil on no match
    content_type :json
    { 'api_key' => user.api_key }.to_json
  else
    error 401
  end
end
```
All API calls are protected as in the link in my original post:
```ruby
# Route condition: `:check => :valid_key?` on a route calls the named helper in
# request scope and halts with 401 unless it returns true.
register do
  def check(name)
    condition do
      error 401 unless send(name) == true
    end
  end
end

helpers do
  # True when some user holds the presented key; a missing or blank param never matches.
  def valid_key?
    key = params[:api_key]
    return false if key.nil? || key.empty?
    !User.first(:api_key => key).nil?
  end
end
```
For general use, I will only allow SSL connections to the server. Any suggestions for improvement are welcome.
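As an added example, not code from the post above: the same issue-and-validate scheme in plain Ruby with a constructed in-memory stand-in for the User table, extended in two ways a reviewer would ask for, storing only a SHA-256 digest of the key (so a copied table yields no usable keys) and comparing digests in fixed time. `USERS`, `issue_api_key`, `user_for_key` and `secure_equal?` are names chosen here, not DataMapper or Sinatra APIs.

```ruby
require 'securerandom'
require 'digest'

# Constructed stand-in for the DataMapper User table: uid => attributes.
# Only the digest of the key is kept, never the key itself.
USERS = {}

# Mirrors the callback route: mint SecureRandom.hex(20) on first login.
# The plaintext key is returned exactly once, for delivery to the client.
def issue_api_key(uid, name)
  key = SecureRandom.hex(20)
  USERS[uid] = {
    :id             => USERS.size + 1,
    :name           => name,
    :api_key_digest => Digest::SHA256.hexdigest(key)
  }
  key
end

# Length-checked, fixed-time string comparison (no early exit on first mismatch).
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Counterpart of the valid_key? helper: the user holding the presented key, or nil.
# Blank input is rejected before any lookup so an empty param cannot match anything.
def user_for_key(presented)
  return nil if presented.nil? || presented.empty?
  digest = Digest::SHA256.hexdigest(presented)
  USERS.values.find { |u| secure_equal?(u[:api_key_digest], digest) }
end

# Counterpart of the /success/:id/:api_key check: key must be valid AND belong to :id.
def success_for?(id, presented)
  user = user_for_key(presented)
  !user.nil? && user[:id] == id.to_i
end
```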