I'm still fresh in Rails, so this question might be trivial.
Rails app explanation
- Rails 7
- Ruby 3.1.2
- Devise (API and web)
I've got a Rails 7 app which is a single-page dashboard app that uses Devise to log in users and show data from a third-party PHP API app. The idea is that the PHP app sends a POST request to my Rails 7 app to create a user. Under the hood the Rails app creates the user and, in the response, sends the user_id and a reset-password link for the newly created user; the PHP app uses this link to email the user (I know Devise can handle this, but that's the requirement). After the user receives the email, they can change their password and log into the Rails app.
Problem explanation
I want to give the ability to create a user in the Rails app via a POST request made from the PHP app. The issue here is that I'm not sure if I can leave this POST endpoint public. It seems that I am exposing myself to an easy attack. I would like to implement an API key which will be attached to the request, probably inside the headers.
My controller looks super simple:

```ruby
class Api::V1::UsersController < ActionController::API
  # POST /api/v1/users - called by the PHP app, currently with no authentication
  def create
    user = User.new(email: user_params[:email], password: user_params[:password])
    if user.save
      render(json: {
        user: {
          id: user.id,
          email: user.email,
          devise_link: 'some_link', # placeholder for the reset-password link
        },
      })
    else
      render(json: { error: user.errors.full_messages }, status: :unprocessable_entity)
    end
  end

  private

  def user_params
    params.permit(:email, :password)
  end
end
```
I have read a lot, truly a lot, of articles on how to set up OAuth or OAuth2, but none of them seem suitable for my simple case, because I only want to protect the endpoint for user creation. I tried to use Doorkeeper (which will probably be the best fit for me in the near future), but again, the example in the provided docs doesn't look like it fits my simple case.
Should I leave this endpoint public or does Rails have some gem that supports my case?
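For the header-based API key described in the question, here is an added, stand-alone Ruby sketch (not code from the question or from Devise/Doorkeeper) of the check a `before_action` could run before `create` touches `User.new`. It assumes a hypothetical `X-Api-Key` header and that the Rails side stores only a SHA-256 digest of the shared key (in Rails you would read the header via `request.headers["X-Api-Key"]` and the digest from credentials or ENV); the plain Hash and the `create_user` function stand in for the request and the controller action.

```ruby
require "digest"
require "securerandom"

# The Rails side stores only a digest of the shared key, so a leaked config
# or database row does not hand out the key itself. (Constructed example.)
def key_digest(raw_key)
  Digest::SHA256.digest(raw_key)
end

# Constant-time equality over two same-length byte strings. Comparing digests
# keeps the length fixed no matter what the caller sent, so the early length
# check does not leak anything about the real key.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns :ok when the X-Api-Key header matches the stored digest, otherwise a
# reason symbol so the caller can render 401 before doing any work.
def authenticate_api_key(headers, stored_digest)
  presented = headers["X-Api-Key"]
  return :missing_key if presented.nil? || presented.empty?
  secure_compare(key_digest(presented), stored_digest) ? :ok : :bad_key
end

# Stand-in for the controller action: the guard runs first, so an
# unauthenticated POST never reaches user creation. Hypothetical return shape
# [status, body] mirroring the JSON in the question.
def create_user(headers, params, stored_digest)
  auth = authenticate_api_key(headers, stored_digest)
  return [401, { error: "unauthorized" }] unless auth == :ok
  return [422, { error: ["Email can't be blank"] }] if params[:email].to_s.empty?
  [201, { user: { id: 1, email: params[:email], devise_link: "some_link" } }]
end

# Demo with a constructed key; in Rails keep the real key out of source control.
if __FILE__ == $PROGRAM_NAME
  key = SecureRandom.hex(32)
  stored = key_digest(key)
  p create_user({ "X-Api-Key" => key }, { email: "a@example.com" }, stored)
  p create_user({ "X-Api-Key" => "wrong" }, { email: "a@example.com" }, stored)
  p create_user({}, { email: "a@example.com" }, stored)
end
```

Rails also ships `authenticate_or_request_with_http_token` (include `ActionController::HttpAuthentication::Token::ControllerMethods` in an `ActionController::API` controller) if you prefer an `Authorization: Token` header over a custom one; the digest-and-compare logic is the same.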