Spree Commerce

Try It Now

Devise Authentication

Posted on December 21, 2010 by Sean Schofield

The edge code has just been updated to use the new Devise gem for authentication, replacing the previous solution of Authlogic. People who have been following the source code closely will recall that we attempted this switch earlier but backed away from it once we encountered various difficulties. So what made us decide to try again?

The first reason is that we were given assurances from Devise author, Jose Valim, that it would be possible to provide all of the customization options that we would require. The second reason is that we came to realize that the migration to Devise would make it easier to allow authentication via social networking services. Such work is already underway in the new spree_social gem.

We have updated the security guide in the edge documentation to reflect these recent changes as well as some new documentation on the Cancan permissions system that we introduced in the Spree 0.30.x release. Special thanks to John Brien, (Rails Dog’s newest hire), who has been working tirelessly on this effort.

Updated REST API

Posted on November 30, 2010 by Sean Schofield

The edge version of Spree has just been updated with a newly refactored implementation of the REST API. Most of these changes involve behind the scenes implementation details as well as improved test coverage. There are, however, a few non trivial changes that you should be aware of if you rely on older versions of the REST API.

New Authentication Mechanism

The most significant change to the REST API is related to authentication. The recent adoption of Devise for authentication in general has resulted in new opportunities to improve authentication for the API specifically.

Prior to Spree 0.40.x the old method of authentication was to pass an authentication token in the header. This involved using the specially designated X-SpreeAPIKey header and passing a corresponding token value. The new approach is to use standard HTTP_AUTHORIZATION which is already nicely implemented by Devise.

If you were using curl you could achieve this authentication as follows:


<p>curl -u V8WPYgRdSZN1mSQG17sK:x /<br />
http://example.com/api/orders.json</p>

Note that we are using the token as the "user name" and passing "x" as a password here. There is nothing special about "x", its just a placeholder since many HTTP Basic Authentication implementations require a password to be submitted. In our case the token is sufficient so we use a placeholder for the password.

Support for .json Suffix

It is now recommended that you consider using a .json suffic in your URL when communicating via the REST API. This is technically not a new feature – it was always possible in older versions of the REST API. We’ve updated the documentation to suggest this simpler apporach (which avoids the necessity of passing Accept:application/json in the header.)


<p>curl -u V8WPYgRdSZN1mSQG17sK:x http://example.com/api/orders.json</p>

Spree 0.30.1 Released

Posted on November 17, 2010 by Sean Schofield

Spree 0.30.1 has been officially released. This is a minor patch release that addresses some minor bugs in the previous 0.30.0 release. It also fixes some recent issues with a new restriction on routes introduced by Rails 3.0.2. For a complete list of changes, please see the Github compare.

Spree 0.30.0 Released

Posted on November 09, 2010 by Sean Schofield

The Spree team is proud to (finally) announce the release of Spree 0.30.0. Spree is now officially compatible with Rails 3.x after almost five months of relentless work. In addition to Rails 3 support, we took this opportunity to refactor a lot of the internals and to improve our test coverage.

According to the Github
compare
, this
release consisted of 666 distinct commits by 25 different authors and
touching 2,609 different files. The number of files is a bit overstated
because we moved almost every file in the project as we reorganized
things – but still, there were a ton of changes in this release. The
official release
notes
are available on the Spree site.

I want to thank everyone in the Spree community – especially those that contributed code and patches for the release. It took a lot longer than we wanted but we also took a huge step towards a more solid and standards-based foundation. Don’t worry, we won’t be resting after this release either. We’re looking to drop some major authentication improvements this month as well as to roll out 0.30.x compatible versions of several extensions. We’ve also started work on the new "social" extensions as promised.