Gape api auth example

base_api.rb

# app/controllers/api/v1/base_api.rb

class Api::V1::BaseAPI < Grape::API
  class AccessDenied < ArgumentError; end
  class InvalidToken < ArgumentError; end

  Grape::Endpoint.class_eval do
    def abilities
      @abilities ||= Six.new
    end

    def can?(action, subject)
      abilities << subject
      abilities.allowed?(current_user, action, subject)
    end

    def authorize!(action, subject = self)
      raise AccessDenied unless can?(action, subject)
    end

    def current_user
      @current_user
    end

    def authenticate_current_user!(access_token)
      @current_user = ::User.find_by! :single_access_token => access_token
    rescue ActiveRecord::RecordNotFound
      raise InvalidToken
    end
  end
end

friends_api.rb

# app/controllers/api/v1/users/friends_api.rb

class Api::V1::Users::FriendsAPI < Api::V1::BaseAPI
  namespace 'users/:user_id' do
    resource :friends do
      helpers ::Api::V1::UserHelper

      params do
        requires :access_token, :type => String
      end

      get '/' do
        authenticate_current_user! params[:access_token]
        authorize! :friends, resource_user

        friends = resource_user.friends
        present :friends, friends, :with => ::Api::V1::UserEntity
      end
    end
  end
end