UPDATE:就像@DustMason 在他的回答中所说的那样，看看很棒的 embercasts 用于身份验证***实践.

UPDATE: Like @DustMason says in his answer, check out the awesome embercasts for authentication best-practices.

• 客户端身份验证第一部分
• 客户端身份验证第二部分

为了将视图(Ember 应用程序)与服务器(Rails 应用程序)完全分开，我想使用令牌身份验证.我可能会在 Rails 服务器上使用 Devise.

In order to completely separate the view (Ember app) from the server (Rails app) I want to use token authentication. I will likely use Devise on the Rails server.

有道理.

我需要在 Ember 应用程序中使用类似 before_filter 之类的东西，我可以在其中检查是否有当前用户以及该用户是否设置了身份验证令牌.

I need something like a before_filter equivalent in the Ember app where I can check if there is a current user and if that user has an authentication token set.

你可以在路由上添加一个 enter 钩子，这大致相当于一个 before_filter.但不确定这是检查身份验证令牌的***位置.

You can add an enter hook on routes, this is roughly equivalent to a before_filter. But not sure that's the best place to check for an auth-token.

Rails 服务器将在每次调用时返回当前的身份验证令牌.

The Rails server will return the current auth token on every call.

有道理.我们使用 cookie-auth 并通过调用 /api/me 获取当前用户配置文件，但两者都应该可以工作.

Makes sense. We use cookie-auth and fetch current user profile by calling /api/me but either should work.

如果它返回一个空身份验证令牌，Ember 应用程序应该检测到这一点并转换到未经身份验证的状态，重定向到登录视图.

If it returns a null auth token the Ember app should detect this and transition to the unauthenticated state, redirecting to the login view.

这种方法的问题在于(与 rails 不同)保护"对特定 ember 路线的访问并不容易.并且无论用户如何总是可以弹出打开的 JS 控制台并输入他们想要的任何状态.因此，不要考虑只有经过身份验证的用户才能进入此状态"，而要考虑如果未经身份验证的用户以某种方式导航到此路线会怎样"

Thing about this approach is that (unlike rails) it's not easy to "protect" access to a particular ember routes. And no matter what a user can always pop open JS console and enter whatever state they want. So instead of thinking "user can only get into this state if authenticated" consider "what if unauthenticated user somehow navigates to this route"

我怀疑我应该为此使用 Ember 状态机，但我不确定如何继续.有人解决过这个问题吗?

I suspect I should be using an Ember state machine for this but I'm not sure how to proceed. Anyone tackled this problem yet?

我们的身份验证需求非常简单，因此我们还没有发现对状态机的需求.相反，我们在 ApplicationController 上有一个 isAuthenticated 属性.当用户未通过身份验证时，我们在 application.hbs 中使用此属性将主视图替换为登录表单.

Our auth needs are pretty simple so we've not found the need for a state machine. Instead we have an isAuthenticated property on ApplicationController. We use this property in application.hbs to replace the main view with a login form when a user is not authenticated.

{{if isAuthenticated}}
  {{render "topnav"}}
  {{outlet}}
{{else}}
  {{render "login"}}
{{/if}}

从 ApplicationRoute，我们获取用户配置文件:

From ApplicationRoute, we fetch user profile:

App.ApplicationRoute = Ember.Route.extend({
  model: function() {
    var profiles;
    profiles = App.Profile.find({ alias: 'me' });
    profiles.on("didLoad", function() {
      return profiles.resolve(profiles.get("firstObject"));
    });
    return profiles;
  }
});

然后我们的 ApplicationController 根据返回的配置文件计算它的 isAuthenticated 属性.

Then our ApplicationController computes it's isAuthenticated property based on the profile that was returned.