ambition/app/controllers/sessions_controller.rb


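# Session endpoints: log in (create), log out (destroy) and render the
# current session view (show). The signed-in user is tracked through
# session[:user_id].
class SessionsController < ApplicationController
  # Every action except login (create) requires an authenticated session.
  before_action :authenticate, except: [:create]

  # NOTE(review): CSRF token verification is switched off for create, destroy
  # and show. If the session travels in a browser cookie, login and logout can
  # then be triggered by cross-site requests. Left unchanged because existing
  # clients may rely on it; confirm they really cannot send the token before
  # keeping the skip.
  skip_before_action :verify_authenticity_token, only: [:create, :destroy, :show]

  # Log in with params[:email] and params[:password].
  #
  # Responds 200 with body 'ok' on success and 401 with a generic message on
  # failure; the failure message is the same for an unknown email and a wrong
  # password.
  #
  # NOTE(review): no attempt throttling or lockout is visible in this
  # controller, and the password check only runs when the email matches a
  # user, so response timing may differ between known and unknown emails.
  # Confirm both are handled elsewhere.
  def create
    # Coerce to String so an array or nested parameter cannot change the shape
    # of the lookup, and a missing email cannot match a row with a NULL email.
    user = User.find_by(email: params[:email].to_s)

    # user.authenticate is presumably has_secure_password's check; verify
    # against the User model.
    if user && user.authenticate(params[:password].to_s)
      # Start from a fresh session so an identifier that existed before login
      # is never promoted to an authenticated one (session fixation).
      reset_session
      session[:user_id] = user.id
      render status: :ok, text: 'ok'
    else
      render status: :unauthorized, text: 'account or password is not correct'
    end
  end

  # Log out: discard the whole session, not only :user_id, so no per-user
  # state outlives the login. Responds 200 with no body.
  def destroy
    reset_session
    # Presumably the memo used by the authenticate filter; clear it so the
    # rest of this request no longer sees a signed-in user.
    @current_user = nil
    render status: :ok, nothing: true
  end

  # Render the 'show' template; reachable only when authenticated.
  def show
    render 'show'
  end
end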