• in the coffee shop
  • not using their sucky bandwidth
  • using personal hotspot
  • profit
def create
    respond_to do |format|
      format.json {
        @activity =  Activity.find(params[:activity_id])
        # validate that this user is the current user...
        @user =  @activity.user
        @pomodoro = Pomodoro.new(params[:pomodoro])
        @pomodoro.activity = @activity

        respond_to do |format|
          if @pomodoro.save
            render json: @activity, status: :created, location: @activity
          else
            render json: @activity.errors, status: :unprocessable_entity
          end
        end

      }
    end
  end

Updating a new controller in pomodoro service that works on existing activities. No reason to nest this under the user, as the user can be gotten from the activity. That means that you need to verify the current user is the user making the json call.