API Authentication Definition

I am working on a Rails web application that also provides a JSON-based API for mobile devices. It is expected that mobile clients will first receive a token with (email / pass), then clients will make subsequent API calls with a token.

I am new to Devise and I am looking for a Devise API similar to authenticate(email, pass) and expect it to return true / false, then based on this I will either create and return a token, or return a failure message, but it seems like Devise does not provide something like this.

I know that Devise 1.3 provides JSON-based authentication, but this is slightly different from what I need - I need to generate a token and process it back to the client, and then, after the authentication is completed, use the token.

Can someone please give some pointers?

+45
json ruby api ruby-on-rails devise
Sep 30 '11 at 18:55
4 answers

There is a Devise configuration called :token_authenticatable. So, if you add this to the devise method in your "user", then you can authenticate with your API just by calling

 "/api/v1/recipes?qs=sweet&auth_token=[@user.auth_token]" 

You probably want this for your user too:

 before_save :ensure_authentication_token 

UPDATE (with API authorization code)

The method you are looking for:

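 resource = User.find_for_database_authentication(:login => params[:user_login][:login])
 # find_for_database_authentication returns nil for an unknown login, so guard the password check
 resource && resource.valid_password?(params[:user_login][:password])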

Here is my point with full-blown JSON / API login using Devise.

+48
Sep 30 '11 at 19:36
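
The flow asked for in the question and sketched in the answer above (look the user up, check the password, then hand out a token), as an added example in plain Ruby that is not code from the post or from Devise. The `User` class is a constructed in-memory stand-in, and `find_by_token`, `issue_token!` and the PBKDF2 password hash are assumptions of this sketch; only a SHA-256 digest of each token is kept server-side.

```ruby
require 'securerandom'
require 'digest'
require 'openssl'

# Constructed in-memory stand-in for a Devise-backed User model (hypothetical).
class User
  USERS = {} # email => User; a database table in a real application
  attr_reader :email, :token_digest
  def initialize(email, password)
    @email = email.downcase
    @salt = SecureRandom.random_bytes(16)
    @password_hash = kdf(password)
    USERS[@email] = self
  end

  # Same role as Devise's finder: returns the matching user or nil.
  def self.find_for_database_authentication(conditions)
    USERS[conditions[:email].to_s.downcase]
  end

  # Looks up a presented token by its digest; the raw token is never stored.
  def self.find_by_token(token)
    digest = Digest::SHA256.hexdigest(token.to_s)
    USERS.values.find { |user| user.token_digest == digest }
  end

  # Same role as Devise's valid_password? (Devise uses bcrypt; PBKDF2 is an assumption).
  def valid_password?(password)
    pairs = kdf(password.to_s).bytes.zip(@password_hash.bytes)
    pairs.reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero? # constant-time compare
  end

  # Creates a fresh random token, keeps only its SHA-256 digest, returns the token once.
  def issue_token!
    SecureRandom.urlsafe_base64(32).tap { |t| @token_digest = Digest::SHA256.hexdigest(t) }
  end

  private def kdf(password)
    OpenSSL::PKCS5.pbkdf2_hmac(password, @salt, 10_000, 32, OpenSSL::Digest.new('SHA256'))
  end
end

# The authenticate(email, pass) call the question asks for: a token on success, nil otherwise.
def authenticate(email, password)
  user = User.find_for_database_authentication(:email => email)
  return nil unless user && user.valid_password?(password)
  user.issue_token!
end
User.new('alice@example.com', 'passw0rd') # constructed sample account
```

In a Rails controller, the login action would call `authenticate` and a `before_action` on the protected endpoints would call `User.find_by_token`.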

I would recommend reading the Devise Wiki, as Devise initially supports token authentication as one of its modules. I personally have not worked with token authentication in Devise, but Brandon Martin has a token validation example here.

+2
Sep 30 '11 at 19:09

Devise is based on Warden, an authentication middleware for Rack.

If you need to implement your (alternative) way of user authentication, you should take a look at Warden in combination with the strategies that come with Devise: https://github.com/plataformatec/devise/tree/master/lib/devise/strategies

+1
Sep 30 '11 at 19:09

If the auth token is simply not what you want to do, you can also return the cookie and have the client include it in the request header. It is very similar to a web session controller.

In the API Interface

 class Api::V1::SessionsController < Devise::SessionsController
   skip_before_action :authenticate_user!
   # The CSRF token check is skipped for this JSON endpoint
   skip_before_action :verify_authenticity_token

   def create
     warden.authenticate!(:scope => :user)
     render :json => current_user
   end
 end

In routes

 namespace :api, :defaults => { :format => 'json' } do
   namespace :v1 do
     resource :account, :only => :show
     devise_scope :user do
       post :sessions, :to => 'sessions#create'
       delete :session, :to => 'sessions#destroy'
     end
   end
 end

Then you can do such things (examples use HTTPie)

 http -f POST localhost:3000/api/v1/sessions user[email]=user@email.com user[password]=passw0rd 

Response headers will have a session in the Set-Cookie header. Put this value in subsequent queries.

 http localhost:3000/api/v1/restricted_things/1 'Cookie:_my_site_session=<sessionstring>; path=/; HttpOnly' 

0
Oct. 21 '14 at 5:40