I am developing a Rails application that will be consumed by my own mobile application. I am new to Rails and therefore feel a little lost. I want to achieve the following:
• Mobile app users should be able to log in using Facebook and invite their friends.
• Users must be authorized to call the API.
To protect the API (I have read so many posts so far), I decided to do the following:
• Use the Devise gem on the service side using token_authenticatable to authenticate the client API, that is, my mobile application.
The workflow is as follows:
• In the client application: log in using facebook and get a valid token.
• In the client application: the Facebook token is sent to the service.
• In the service: using the FB Graph API, I will make sure that the user is real.
o If they exist in my db, I will create a token for the API.
o Otherwise, I will add them to my db and create a token for the API.
In my controllers, I use before_filter :authenticate_user! but it seems to authenticate the user forever. My questions:
• Is this the best way to do this?
• What if the API token is intercepted? Will other users be able to make calls to the API using this token?
Any articles, books or other pointers will be appreciated.
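The token half of the workflow described above (issue an API token once the user has been verified, then check it on every request), as an added example that is not part of the original question and not Devise's own code. It is plain Ruby with no Rails dependency: the in-memory hash stands in for the users or api_tokens table, the Facebook Graph check is assumed to have already happened before `issue` is called, and `ApiTokenStore` and its method names are hypothetical. The points it demonstrates are the ones a practitioner would want from a token_authenticatable-style strategy: a random token from `SecureRandom`, only a SHA-256 digest of it stored server-side (so a database leak does not hand out live tokens, and lookups by digest do not leak the raw token through timing), an expiry, and explicit revocation.

```ruby
require 'securerandom'
require 'digest'
require 'time'

# Hypothetical API-token issuer/verifier, modelled on what a
# token_authenticatable-style strategy has to do. @records stands in
# for a database table keyed by the token digest.
class ApiTokenStore
  TOKEN_BYTES = 32
  DEFAULT_TTL = 24 * 60 * 60 # seconds; shorter is safer for a stolen token

  Record = Struct.new(:user_id, :expires_at, :revoked)

  def initialize(ttl: DEFAULT_TTL)
    @ttl = ttl
    @records = {} # sha256(raw token) => Record
  end

  # Called after the Facebook token has been verified against the Graph
  # API and the user has been found or created. Returns the raw token,
  # which the client sees exactly once; the server keeps only its digest.
  def issue(user_id, now: Time.now)
    raw = SecureRandom.urlsafe_base64(TOKEN_BYTES)
    @records[digest(raw)] = Record.new(user_id, now + @ttl, false)
    raw
  end

  # What a before_filter such as authenticate_user! would delegate to.
  # Returns the user id for a live token, or nil for a missing, unknown,
  # expired or revoked one. Looking up by digest means an attacker who
  # could time the comparison would learn bytes of the digest, not of
  # the token, and SHA-256 cannot be inverted to recover the token.
  def authenticate(raw, now: Time.now)
    return nil if raw.nil? || raw.empty?
    rec = @records[digest(raw)]
    return nil if rec.nil? || rec.revoked || now >= rec.expires_at
    rec.user_id
  end

  # Invalidate a token immediately (logout, or a token believed stolen).
  # Returns true if a matching record existed.
  def revoke(raw)
    rec = @records[digest(raw)]
    return false if rec.nil?
    rec.revoked = true
    true
  end

  private

  def digest(raw)
    Digest::SHA256.hexdigest(raw)
  end
end

if __FILE__ == $PROGRAM_NAME
  store = ApiTokenStore.new(ttl: 60)
  t0 = Time.now
  token = store.issue(42, now: t0)
  puts "issued token for user #{store.authenticate(token, now: t0)}"
  puts "after expiry: #{store.authenticate(token, now: t0 + 60).inspect}"
  store.revoke(token)
  puts "after revoke: #{store.authenticate(token, now: t0).inspect}"
end
```

On the interception question: nothing in the token scheme itself protects a token in transit, so the API must be served only over TLS, and the expiry and `revoke` above limit how long a token that does leak stays useful. Note also that Devise removed its built-in token_authenticatable module in version 3.1, partly because it stored tokens in plaintext and compared them in a way open to timing attacks, so in a current Devise version this logic has to be supplied by the application (or a separate gem) along the lines shown here.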