Fantastic video Chris!
Question: Is this what websites use when you get an email from them for, say, updating your password, and when you click the link in the email it takes you directly to your user account without having to log in at all? (Assuming that your cookies haven't recently been cleared and the browser isn't using those.)
Exactly! Devise uses a "reset_password_token" that gets sent over email to you. When you click the link, the token is in the URL and then gets put in the new password form. When you submit the form, it looks up your user by that token and then updates your password and signs you in.
So slick, and relatively easy to do. Makes you wonder why some sites (big retail ones) have such crappy implementations of this type of thing.
Doesn't that get a bit dangerous if the user forwards their email to someone else? We had a scenario where an HR manager was forwarding an email to people in their team, which then got emailed to people in the business. Before you know it, people are logging in as the HR manager and could potentially see salary information, etc.
Is this why we expire tokens for the ones sent out in emails, etc.?
Definitely wise to have expirations on tokens. Also, you will probably want to tell your users to keep the token secret (like don't commit it into a git repo, for example). There's not much of a way around that because any API token is going to let you access the site on behalf of a user, since that's what they are designed for. Just want to make sure to educate users to protect their tokens just like they would their password.
Thanks for a great article! I've been looking for something like this for a while. Something I would love if someone could cover is also how to use my Rails app as a backend for my mobile app. This would go a long way, of course, but how do you log in via a Rails API the first time when you might not have this token saved? This is a question I have been looking for an answer to for a while.
I have a user created with the authentication token from my web sign-up flow, now how do I check for a valid user_id and password combination from my mobile login flow?
Once I have the auth_token, I can make all the requests, but I am unable to do that.
Usually you will want your mobile app to submit the email/username and password to the sign-in endpoint in JSON format. You can then have the sign-in return you JSON for the user, namely the auth_token. That way your mobile app can create its own form, submit the login request, and if it's successful, you can receive JSON for the API key.
That totally makes sense. However, I am not sure how to handle the request from the mobile client and search for the user to respond back with the API key. I tried creating a sessions controller to handle this, but that does not work. Any thoughts on what I am doing wrong?
Looks like you're on the right track. Step through that and make sure each piece is running like you expect. I would imagine it's something simple in there that's not working right.
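An added example, not code from the video, from Devise or from any commenter: a plain-Ruby, in-memory sketch of the two flows discussed in this thread, the reset_password_token lifecycle with an expiry and single use (the concern about forwarded emails), and a JSON sign-in endpoint that returns an auth_token to a mobile client and checks it on later requests. The class and field names, the TTL values, the PBKDF2 parameters and the JSON shapes are assumptions; in a real Rails app the User part lives in a model and TokenAuth in a sessions controller.

```ruby
require 'securerandom'
require 'digest'
require 'openssl'
require 'json'

RESET_TOKEN_TTL = 6 * 60 * 60        # assumed value: reset links die after six hours
AUTH_TOKEN_TTL  = 30 * 24 * 60 * 60  # assumed value: API tokens die after thirty days

# Constant-time string comparison so token lookups do not leak through timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

class User
  attr_reader :email
  attr_accessor :reset_token_digest, :reset_sent_at, :auth_token_digest, :auth_token_issued_at

  def initialize(email, password)
    @email = email.downcase
    self.password = password
  end

  # Only a salted PBKDF2 digest is kept; the password itself is never stored.
  def password=(plain)
    @salt = SecureRandom.hex(16)
    @password_digest = pbkdf2(plain, @salt)
  end

  def authenticate(plain)
    secure_compare(pbkdf2(plain, @salt), @password_digest)
  end

  private

  def pbkdf2(plain, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(plain, salt, 20_000, 32, 'sha256')
  end
end

class TokenAuth
  def initialize(users)
    @users = users
  end

  # Reset step 1: mint the raw token that goes into the email link. Only its
  # digest is stored, so a database dump cannot be turned back into a link.
  def send_reset_instructions(email, now: Time.now)
    user = find_by_email(email)
    user && mint_token(user, :reset_token_digest, :reset_sent_at, now)
  end

  # Reset step 2: the form posts the raw token plus the new password. Look the user
  # up by digest, refuse expired or used tokens, change the password, sign them in.
  def reset_password(raw_token, new_password, now: Time.now)
    user = find_by_digest(:reset_token_digest, raw_token)
    return { error: 'invalid token' } unless user
    return { error: 'token expired' } if now - user.reset_sent_at > RESET_TOKEN_TTL
    user.password = new_password
    user.reset_token_digest = nil   # single use: a forwarded link is now dead
    user.reset_sent_at = nil
    { auth_token: mint_token(user, :auth_token_digest, :auth_token_issued_at, now) }
  end

  # Mobile sign-in: JSON credentials in, JSON auth_token out. Unknown email and
  # wrong password get the same answer so the endpoint cannot enumerate users.
  def sign_in(json_body, now: Time.now)
    params = JSON.parse(json_body)
    user = find_by_email(params['email'].to_s)
    unless user && user.authenticate(params['password'].to_s)
      return [401, { error: 'invalid email or password' }.to_json]
    end
    [200, { auth_token: mint_token(user, :auth_token_digest, :auth_token_issued_at, now) }.to_json]
  end

  # Later API requests present the token; look up by digest and enforce the TTL.
  def authenticate_request(raw_token, now: Time.now)
    user = find_by_digest(:auth_token_digest, raw_token)
    user if user && now - user.auth_token_issued_at <= AUTH_TOKEN_TTL
  end

  private

  def find_by_email(email)
    @users.find { |u| u.email == email.downcase }
  end

  def find_by_digest(field, raw_token)
    digest = Digest::SHA256.hexdigest(raw_token.to_s)
    @users.find { |u| u.public_send(field) && secure_compare(u.public_send(field), digest) }
  end

  # Generate a random token, store only its digest plus the issue time, return the raw value.
  def mint_token(user, digest_field, time_field, now)
    raw = SecureRandom.urlsafe_base64(32)
    user.public_send("#{digest_field}=", Digest::SHA256.hexdigest(raw))
    user.public_send("#{time_field}=", now)
    raw
  end
end
```

Because a reset both clears the reset token and mints a fresh auth_token, the forwarded-link scenario from the thread is contained twice over: the link works once at most, only within the TTL, and whoever used it also invalidated any API token the account previously had. The `now:` keyword exists so the expiry paths can be exercised deterministically without sleeping.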