
API Tokens with Devise Token Authenticatable

Episode 35 · December 12, 2014

Learn how to create simple API tokens for authentication with Devise

APIs · Authentication



Discussion


Fallback

Yes!! I have been waiting for this one. I need to watch it still, but thanks!


Fallback

Fantastic video Chris!

Question: Is this what websites use when you get an email from them for, say, updating your password, and when you click the link in the email it takes you directly to your user account without having to log in at all? (Assuming that your cookies haven't recently been cleared and the browser isn't using those.)

Fallback

Exactly! Devise uses a "reset_password_token" that gets sent over email to you. When you click the link, the token is in the URL and then gets put in the new password form. When you submit the form, it looks up your user by that token and then updates your password and signs you in.

Fallback

So slick, and relatively easy to do. Makes you wonder why some sites (big retail ones) have such crappy implementations of this type of thing.

Thanks!

Fallback

Maybe they aren't using something as friendly as Ruby on Rails. ;-)

Fallback

Doesn't that get a bit dangerous if the user forwards their email to someone else? We had a scenario where an HR Manager was forwarding an email to people in their team, which then got emailed to people in the business. Before you know it, people are logging in as the HR Manager and could potentially see salary information etc.

OR

Is this why we expire tokens for the ones sent out in emails etc.?

Fallback

Definitely wise to have expirations on tokens. Also, you will probably want to tell your users to keep the token secret (like don't commit it into a git repo, for example). There's not much of a way around that, because any API token is going to let you access the site on behalf of a user, since that's what they are designed for. Just want to make sure to educate users to protect their tokens just like they would their password.


Fallback

Thanks for a great article! I've been looking for something like this for a while. Something I would love if someone could cover is also how to use my Rails app as a backend for my mobile app. This would go a long way, of course, but how do you log in via a Rails API the first time, when you might not have this token saved? This is a question I have been looking for an answer to for a while.

Fallback

You would have to have an API endpoint for user creation that doesn't require an API key. It would be just like having a form on a website more or less. Check this out for a decent example on how to build an endpoint like this: http://stackoverflow.com/a/...

Fallback

I'm in the same boat. Ideally Devise, Doorkeeper, and OmniAuth for a third-party API called layer.com for Android; it has been a grind to find help on.


Fallback

I have two applications. One is a Rails API consumer app and the other is a legacy PHP one which responds with a JSON API. The APIs are used for user registration and login. Can I use Devise for authenticating users in the consumer app?


Fallback

Devise and Doorkeeper in Rails 4 for third-party API services for Android would be amazing.

FYI, layer.com is the API I'm talking about.


Fallback

I have a user created with the authentication token from my web sign-up flow; now how do I check for a valid user_id and password combination from my mobile login flow?
Once I have the auth_token, I can make all the requests, but I am unable to do that.

Fallback

@excid3 any thoughts on this?

Fallback

Usually you will want your mobile app to submit the email/username and password to the sign in endpoint with a JSON format. You can then have the sign in return you JSON for the user, namely the auth_token. That way your mobile app can create its own form, submit the login request, and if it's successful, you can receive JSON for the API key.
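Here is a plain-Ruby model of the flow Chris describes, which also covers the token-expiry point raised earlier in the thread (an added example, not GoRails' or Devise's code): the sign-in call exchanges email and password for a token, later requests send it in an `Authorization: Token ...` header, and the server looks the user up and rejects expired or mismatched tokens. `User`, `TokenAuth`, the header scheme and the 30-day TTL are constructed assumptions standing in for the Rails models and Devise's bcrypt password check.

```ruby
require "securerandom"
require "openssl"

# Constructed stand-in for the Devise user model; valid_password? mirrors
# Devise's bcrypt check using PBKDF2 so the example runs without the gem.
User = Struct.new(:id, :email, :pw_hash, :salt, :auth_token, :token_issued_at) do
  def valid_password?(pw)
    TokenAuth.secure_compare(TokenAuth.hash_password(pw, salt), pw_hash)
  end
end

module TokenAuth
  TOKEN_TTL = 30 * 24 * 3600 # seconds; constructed value so a leaked token expires
  USERS = {}                 # email => User, in-memory stand-in for the users table

  def self.hash_password(pw, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(pw, salt, 100_000, 32, OpenSSL::Digest.new("sha256"))
  end

  # Constant-time compare so a token lookup does not leak matches via timing.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  def self.register(id, email, password)
    salt = SecureRandom.random_bytes(16)
    USERS[email] = User.new(id, email, hash_password(password, salt), salt, nil, nil)
  end

  # The JSON sign-in endpoint: credentials in, {auth_token: ...} out (nil on failure).
  # A fresh token is issued on each sign-in so an older leaked token stops working.
  def self.sign_in(email, password, now = Time.now)
    user = USERS[email]
    return nil unless user && user.valid_password?(password)
    user.auth_token = SecureRandom.urlsafe_base64(32)
    user.token_issued_at = now
    { id: user.id, email: user.email, auth_token: user.auth_token }
  end

  # Per-request check: read "Authorization: Token <value>" from request.headers,
  # find the user by token and reject expired or mismatched tokens.
  def self.authenticate(headers, now = Time.now)
    token = headers["Authorization"].to_s[/\AToken (\S+)\z/, 1]
    return nil unless token
    user = USERS.values.find { |u| u.auth_token && secure_compare(u.auth_token, token) }
    return nil if user.nil? || now - user.token_issued_at > TOKEN_TTL
    user
  end
end
```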

Fallback

That totally makes sense. However, I am not sure how to handle the request from the mobile client and search for the user to respond back with the API key. I tried creating a sessions controller to handle this, but that does not work. Any thoughts on what I am doing wrong?

Fallback

Looks like you're on the right track. Step through that and make sure each piece is running like you expect. I would imagine it's something simple in there that's not working right.


Fallback

Chris, when the server responds either to the login action or to any logged-in action later on, how does the token get saved in the client browser (assuming you are using request.headers instead of params)? How does this differ from the HTML request version?


Fallback

How do you return the token via JSON to the user after signing in with Devise?

