API Tokens with Devise Token Authenticatable Discussion
Fantastic video Chris!
Question: Is this what websites use when you get an email from them to, say, update your password, and when you click the link in the email it takes you directly to your user account without having to log in at all? (Assuming that your cookies haven't recently been cleared and the browser isn't using those.)
Exactly! Devise uses a "reset_password_token" that gets sent over email to you. When you click the link, the token is in the url and then gets put in the new password form. When you submit the form, it looks up your user by that token and then updates your password and signs you in.
So slick, and relatively easy to do. Makes you wonder why some sites (big retail ones) have such crappy implementations of this type of thing.
Doesn't that get a bit dangerous if the user forwards their email to someone else? We had a scenario where an HR Manager was forwarding an email to people in their team, which then got emailed to people in the business. Before you know it people are logging in as the HR Manager and could potentially see salary information etc.
Is this why we expire tokens for the ones sent out in emails etc.?
Definitely wise to have expirations on tokens. Also you will probably want to tell your users to keep the token secret (like don't commit it into a git repo for example). There's not much way around that because any API token is going to let you access the site on behalf of a user since that's what they are designed for. Just want to make sure to educate users to protect their tokens just like they would their password.
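To make the expiry point concrete, here is an added example in plain Ruby (not Devise's code and not from the video): a constructed in-memory token store that persists only a digest of each token, refuses expired tokens, and revokes a token once it has been used. The `TokenStore` class, its TTL and the injectable clock are assumptions for illustration.

```ruby
require 'securerandom'
require 'digest'

# Constructed in-memory stand-in for the users table that Devise would query.
class TokenStore
  TOKEN_TTL = 24 * 60 * 60 # seconds; an emailed or API token should not live forever

  # `now` is injectable so expiry can be exercised deterministically.
  def initialize(now: -> { Time.now })
    @now = now
    @tokens = {} # digest => { user_id:, expires_at: }
  end

  # Issue a token for a user. Only the digest is stored; the raw token is
  # shown once (in the email or the JSON response) and never persisted,
  # so a leaked database dump does not hand out usable tokens.
  def issue(user_id, ttl: TOKEN_TTL)
    raw = SecureRandom.urlsafe_base64(32)
    @tokens[digest(raw)] = { user_id: user_id, expires_at: @now.call + ttl }
    raw
  end

  # Return the user id for a presented token, or nil if unknown or expired.
  def authenticate(raw)
    return nil if raw.nil? || raw.empty?
    key = digest(raw)
    entry = @tokens[key]
    return nil unless entry
    if entry[:expires_at] <= @now.call
      @tokens.delete(key) # expired: drop it so it can never be replayed
      return nil
    end
    entry[:user_id]
  end

  # Revoke a token once consumed (e.g. right after the password was reset),
  # so a forwarded email cannot be used a second time.
  def revoke(raw)
    @tokens.delete(digest(raw))
  end

  private

  def digest(raw)
    Digest::SHA256.hexdigest(raw)
  end
end
```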
Thanks for a great article! I've been looking for something like this for a while. Something I would love if someone could cover is also how to use my Rails app as a backend for my mobile app. This would go a long way of course, but how do you log in via a Rails API the first time when you might not have this token saved? This is a question I have been looking for an answer to for a while.
I'm in the same boat; ideally Devise, Doorkeeper, and OmniAuth for a third-party API called layer.com for Android. It has been a grind to find help on.
I have two applications. One is a Rails API consumer app and another is a legacy PHP one which responds with a JSON API. The APIs are used for user registration and login. Can I use Devise for authenticating users in the consumer app?
Devise and Doorkeeper in Rails 4 for third-party API services for Android would be amazing.
FYI, layer.com is the API I'm talking about.
I have a user created with the authentication token from my web sign-up flow; now how do I check for a valid user_id and password combination from my mobile login flow?
Once I have the auth_token, I can make all the requests, but I am unable to do that.
Usually you will want your mobile app to submit the email/username and password to the sign-in endpoint in JSON format. You can then have the sign-in return you JSON for the user, namely the auth_token. That way your mobile app can create its own form, submit the login request, and if it's successful, you can receive JSON for the API key.
That totally makes sense. However, I am not sure how to handle the request from the mobile client and search for the user to respond back with the API key. I tried creating a sessions controller to handle this, but that does not work. Any thoughts on what I am doing wrong?
Looks like you're on the right track. Step through that and make sure each piece is running like you expect. I would imagine it's something simple in there that's not working right.
Chris, when the server responds either to the login action or to any logged-in action later on, how does the token get saved in the client browser (assuming you are using request.headers instead of params)? How does this differ from the HTML request version?
How do you return the token via JSON to the user after signing in with Devise?