
How to prevent users from signing in from several API clients at the same time? #24

Closed
gonzalo-bulnes opened this issue Feb 5, 2014 · 2 comments
Labels
off topic question When closed, this issue will become part of the FAQ.

Comments

@gonzalo-bulnes
Owner

I opened this issue to reply to the first @halpimded comment in #14.

@ghost

ghost commented Feb 5, 2014

I suppose we'll need to track some unique token of the device and do a check to verify it matches up with the email/auth token on each request. But that still leaves the question of having to reset the auth token upon a successful login which has a new unique device token? Or is there a better approach?

@gonzalo-bulnes
Owner Author

You re-commented faster than I replied ; )

The users can sign in via the API sending their email / password, right? When doing that, the request is handled by the Devise::SessionsController (or some override of it). The action that's triggered is the same Devise::SessionsController#create that is triggered when users are not using the API (e.g. signing in from the webapp).

The question for me is: how can I identify the calls that come via the API from those which don't, so I can renew the users' authentication tokens? One response could be: the API requests JSON. If your webapp requests HTML, you could override that action to reset the user's authentication token when responding to a JSON request.

```ruby
respond_to do |format|
  format.json do
    # reset the user's authentication token,
    # then do what the action usually does
  end

  format.any do
    # keep doing what the action usually does
  end
end
```

And BTW that's not directly related to Simple Token Authentication. (Nothing wrong about that!) Does that make sense to you?

Now, of course, if your webapp makes JSON requests to the API (e.g. it's an Ember.js app), then we need to find a way to identify requests that come from users' mobile devices... And I don't see in this scenario why you would need to identify each device (as long as you know it's a mobile device, or a user-can't-sign-in-from-two-of-those-at-the-same-time device).
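The token-rotation idea sketched above, worked through as an added example that is not code from this issue or from the Simple Token Authentication gem. It models the `authentication_token` attribute the gem reads from the user record with a plain in-memory `User`, stands in for the overridden `Devise::SessionsController#create` with `sign_in`, and shows that a JSON sign-in from a second client invalidates the first client's token while an HTML sign-in leaves it alone; `register`, `authenticate`, `USERS` and the constructed sample account are hypothetical names for illustration.

```ruby
require "securerandom"
require "digest"

# Minimal stand-in for the user record; Simple Token Authentication reads
# `authentication_token` from the model. Passwords are stored in clear text
# only because Devise's hashing is out of scope for this example.
User = Struct.new(:email, :password, :authentication_token)

USERS = {} # constructed in-memory store keyed by email

def register(email, password)
  USERS[email] = User.new(email, password, SecureRandom.urlsafe_base64(24))
end

# Constant-time comparison so the token check does not leak by timing.
# Hashing both sides first makes the inputs equal length.
def secure_compare(a, b)
  da = Digest::SHA256.digest(a.to_s)
  db = Digest::SHA256.digest(b.to_s)
  da.bytes.zip(db.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Stand-in for the overridden Devise::SessionsController#create. The same
# action serves the webapp (:html) and API clients (:json); only the JSON
# branch rotates the token, which locks out whoever held the previous one.
def sign_in(email, password, format:)
  user = USERS[email]
  return nil unless user && secure_compare(user.password, password)

  user.authentication_token = SecureRandom.urlsafe_base64(24) if format == :json
  user.authentication_token
end

# Stand-in for the per-request check: email and token must both match.
def authenticate(email, token)
  user = USERS[email]
  return false unless user && user.authentication_token
  secure_compare(user.authentication_token, token)
end
```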
