How to add token authentication to an API? #45

Closed
ramidr opened this issue Mar 20, 2014 · 9 comments
Labels: external, tutorial, question (When closed, this issue will become part of the FAQ.)

Comments

@ramidr

ramidr commented Mar 20, 2014

I'm trying to add a secure API to my Rails app, which uses Devise for user authentication, and a mobile app will be able to use this API.

I'm following this tutorial: http://lucatironi.github.io/tutorial/2012/10/15/ruby_rails_android_app_authentication_devise_tutorial_part_one/ but it uses the deprecated authentication token.

My question is: if I install this gem and configure the models and controllers, will I be able to use the old methods like verify_authenticity_token?

Do you know another way, or a tutorial, that explains how to authenticate from a mobile app through a Devise Rails app?

@gonzalo-bulnes
Owner

Hello @ramidr,

Short answer: no, you won't be able to use the old Devise methods, but yes, you'll be able to provide token authentication to your API users.

Since Devise is installed, once you have specified which of your models should act as token authenticatable (i.e. will be able to authenticate against the API), and which of your controllers should act as authentication handlers (i.e. will require users to be token authenticated to access their actions), then your API clients only have to provide the user's authentication token and email in order to access protected resources.
The gem README provides more details on each of those steps.

The API clients' authentication is one of the primary use cases of Simple Token Authentication, and you shouldn't need to do anything but the default setup to get it working. Keep me updated!

Regards

@ramidr
Author

ramidr commented Mar 20, 2014

Thanks a lot Gonzalo!

@ricardodovalle

@ramidr could you post the solution?
Thanks

@ramidr
Author

ramidr commented Mar 20, 2014

I still have some questions, but the simple example is like @gonzalo-bulnes explains in the gem usage:

  1. I've created an API structure like the #350 RailsCast tutorial: http://railscasts.com/episodes/350-rest-api-versioning
  2. Install 'simple_token_authentication'
  3. Add acts_as_token_authenticatable to my User model
  4. Add :authentication_token attribute to User table through migrations
  5. Add acts_as_token_authentication_handler_for User in /controllers/api/v1/products_controller.rb

Finally you can call it through your API client in one of two ways:

http://10.10.10.200:3000/api/products?user_email=example@example.com&user_token=jQu7y1oi41P6d7igCJNL

or

http://10.10.10.200:3000/api/products and headers:
X-User-Email:example@example.com
X-User-Token:jQu7y1oi41P6d7igCJNL
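The two request shapes from the steps above, as an added example in Ruby (not code from the thread or from the gem): it builds both requests with Net::HTTP without sending them, using the host, email and token quoted in the post as constructed sample values.

```ruby
require "net/http"
require "uri"

# Added example: the two ways a client can present Simple Token
# Authentication credentials. Host, email and token are the sample values
# from the thread, not real credentials.
API_BASE = "http://10.10.10.200:3000/api/products"
EMAIL    = "example@example.com"
TOKEN    = "jQu7y1oi41P6d7igCJNL"

# Way 1: credentials as user_email / user_token query parameters.
# Query strings are routinely written to server, proxy and browser logs,
# so this form exposes the token to every log reader on the path.
def query_param_request(base = API_BASE, email: EMAIL, token: TOKEN)
  uri = URI(base)
  uri.query = URI.encode_www_form(user_email: email, user_token: token)
  Net::HTTP::Get.new(uri)
end

# Way 2: credentials in the X-User-Email / X-User-Token headers.
# The token never appears in the request line, so access logs stay clean.
def header_request(base = API_BASE, email: EMAIL, token: TOKEN)
  req = Net::HTTP::Get.new(URI(base))
  req["X-User-Email"] = email
  req["X-User-Token"] = token
  req["Accept"] = "application/json"
  req
end

# Sends either request; TLS is switched on whenever the scheme is https,
# which is what keeps the token private on the wire in the first place.
def send_request(req)
  uri = req.uri
  Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == "https") do |http|
    http.request(req)
  end
end
```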

@ramidr
Author

ramidr commented Mar 20, 2014

My question for @gonzalo-bulnes is whether it is good practice to send the token in plain text, because it is like a password and must be sent encrypted.

And another question... does anyone know how I could log in from a mobile app? I want to log in from my mobile app through my API, and if it is correct, the user can access the rest of the API.
Must I create Devise log-in methods in my API controller? Any ideas?

thanks!

@gonzalo-bulnes
Owner

@ramidr You're welcome; and thanks for helping @ricardodovalle, that's great!

About your first question: as soon as there are users involved, I personally consider that SSL/TLS must be enabled.
That being said, tokens can easily be renewed without requiring users to change their passwords; that's why we use them instead of the users' passwords.

Note: how to renew an authentication token:

  1. set the user's authentication_token attribute to nil
  2. a new token will be generated automatically before the user is saved.

About your second question: if you want to sign users in from a mobile device, then you probably should ensure the Devise::SessionsController responds to JSON. Take a look at this comment, I think it's what you're looking for. If something remains unclear about the sessions controller, please post your questions in #27 to keep topics separated. : )

Edit: update HTTPS recommendation, add link to documentation! : )

@gonzalo-bulnes
Owner

@ramidr, @ricardodovalle I'm editing the issue title, don't get confused! ; )

@Sjors

Sjors commented Mar 27, 2014

I wrote a blog post explaining how I used this gem to create a simple JSON API that an app can communicate with. I also created a sample project.

@gonzalo-bulnes
Owner

Hi @Sjors,

Your article is cool, thanks for announcing it here. As a kind of "see also", here are some discussions related to the issues you pointed out:

Currently only one app can log in at the same time for each user, because the token is replaced during login. One solution could be to modify simple_token_authentication to store an array of tokens.

See the #26 and #24 topics.

The only thing I changed is setting authentication_token to nil at logout so that if the token is compromised it can’t be used again.

See #34 : )

Regards!
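The token lifecycle discussed in this thread (renewal by setting the attribute to nil before a save, and nilling it at sign-out so a leaked token stops working), as an added example in plain Ruby that is not the gem's code: the User class below is a stand-in for a Devise model, SecureRandom replaces the gem's token generator, and the comparison helper is an assumption about how a handler should check a presented token, not the gem's implementation.

```ruby
require "securerandom"

# Added example, not the gem's code: a plain Ruby stand-in for a Devise
# User record showing the token lifecycle from the thread. A token is
# generated on save when it is nil, renewed by nilling it and saving,
# and dropped at sign-out so a compromised token can't be reused.
class User
  attr_reader :email, :authentication_token

  def initialize(email)
    @email = email
    @authentication_token = nil
  end

  # Stand-in for the gem's before_save hook: fills the token only when it
  # is blank, so an ordinary save leaves an existing token untouched.
  # 15 random bytes give a 20-character urlsafe token, the same length as
  # the sample token quoted in the thread.
  def ensure_authentication_token
    return @authentication_token unless @authentication_token.to_s.empty?
    @authentication_token = SecureRandom.urlsafe_base64(15)
  end

  def save
    ensure_authentication_token
    self
  end

  # Renewal as gonzalo-bulnes describes it: nil the attribute, then save.
  def renew_authentication_token!
    @authentication_token = nil
    save.authentication_token
  end

  # Sign-out as in Sjors's post: with no stored token, nothing can match.
  def sign_out!
    @authentication_token = nil
  end

  # Assumed check for a handler: compare every byte instead of stopping at
  # the first mismatch, so the comparison time doesn't reveal how much of
  # the token was right. A signed-out user (nil token) rejects every value.
  def token_matches?(presented)
    stored = @authentication_token
    return false if stored.nil? || presented.nil?
    return false unless presented.bytesize == stored.bytesize
    presented.bytes.zip(stored.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
  end
end
```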
