rails-api

I'm writing a Rails 4 app that will expose an API for a mobile app that's yet to be developed. Users will authenticate using an e-mail and password from the mobile app. While I've found quite a bit of information on the topic. It's hard to discern what's dated or non-optimal. I've read about HTTP Basic Auth, which doesn't seem too secure, and HTTP Token-based Auth, but I'm not sure on how to couple that with regular e-mail and password authentication (I'm using Devise by the way). I'd just like to know what's the current best practice on how to implement this, so I'll be sure to be going the

I'd like my Rails 5 API-only app, for now running on http://localhost:3000 , to only accept requests from my NodeJS front-end app, for now running on http://localhost:8888 . So I configured /config/initializers/cors.rb like this: Rails.application.config.middleware.insert_before 0, Rack::Cors do allow do origins "http://localhost:8888" resource "*", headers: :any, methods: [:get, :post, :put, :patch, :delete, :options, :head] end end And I wrote this test: #/spec/request/cors_request_spec.rb RSpec.feature "CORS protection", type: :request do it "should accept a request from a whitelisted

I'm building a simple api with Rails API , and want to make sure I'm on the right track here. I'm using devise to handle logins, and decided to go with Devise's token_authenticatable option, which generates an API key that you need to send with each request. I'm pairing the API with a backbone/marionette front end and am generally wondering how I should handle sessions. My first thought was to just store the api key in local storage or a cookie, and retrieve it on page load, but something about storing the api key that way bothered me from a security standpoint. Wouldn't be be easy to grab the