Devise API authentication [closed]

Answer 1

If token auth just isn't what you want to do, you can also return a cookie and have the client include the cookie in the request header. It works very similar to the web sessions controller.

In an API sessions controller

class Api::V1::SessionsController < Devise::SessionsController

  skip_before_action :authenticate_user!
  skip_before_action :verify_authenticity_token

  def create
    warden.authenticate!(:scope => :user)
    render :json => current_user
  end

end

In Routes

namespace :api, :defaults => { :format => 'json' } do
  namespace :v1 do
    resource :account, :only => :show
    devise_scope :user do
      post :sessions, :to => 'sessions#create'
      delete :session, :to => 'sessions#destroy'
    end
  end
end

Then you can do this sort of thing (examples are using HTTPie)

http -f POST localhost:3000/api/v1/sessions user[email]=user@email.com user[password]=passw0rd

The response headers will have a session in the Set-Cookie header. Put the value of this in subsequent requests.

http localhost:3000/api/v1/restricted_things/1 'Cookie:_my_site_session=<sessionstring>; path=/; HttpOnly'

Answer 2

Devise is based on Warden, an authentification middleware for Rack.

If you need to implement your own (alternative) way to authenticate a user, you should have a look at Warden in combination with the strategies that ship with Devise: https://github.com/plataformatec/devise/tree/master/lib/devise/strategies

Answer 3

I would recommend reading through the Devise Wiki, as Devise natively supports token authentication as one of it's modules. I have not personally worked with token authentication in Devise, but Brandon Martin has an example token authentication example here.

Answer 4

There is a devise configuration called :token_authenticatable. So if you add that to the devise method in your "user", then you can authenticate in your API just by calling

"/api/v1/recipes?qs=sweet&auth_token=[@user.auth_token]"

You'll probably want this in your user as well:

before_save :ensure_authentication_token

UPDATE (with API authorization code)

The method you're looking for are:

resource = User.find_for_database_authentication(:login=>params[:user_login][:login])
resource.valid_password?(params[:user_login][:password])

here's my gist with a full scale JSON/API login with devise