问题
What is the best way to find a registered user with token authentication? The way I currently do it is to query the db for the token the app sends to access the api. E.g. 'user = User.where(:authentication_token => params[:authtoken]).first '. Is this safe?
I have seen code that uses warden.authenticate and another that does the ff: the client sends the email along with the authtoken. It then uses the email to find the user and then does a devise secure compare with the sent token and the token of the user it found in the db email query. This was the solution in the devise token authenticable gist to roll your own token auth.
Should i be sending an email along with token in every request?
回答1:
Devise removed token_authenticateable due to security concerns, but as you've suggested you can still implement it yourself. There is some good discussion and recommendations in this gist: https://gist.github.com/josevalim/fb706b1e933ef01e4fb6
Specifically I would take a look at Devise.secure_compare which is used in the second solution and takes care of some of your concerns around the safety of your approach, especially with regard to timing attacks.
来源:https://stackoverflow.com/questions/21970504/custom-devise-api-token-auth