Using Devise tokens to log in, is this built in?

J.R. picture J.R. · Jan 7, 2011 · Viewed 20.4k times · Source

So, I'm trying to use tokens with Devise (version 1.0.3 with Rails 2.3.8) to let a user log in, but I'm not entirely sure where to begin.

http://zyphdesignco.com/blog/simple-auth-token-example-with-devise

The above tutorial helped me turn on the token functionality, and showed how to generate (or delete) tokens...but the whole POINT of tokens is to use them to authorize a user, correct?

When I look at a user in the console, I can say user.authentication_token, and get something back like: "Qm1ne93n_XkgmQTvxDmm", which is all well and good...but where do I go from there?

I tried hitting the sign_in root using the following command line command:

curl -d "authentication_token=Qm1ne93n_XkgmQTvxDmm" localhost:3000/users/sign_in

And definitely didn't get a successful log in.

In the sessions controller, I see that they call:

authenticate(resource_name)

Which I'm ASSUMING is somewhere in the module:

include Devise::Controllers::InternalHelpers

which gets included, but I don't know where to look for that (it's definitely not in the source's controller folder). If I could look at how authenticate works, I could see if it even LOOKS at tokens...

DOES Devise let you actually log in with tokens, or does it just have a framework for generating them? If it does let you log in with them...HOW do you do this? Can you not use curl (i.e. does it have to be in a browser? If so, I'd hafta roll my own solution, I NEED non-browser support.). If it doesn't, how do I roll my own?

Answer

Anthony Panozzo picture Anthony Panozzo · Jan 12, 2011

My understanding is that you can use the tokens to log in or to hit arbitrary pages that need authentication, even with cURL. If you look in config/initializers/devise.rb, there should be a line that says something like:

config.token_authentication_key = :auth_token

Whatever the name of the token_authentication_key is should match what you put as the query or form parameter in your request. You used authentication_token in your example, not sure if you changed devise.rb to match that or not.

If you want to figure out how things are working internally, I would try git clone git://github.com/plataformatec/devise.git and search for the methods you need clarification of.

Here are some sample cURL requests (I made a custom Users::SessionsController that extends Devise::SessionsController and overrides the create method to handle JSON.)

class Users::SessionsController < Devise::SessionsController
  def create
    resource = warden.authenticate!(:scope => resource_name, :recall => "#{controller_path}#new")
    set_flash_message(:notice, :signed_in) if is_navigational_format?
    sign_in(resource_name, resource)

    respond_to do |format|
      format.html do
        respond_with resource, :location => redirect_location(resource_name, resource)
      end
      format.json do
        render :json => { :response => 'ok', :auth_token => current_user.authentication_token }.to_json, :status => :ok
      end
    end
  end
end 

And then the cURL requests I gave:

curl -X POST 'http://localhost:3000/users/sign_in.json' -d 'user[email][email protected]&user[password]=password'
-> {"response":"ok","auth_token":"ABCDE0123456789"}

curl -L 'http://localhost:3000/profile?auth_token=ABCDE0123456789'
-> got page that I wanted that needs authentication