So, I'm trying to use tokens with Devise (version 1.0.3 with Rails 2.3.8) to let a user log in, but I'm not entirely sure where to begin.
http://zyphdesignco.com/blog/simple-auth-token-example-with-devise
The above tutorial helped me turn on the token functionality, and showed how to generate (or delete) tokens...but the whole POINT of tokens is to use them to authorize a user, correct?
When I look at a user in the console, I can say user.authentication_token, and get something back like: "Qm1ne93n_XkgmQTvxDmm", which is all well and good...but where do I go from there?
I tried hitting the sign_in root using the following command line command:
curl -d "authentication_token=Qm1ne93n_XkgmQTvxDmm" localhost:3000/users/sign_in
And definitely didn't get a successful log in.
In the sessions controller, I see that they call:
authenticate(resource_name)
Which I'm ASSUMING is somewhere in the module:
include Devise::Controllers::InternalHelpers
which gets included, but I don't know where to look for that (it's definitely not in the source's controller folder). If I could look at how authenticate works, I could see if it even LOOKS at tokens...
DOES Devise let you actually log in with tokens, or does it just have a framework for generating them? If it does let you log in with them...HOW do you do this? Can you not use curl (i.e. does it have to be in a browser? If so, I'd hafta roll my own solution, I NEED non-browser support.). If it doesn't, how do I roll my own?
My understanding is that you can use the tokens to log in or to hit arbitrary pages that need authentication, even with cURL. If you look in config/initializers/devise.rb
, there should be a line that says something like:
config.token_authentication_key = :auth_token
Whatever the name of the token_authentication_key
is should match what you put as the query or form parameter in your request. You used authentication_token
in your example, not sure if you changed devise.rb to match that or not.
If you want to figure out how things are working internally, I would try git clone git://github.com/plataformatec/devise.git
and search for the methods you need clarification of.
Here are some sample cURL requests (I made a custom Users::SessionsController that extends Devise::SessionsController and overrides the create method to handle JSON.)
class Users::SessionsController < Devise::SessionsController
def create
resource = warden.authenticate!(:scope => resource_name, :recall => "#{controller_path}#new")
set_flash_message(:notice, :signed_in) if is_navigational_format?
sign_in(resource_name, resource)
respond_to do |format|
format.html do
respond_with resource, :location => redirect_location(resource_name, resource)
end
format.json do
render :json => { :response => 'ok', :auth_token => current_user.authentication_token }.to_json, :status => :ok
end
end
end
end
And then the cURL requests I gave:
curl -X POST 'http://localhost:3000/users/sign_in.json' -d 'user[email][email protected]&user[password]=password'
-> {"response":"ok","auth_token":"ABCDE0123456789"}
curl -L 'http://localhost:3000/profile?auth_token=ABCDE0123456789'
-> got page that I wanted that needs authentication