Using auth_token from request headers instead from POST/PUT parameters with Rails 3 / devise

ruby-on-rails authentication devise token
GeorgieF picture GeorgieF · Sep 13, 2011 · Viewed 19.6k times · Source

I need to use token based authentication in a Rails 3.1 API in conjunction with the most recent version of devise. No problem so far.

Now I do not want to append my :auth_token to the POST/PUT parameters on client side but send this token as a request header like HTTP_X_MYAPP_AUTH_TOKEN".

Can I convince devise from using that rather than a token from parameters? Is it possible to implement both, so that my API users can send the token via request header OR POST/PUT parameter?

Regards. Felix

Answer

Chris Conley picture Chris Conley · Sep 28, 2011

I had the same need and came up with this solution:

class YourController < ApplicationController
  prepend_before_filter :get_api_key
  before_filter :authenticate_user!

  private
  def get_api_key
    if api_key = params[:api_key].blank? && request.headers["X-API-KEY"]
      params[:api_key] = api_key
    end
  end
end

Note I have my devise Devise.token_authentication_key set to api_key.

config.token_authentication_key = :api_key

Related questions

Extending Devise SessionsController to authenticate using JSON

I am trying to build a rails API for an iphone app. Devise works fine for logins through the web interface but I need to be able to create and destroy sessions using REST API and I want to use …

Read More
RoR Devise: Sign in with username OR email

What's the best way to enable users to log in with their email address OR their username? I am using warden + devise for authentication. I think it probably won't be too hard to do it but i guess i need …

Read More
Rails, Devise authentication, CSRF issue

I'm doing a singe-page application using Rails. When signing in and out Devise controllers are invoked using ajax. The problem I'm getting is that when I 1) sign in 2) sign out then signing in again doesn't work. I think it's related …

Read More