Rails API: the best way to implement authentication?

I am writing a Rails 4 application that will open an API for a mobile application that has not yet been developed. Users will authenticate using email and password from a mobile application.

So far I have found quite a lot of information on this topic, but it is difficult to tell what is dated or not optimal. I read about HTTP Basic Auth, which doesn't seem too secure, and about HTTP token auth, but I'm not sure how to combine that with basic email and password authentication (I'm using Devise, by the way).

I just wanted to know what the best practice is for implementing this, so that I am definitely on the right track.

+65
ruby-on-rails ruby-on-rails-4 rails-api
May 04 '15 at 19:32
4 answers

An important point, from a security point of view, is to exchange the user's email and password for a token once, and then use that token for all subsequent requests. This is because:

  • You do not want the client application to be responsible for holding the user's password, where a bug or an attack could lead to it leaking; and
  • A token chosen by the server gives you (and your users) the ability to expire the token when necessary, e.g. to lock out a stolen device or to block a misbehaving API client.

There are many ways to do this with various difficulty levels.

Here is a very recent tutorial with a detailed step-by-step guide to building an API in Rails with token-based authentication (it does not use Devise, but it is still relevant for understanding the concepts): https://labs.kollegorna.se/blog/2015/04/build-an-api-now/

+39
May 05 '15 at 3:51

@Roma149 It's rather a personal preference, but most people who are just starting out use Devise, as it is the easiest IMO. OAuth2 is a good option too. On a more important note, you can always go to The Ruby Toolbox.

There is a lot of good information there about gems, and it even tells you the age and popularity of a gem. It will also let you see which gems the community is really using right now, and which are out of date.

Remember that in Ruby and Ruby on Rails newer is not always better; what matters is what best suits your project!

+4
May 05 '15 at 2:08

Another option is to include the module below in your Devise model and add an auth_token field to it.

app/models/concerns/token_authenticatable.rb

```ruby
module TokenAuthenticatable
  extend ActiveSupport::Concern

  included do
    # Make sure every persisted record carries a token.
    before_save :ensure_auth_token
  end

  module ClassMethods
    def find_by_token(token)
      find_by(auth_token: token)
    end
  end

  def ensure_auth_token
    self.auth_token = generate_auth_token if auth_token.blank?
  end

  private

  # Keep drawing random tokens until one is unused.
  def generate_auth_token
    loop do
      token = Devise.friendly_token
      break token unless self.class.exists?(auth_token: token)
    end
  end
end
```

app/controllers/api/v1/login_controller.rb

```ruby
...
def login_user(params)
  if params[:authentication]
    # Token path: the client already holds an auth token.
    @user = User.find_by(auth_token: params[:authentication])
    if @user.nil?
      render json: err('login user by token failed', ERR_USER_NOT_FOUND), status: :not_found
      event('login_user_by_auth_failed', 'token', params[:authentication])
      return
    else
      render status: :ok, json: @user
      return
    end
  else
    # Credential path: exchange email and password for a token.
    user = User.find_by(email: params[:email])
    if user.nil?
      event('login_user_failed_not_found', 'user_email', params[:email])
      render json: err("login user not found #{params[:email]}", ERR_USER_NOT_FOUND), status: :not_found
      return
    end
    if user.access_locked?
      event('login_user_blocked', 'user_id', user.id)
      render json: err("login user account is locked : #{user.id}", ERR_USER_LOCKED), status: :unauthorized
      return
    end
    unless user.try(:valid_password?, params[:password])
      event("login_user_password_does_not_match #{user.id}", 'user_id', user.id)
      render json: err('login user password does not match', ERR_PASSWORD_NOT_MATCH), status: :unauthorized
      return
    end
    event('login_user_succeeded', 'user_id', user.id)
    @user = user
    if @user.save
      # Hand the token back to the client in a response header.
      response.headers['authentication'] = @user.auth_token
      render status: :ok, json: @user
      return
    else
      render json: @user.errors, status: :unprocessable_entity
      return
    end
  end
end
...
```

Edit: fixed a typo in the code

+3
May 09 '15 at 1:08

The Tiddle gem provides a Devise strategy for token authentication in Ruby on Rails API applications. Its main feature is support for multiple tokens per user.

https://github.com/adamniedzielski/tiddle

+3
Jan 02 '17 at 20:28
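The token model the first answer describes (exchange credentials once for a server-chosen, revocable token) combined with the per-device tokens the Tiddle answer mentions, as an added example that is not code from any of the answers, from Devise or from Tiddle. The TokenStore class, its TTL and the user ids are assumptions; an in-memory array stands in for the database table.

```ruby
require 'securerandom'
require 'digest'

# Added example: a per-device API token table. The client exchanges email and
# password once for an opaque token; only the SHA-256 digest is stored, so a
# leaked database copy yields no usable tokens, and several tokens per user
# allow revoking one stolen device without logging the user out everywhere.
class TokenStore
  TTL = 30 * 24 * 3600 # 30 days (constructed value)
  Record = Struct.new(:user_id, :digest, :expires_at, :revoked)

  def initialize
    @records = []
  end

  # Issue a fresh token for a user whose password was already verified
  # (e.g. with Devise's valid_password?). The plaintext is returned exactly once.
  def issue(user_id, now: Time.now)
    token = SecureRandom.urlsafe_base64(32)
    @records << Record.new(user_id, digest(token), now + TTL, false)
    token
  end

  # Returns the user_id for a live token; nil for unknown, expired or revoked ones.
  def authenticate(token, now: Time.now)
    rec = find(token)
    return nil if rec.nil? || rec.revoked || rec.expires_at <= now
    rec.user_id
  end

  # Revoke a single token (one device) without touching the user's other sessions.
  def revoke(token)
    rec = find(token)
    return false if rec.nil?
    rec.revoked = true
  end

  private

  def digest(token)
    Digest::SHA256.hexdigest(token)
  end

  # Digests are compared, not raw tokens: a caller cannot craft input whose
  # digest matches byte by byte, so a plain equality check suffices here.
  def find(token)
    d = digest(token)
    @records.find { |r| r.digest == d }
  end
end
```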
