ruby on rails - Using Devise tokens to log in, is this built in?

Question

So, I'm trying to use tokens with Devise (version 1.0.3 with Rails 2.3.8) to let a user log in, but I'm not entirely sure where to begin.

http://zyphdesignco.com/blog/simple-auth-token-example-with-devise

The above tutorial helped me turn on the token functionality, and showed how to generate (or delete) tokens...but the whole POINT of tokens is to use them to authorize a user, correct?

When I look at a user in the console, I can say user.authentication_token, and get something back like: "Qm1ne93n_XkgmQTvxDmm", which is all well and good...but where do I go from there?

I tried hitting the sign_in root using the following command line command:

curl -d "authentication_token=Qm1ne93n_XkgmQTvxDmm" localhost:3000/users/sign_in

And definitely didn't get a successful log in.

In the sessions controller, I see that they call:

authenticate(resource_name)

Which I'm ASSUMING is somewhere in the module:

include Devise::Controllers::InternalHelpers

which gets included, but I don't know where to look for that (it's definitely not in the source's controller folder). If I could look at how authenticate works, I could see if it even LOOKS at tokens...

DOES Devise let you actually log in with tokens, or does it just have a framework for generating them? If it does let you log in with them...HOW do you do this? Can you not use curl (i.e. does it have to be in a browser? If so, I'd hafta roll my own solution, I NEED non-browser support.). If it doesn't, how do I roll my own?

Answer 1

My understanding is that you can use the tokens to log in or to hit arbitrary pages that need authentication, even with cURL. If you look in config/initializers/devise.rb, there should be a line that says something like:

config.token_authentication_key = :auth_token

Whatever the name of the token_authentication_key is should match what you put as the query or form parameter in your request. You used authentication_token in your example, not sure if you changed devise.rb to match that or not.

If you want to figure out how things are working internally, I would try git clone git://github.com/plataformatec/devise.git and search for the methods you need clarification of.

Here are some sample cURL requests (I made a custom Users::SessionsController that extends Devise::SessionsController and overrides the create method to handle JSON.)

class Users::SessionsController < Devise::SessionsController
  def create
    resource = warden.authenticate!(:scope => resource_name, :recall => "#{controller_path}#new")
    set_flash_message(:notice, :signed_in) if is_navigational_format?
    sign_in(resource_name, resource)

    respond_to do |format|
      format.html do
        respond_with resource, :location => redirect_location(resource_name, resource)
      end
      format.json do
        render :json => { :response => 'ok', :auth_token => current_user.authentication_token }.to_json, :status => :ok
      end
    end
  end
end 

And then the cURL requests I gave:

curl -X POST 'http://localhost:3000/users/sign_in.json' -d 'user[email][email protected]&user[password]=password'
-> {"response":"ok","auth_token":"ABCDE0123456789"}

curl -L 'http://localhost:3000/profile?auth_token=ABCDE0123456789'
-> got page that I wanted that needs authentication