DEV Community

Guide to devise_token_auth: Simple Authentication in Rails API

Risa Fujii on February 09, 2019

I wanted to create an authentication system for my Rails API, but one thing about APIs (with no client) is that you can't use sessions or cookies f...

Read full post

Masroor Hussain • Oct 26 '20

that extend Devise::Models is on point and needs to be done for this to work. Thanks!

Risa Fujii • Nov 12 '20

Happy to hear it! :D

Comment hidden by post author - thread only accessible via permalink

Daveyon Mayne 😻 • Dec 29 '19

Gonna add this as I'm sure many will find this useful. ✊🏽

Rails.application.config.middleware.insert_before 0, Rack::Cors do
    [...]
      expose: ['access-token', 'uid', 'client'],
    [...]
  end
end

Johan Baaij • Jan 13 '20

Thanks! devise_token_auth works great for me and I found your other article about testing useful as well.

But :)! What if you do need to store some session data? I'm trying to authenticate with the Discogs API which involves generating a request token, going to their website to authorize, which then redirects you to a callback route on the Rails API. What's the correct way to persist that request token in between those two requests?

Is it bad practice to just store it in a DB column for the user?

Risa Fujii • Jan 14 '20 • Edited

Hi! Thanks for reading, and I’m happy to hear it helped 😄
Please take my ideas below with a grain of salt, since I don’t know your specific use case and I haven't used the Discogs API.

generating a request token, going to their website to authorize, which then redirects you to a callback route on the Rails API.

I’m guessing from this description that your app has a browser client? In that case, you should be able to use session storage normally and store it like this: session[:discogs_token] = <the request token>
If you used Rails’s API mode when initializing your project (the --api flag), sessions won’t be available to you by default so it looks like you’ll have to configure a few things: stackoverflow.com/q/15342710/11249670

On the other hand, if you're supposed to store the token for a long time (longer than the session), then storing it in the DB sounds like a good idea.
For example, in a different blog post that I linked below, I talk about refresh tokens, which are supposed to be reused in every session.
In this blog post's case, I store normal access tokens in the session, and refresh tokens in the DB.

Beginner’s guide to OAuth: Understanding access tokens and authorization codes using Google API

Risa Fujii ・ Aug 16 '19 ・ 7 min read

#oauth #authentication #ruby

Hope this helps somewhat!

Johan Baaij • Jan 15 '20

Thanks for taking the time to get back to me. My API is consumed by a Vue.js client (using vue-auth). I've tried all the different middlewares and setting api mode to false but always see my session contents emptied.

Ah well! For now I'm saving the request_token in my DB until the callback is called. And yes, the access_token is needed for using the API once authorized.

Risa Fujii • Jan 16 '20 • Edited

No problem, sorry I can't be more helpful. If your issue is that you can't use session at all with your configuration (not just for devise_token_auth), it might be a good question for Stack Overflow. Best of luck!

Masroor Hussain • Oct 26 '20

I had to do
require 'devise_token_auth' in the routes.rb file, otherwise I was getting this error:
NoMethodError (undefined method `mount_devise_token_auth_for' for #ActionDispatch::Routing::Mapper:0x...)

Github issue here

Risa Fujii • Nov 12 '20

Thanks for reading and for the comment! I'll add a note in the post :)

Lee Smith 🍻 • Mar 1 '19

You actually can use session cookies for API authentication...as long as the API client is a web browser. Given that caveat, I thought this approach was interesting because it takes advantage of the battle-tested CSRF protection already built into Rails.

pragmaticstudio.com/tutorials/rail...

Risa Fujii • Mar 10 '19

Thank you for your comment! Perhaps I should've specified - I meant Rails API with no front-end when I was talking about not being able to use sessions.

Daveyon Mayne 😻 • Dec 26 '19

It's nice to let readers know that Devise gem must be installed first 🙃

Risa Fujii • Dec 31 '19

Hi, thanks for the comment. I imagine that if you add devise_token_auth to your Gemfile and run bundle, the Devise gem would be added as a dependency (so you don't need to install Devise separately). Is this not the case?

Daveyon Mayne 😻 • Dec 31 '19

Hi. It's not the case with Rails 6 API in my case. I do not know why. My Gemfile:

# Authentication
gem 'devise'
gem 'devise_token_auth'

Risa Fujii • Jan 1 '20 • Edited

Happy new year :)
Hmm, that's strange. Out of curiosity, I created a new repo and followed my own tutorial. I had to make some updates in the article to compensate for changes made in devise, but I didn't have to include the devise gem in the Gemfile. Feel free to check out the project: github.com/risafj/demo-for-devise-...

Daveyon Mayne 😻 • Jan 1 '20

I had a fresh copy of the api installed using ruby 2.5.0. If I remove the devise gem, the auth breaks lol I know this is weird. I'll upgrade both ruby and rails and try again. But yea, I believe something weird is happening with my setup.

Thanks.

Daveyon Mayne 😻 • Jan 1 '20

To update. Another fresh installation with ruby 2.7.0 and Rails 6.0.2.1 and all is well (production). Weird, I know. 😅

Risa Fujii • Jan 1 '20

Hmm... we may never find out why 😂 Glad it’s working now though! Thanks for the update!

Fabian Torres M • Jan 28 '23

Hello everyone, I have two questions, I hope you can help me,

1.- How do I connect social login?
2.- How do I use the password recovery module from a mobile?

Can you help me with any suggestion?

I already saw the documentation, but it makes me confused especially in recovering password

Thank you

Dallas Goldswain • Apr 20 '20

Awesome post! Exactly what I was looking for.

Risa Fujii • Apr 21 '20

Thanks for the comment, happy to hear it helped!

Babar Ali • Dec 7 '22

Thanks for the post.. But I am just wondering about how we can implement forgot password using this as I am unable to understand whatever is written in the documentation about this flow. That would be great if you add a post for that too.

Santiago Pinchao • May 4 '21

Thanks for the article! This file
config/initializers/devise_token_auth.rb

Is important too, for example with the time life of a token

Nelcifran • May 14 '19

Nice, this help me today...Thanks

Risa Fujii • May 15 '19

Hi, happy to hear it! :)

Rafael Oliveira • Oct 25 '19

Hi!
Nice post, only add below statement: "extends Devise::Models" to begin User's model, after devise_token_auth install. This to rails version 6.

something else is ok :)

Risa Fujii • Dec 31 '19

Just saw this - thank you, I will add it as a note in the post!

chowderhead • May 25 '19

Nailed it ! thanks for your work!

chowderhead • May 25 '19

this is a very difficult topic.. thanks for covering it for us noobies

Risa Fujii • May 26 '19

Thanks for the comment! Happy to hear it helped :)

Adelaja Jeremiah Anuoluwapo • May 28 '20

Hi. Thanks for the tutorial, but I have a little challenge customizing the session controller .... I will be glad if I can get a little assistance in that regard...
Jerry A.
jesyontop01@gmail.com

Risa Fujii • May 30 '20 • Edited

Hi, what kind of issue are you having? You'll probably have a better time asking on the devise_token_auth's Github issues or Stack Overflow, but maybe I could take a look!