I wanted to create an authentication system for my Rails API, but one thing about APIs (with no client) is that you can't use sessions or cookies for authentication.
So instead, I used the gem devise_token_auth, which uses tokens. Put simply, this is how it works: when you make HTTP requests to sign up or log in, the response headers give you authentication tokens, which you send in subsequent HTTP requests' headers to prove that you're authenticated.
While the official docs provide most of the information you need, there were a few points that I found confusing so I'm leaving this article for future reference. Hope it helps!
Note: Guide is for Linux or MacOS.
Implementation Steps
Please also feel free to check out the bare-bones repository I created, as a proof of concept for how to use this gem.
1. Install devise_token_auth
Add the following to your Gemfile, then run bundle from your command line:
gem 'devise_token_auth'
2. Generate necessary files
Execute this from your command line.
rails g devise_token_auth:install User auth
This will do many things, including:
- Create a
Usermodel, which stores information such as users' email addresses, and a corresponding migration file - Add a line in your
config/routes.rbfile specifying the route for authentication endpoints like sign up or sign in (If you want it routed somewhere other than/auth/, swap out the "auth" in the command with something else)
For the exhaustive list of what this command does, check out the docs.
Update
According to Rafael's comment below, it's now necessary to add extend Devise::Models to the User model file generated here. Details can be found in this Github issue.
Hi!
Nice post, only add below statement: "extends Devise::Models" to begin User's model, after devise_token_auth install. This to rails version 6.
something else is ok :)
3. Migrate your database
Run rails db:migrate in your command line to apply the migration file that was created in step #2, which probably looks something like db/migrate/YYYYMMDDTTTT_devise_token_auth_create_users.rb.
4. Configure your initializer file
Go to your config/initializers/devise_token_auth.rb file (also created in the rails g command in step #2).
Again, the docs have the complete list of configurations you can make, but to give an example:
config.change_headers_on_each_request = false
By default, the authorization headers change with each request. This means that you would get back new tokens with each request, and you would have to send back different tokens each time. I wanted to be able to keep using the same tokens, so I turned it off by setting it to false.
Reusing your tokens is not the best security practice, so it may be better to use fresh tokens each time in production.
5. Disable forgery protection for JSON requests
Rails controllers have pre-set measures against Cross-Site Request Forgery (CSRF) attacks. This involves comparing tokens in the rendered HTML to tokens that Rails stores automatically in your session, but for APIs, we have no sessions and will use our own tokens so it's unnecessary (explained here).
It's important to remember that XML or JSON requests are also affected and if you're building an API you should change forgery protection method in ApplicationController (by default: :exception)
So go ahead and disable forgery check for JSON format requests, in app/controllers/application_controller.rb.
Note: Only do this if all your requests come in through your API.
class ApplicationController < ActionController::Base
protect_from_forgery unless: -> { request.format.json? }
end
Notes/Caveats
- Skipping this step should result in this error:
ActionController::InvalidAuthenticityToken in DeviseTokenAuth::RegistrationsController#create. - If your
ApplicationControllerinherits fromActionController::API(which should be the case if you initialized the project with the--apiflag), this step should be unnecessary as there is no forgery protection by default.
6. Try signing up a user
Now, let's try signing up a test user. Boot up your Rails server from the command line with rails s, and send a HTTP POST request to localhost:3000/auth/ (or your custom route) with the following parameters.
{
"email": "test@email.com",
"password": "password",
"password_confirmation": "password"
}
It should return status 200 - success. Now your authentication system works!
7. Add authentication to your controller
Next, add a line in the respective controller file to make authentication necessary. For example, let's say we're building an API for a database that stores information on books. We have the file books_controller.rb for adding or deleting books from the database. We want to authenticate the user before they add or delete entries.
class BooksController < ApiController
before_action :authenticate_user!
# Code for methods such as create and delete should come here.
end
Now, any time you send a HTTP request to any methods in your books controller, an error will be returned unless you're authenticated.
Actual Usage
I mentioned earlier that the HTTP request for signing up users is a POST request to localhost:3000/auth/. As for the full list of methods (e.g. logging users in/out, and changing their passwords), please refer to the docs. You can see what request type, route, and parameters are required.
Finally, let's talk about actual usage. Here are the steps involved:
- Send authentication request (sign up or sign in)
- Status 200 is returned, with valid authentication tokens in the headers
- In your next request, send those tokens in your headers
The required token categories are:
- access-token
- client
- uid
It's that simple!
I wanted to also discuss tips for testing, but since this is getting long, I will write that in a separate post. Thanks for reading :)
Update
Here is the article on testing!
Additional Update
It seems like the trackable module was dropped from the devise gem, which devise_token_auth is based on. So the default configuration in the User model, which includes :trackable, is likely to raise an error like this: NoMethodError: undefined method 'current_sign_in_at'.
For details on how to resolve this, see the links below:
Latest comments (37)
Hello everyone, I have two questions, I hope you can help me,
1.- How do I connect social login?
2.- How do I use the password recovery module from a mobile?
Can you help me with any suggestion?
I already saw the documentation, but it makes me confused especially in recovering password
Thank you
Thanks for the post.. But I am just wondering about how we can implement forgot password using this as I am unable to understand whatever is written in the documentation about this flow. That would be great if you add a post for that too.
Once logged in, how do I make requests using the generated token? For ex: A GET request: localhost:3000/clients
As written in the article - you set the token in your request headers!
I cannot create user. Am I supposed to use devise for registration instead?
However, creating user from the console then logging in works fine.
No, you should be able to use device_token_auth. Are you getting some kind of error message when you try to create a user by hitting the endpoint?
Sorry, my bad. Fixed it.
Great tutorial! Works fine with Rails 6.1.4 and Ruby 3.0.1
Thanks for the article! This file
config/initializers/devise_token_auth.rbIs important too, for example with the time life of a token
I had to do
require 'devise_token_auth'in the routes.rb file, otherwise I was getting this error:NoMethodError (undefined method `mount_devise_token_auth_for' for #ActionDispatch::Routing::Mapper:0x...)
Github issue here
Thanks for reading and for the comment! I'll add a note in the post :)
that
extend Devise::Modelsis on point and needs to be done for this to work. Thanks!Happy to hear it! :D
Hi. Thanks for the tutorial, but I have a little challenge customizing the session controller .... I will be glad if I can get a little assistance in that regard...
Jerry A.
jesyontop01@gmail.com
Hi, what kind of issue are you having? You'll probably have a better time asking on the devise_token_auth's Github issues or Stack Overflow, but maybe I could take a look!
Awesome post! Exactly what I was looking for.
Thanks for the comment, happy to hear it helped!
Some comments may only be visible to logged-in visitors. Sign in to view all comments. Some comments have been hidden by the post's author - find out more