This snippet shows how TokenAuthenticatable works in Devise today.
December 17, 2013 ยท View on GitHub
In case you want to maintain backwards compatibility, you can ditch
devise's token mechanism in favor of this hand-rolled one. If not,
it is recommended to migrate to the mechanism defined in the following
snippet (2_safe_token_authenticatable.rb).
In both snippets, we are assuming the User is the Devise model.
class User < ActiveRecord::Base
You likely have this before callback set up for the token.
before_save :ensure_authentication_token
def ensure_authentication_token if authentication_token.blank? self.authentication_token = generate_authentication_token end end
private
def generate_authentication_token loop do token = Devise.friendly_token break token unless User.where(authentication_token: token).first end end end
With a token setup, all you need to do is override
your application controller to also consider token
lookups:
class ApplicationController < ActionController::Base
This is our new function that comes before Devise's one
before_filter :authenticate_user_from_token!
This is Devise's authentication
before_filter :authenticate_user!
private
For this example, we are simply using token authentication
via parameters. However, anyone could use Rails's token
authentication features to get the token from a header.
def authenticate_user_from_token! user_token = params[:user_token].presence user = user_token && User.find_by_authentication_token(user_token.to_s)
if user
# Notice we are passing store false, so the user is not
# actually stored in the session and a token is needed
# for every request. If you want the token to work as a
# sign in token, you can simply remove store: false.
sign_in user, store: false
end
end end