This snippet shows how TokenAuthenticatable works in Devise today.

December 17, 2013 ยท View on GitHub

In case you want to maintain backwards compatibility, you can ditch

devise's token mechanism in favor of this hand-rolled one. If not,

it is recommended to migrate to the mechanism defined in the following

snippet (2_safe_token_authenticatable.rb).

In both snippets, we are assuming the User is the Devise model.

class User < ActiveRecord::Base

You likely have this before callback set up for the token.

before_save :ensure_authentication_token

def ensure_authentication_token if authentication_token.blank? self.authentication_token = generate_authentication_token end end

private

def generate_authentication_token loop do token = Devise.friendly_token break token unless User.where(authentication_token: token).first end end end

With a token setup, all you need to do is override

your application controller to also consider token

lookups:

class ApplicationController < ActionController::Base

This is our new function that comes before Devise's one

before_filter :authenticate_user_from_token!

This is Devise's authentication

before_filter :authenticate_user!

private

For this example, we are simply using token authentication

via parameters. However, anyone could use Rails's token

authentication features to get the token from a header.

def authenticate_user_from_token! user_token = params[:user_token].presence user = user_token && User.find_by_authentication_token(user_token.to_s)

if user
  # Notice we are passing store false, so the user is not
  # actually stored in the session and a token is needed
  # for every request. If you want the token to work as a
  # sign in token, you can simply remove store: false.
  sign_in user, store: false
end

end end