Reputation: 10888
I am using the Devise gem for web authentication in my application.
Now I am about to write a mobile app for my application, which includes a sign-in / sign-up process.
What is the correct way to sign in a user and authenticate each call made by the user from the mobile app?
Which of the strategies below is correct? (I am not sure which method to follow to be more secure.)
Note: You can view the above image at https://i.sstatic.net/I13uT.png (it will be clearer).
FYI: I am using Titanium to develop the mobile app, and my backend server runs a Rails app.
Upvotes: 3
Views: 1951
Reputation: 2432
I'm not sure how #1 is secure at all since none of the subsequent requests are signed in any way. If someone knew the file structure of your app they could just access it that way, right?
With Devise, you can set an attribute on your User model to allow users to be authenticated via token:
class User < ActiveRecord::Base
  # :database_authenticatable handles the email/password sign-in; :token_authenticatable
  # (Devise < 3.1) looks users up by the authentication_token column, which needs a migration.
  devise :database_authenticatable, :token_authenticatable
  # Generate a token on save so every user has one to hand to the mobile app.
  before_save :ensure_authentication_token
  # there are other details and options on this, but this is the relevant piece
end
On each controller you can also verify that the user is authenticated by including before_filter :authenticate_user! at the beginning:
class PostsController < ActionController::Base
  # Devise's helper: renders 401 / redirects unless the request carries a valid session or token.
  # (before_filter is the Rails 3 name; Rails 4+ calls it before_action.)
  before_filter :authenticate_user!
end
When making requests from the mobile app, include the auth_token in the request so that the Rails app can authenticate before responding.
Beyond authentication, you may also be interested in something like CanCan to handle authorization as well.
Upvotes: 2
Reputation: 4520
Model #1 isn't secure; you aren't passing any sort of authentication on subsequent requests to validate that the user is still who they say they are.
What I'm presuming you really want to know is: what's the best way to verify the user is who they say they are after logging in? I've answered this previously in Exposing Rails/Devise Authentication to iOS application, and the same answer applies here.
Using token authentication in Devise will match model #2, and it is also the most secure, since you exchange the username/password for a token rather than having to store their username and password and reuse them with every request.
Upvotes: 3
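Both answers describe the same flow (model #2): the client sends the username and password exactly once, gets back a random token, and every later request carries only that token, which the server checks before responding. The following is an added example that is not from the original question or answers and is not Devise's code: a plain-Ruby, in-memory model of that server side, with no Rails or Devise required, so it runs offline. The class and method names, the X-Auth-Token header, and the constructed user data are assumptions for illustration. The token lookup compares in constant time rather than by a plain database lookup, which is the weakness Devise cited when it later removed :token_authenticatable in 3.1.

```ruby
require 'securerandom'
require 'openssl'

# Added example (not from the original page or from Devise): a minimal server-side
# model of "exchange credentials once for a token, then authenticate every later
# request by the token". An in-memory Hash stands in for the users table.
class TokenAuthService
  PBKDF2_ITERATIONS = 20_000
  HASH_BYTES = 32

  def initialize
    @users = {} # email => { salt:, password_hash:, token: }
  end

  # Store a salted PBKDF2 hash of the password, never the password itself.
  def register(email, password)
    salt = SecureRandom.random_bytes(16)
    @users[email] = { salt: salt, password_hash: hash_password(password, salt), token: nil }
    true
  end

  # The only request that carries credentials (the "sign in" call from the app).
  # On success the client receives a random bearer token and should drop the password.
  # Returns nil on bad email or password so the caller can answer 401.
  def sign_in(email, password)
    user = @users[email]
    return nil if user.nil?
    candidate = hash_password(password, user[:salt])
    return nil unless secure_compare(candidate, user[:password_hash])
    user[:token] = SecureRandom.urlsafe_base64(32)
  end

  # Equivalent of before_filter :authenticate_user! for every other request.
  # Returns the authenticated user's email, or nil (reject with 401).
  # A request with no token at all, as in model #1, is simply refused.
  def authenticate_request(headers)
    token = headers['X-Auth-Token'].to_s
    return nil if token.empty?
    # Constant-time comparison against every issued token instead of an indexed
    # lookup, so a near-miss token cannot be told apart from a miss by timing.
    match = nil
    @users.each do |email, user|
      next if user[:token].nil?
      match = email if secure_compare(token, user[:token])
    end
    match
  end

  # Revoking the token invalidates every copy of it; a stored password cannot be
  # revoked this way, which is the other reason tokens beat replayed credentials.
  def sign_out(email)
    @users[email][:token] = nil if @users.key?(email)
  end

  private

  def hash_password(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, PBKDF2_ITERATIONS, HASH_BYTES,
                               OpenSSL::Digest.new('SHA256'))
  end

  # Constant-time equality for two byte strings of the same length.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

# Walk-through with a constructed account (not real credentials).
svc = TokenAuthService.new
svc.register('alice@example.com', 'correct horse battery staple')
token = svc.sign_in('alice@example.com', 'correct horse battery staple')
puts "issued token: #{token}"
puts "request with token   -> #{svc.authenticate_request('X-Auth-Token' => token).inspect}"
puts "request without token -> #{svc.authenticate_request({}).inspect}"
svc.sign_out('alice@example.com')
puts "after sign-out       -> #{svc.authenticate_request('X-Auth-Token' => token).inspect}"
```

In a real Devise app the token column and `ensure_authentication_token` take the place of the Hash and `sign_in`, and `authenticate_user!` plays the role of `authenticate_request`; the point the example adds is that the password is checked once, the token is random and revocable, and a request carrying neither is rejected outright.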