LightBox

Reputation: 3425

What is current_user when using session-less Devise?

I have disabled sessions in my Rails API with, for example, config.skip_session_storage = [:http_auth, :token_auth]

Does it make sense to "log out" of the API? If it does, how can I get current_user? The code below either throws a current_user = nil error or the warden.authenticate! call fails.

class Api::V1::SessionsController < Devise::SessionsController

  def create
    # create token
  end

  def destroy
    # We don't need this because the user is authenticated by the token.
    warden.authenticate!(:scope => resource_name, :store => false, :recall => "#{controller_path}#failure")
    current_user.reset_authentication_token!
    render :status => 200,
           :json => { :success => true,
                      :info => t("devise.sessions.signed_out"),
                      :data => {} }
  end
end

Upvotes: 1

Views: 467

Answers (1)

Tyler

Reputation: 11509

An API has no state because it's not relying on the browser to cache anything. Typically, if you want to secure an API, you give each user some kind of access token (via the rendered HTML or in the JavaScript directly; see the gon gem) and then operate the API over SSL, requiring each call to carry that access token.

For example, you could call https://mysite.com/api/v1/users?token=...

And then get the current_user based on that token.

Alternatively, you can include the token in your header whenever you make an API call. Either way, you will want to secure it with SSL so that nobody routing the request (e.g. a fake Starbucks Wi-Fi) can sniff the request, grab the token, and use it themselves.

Upvotes: 1
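The following is an added example, not code from the question, the answer, Devise or Rails. It shows in plain Ruby what the two posts describe: without a session, current_user is simply "whichever user this token maps to", and "logout" means revoking the token so later requests carrying it are rejected. It also shows the two ways the answer mentions for presenting the token (query string vs. Authorization header), reading both from a Rack-style env hash. The TokenAuth class, its method names, extract_token and the user id 42 are all illustrative assumptions; the store keeps only a SHA-256 digest of each token so a leaked store does not leak usable credentials.

```ruby
require 'securerandom'
require 'digest'
require 'uri'

# Added example (not from the question or answer): a minimal token store that
# plays the role Devise's token_auth strategy plays for the API controller.
# Names are illustrative; nothing here depends on Rails or Devise.
class TokenAuth
  def initialize
    @users_by_digest = {} # SHA-256(token) => user id; raw tokens are never stored
  end

  # Issue a fresh random token for a user. The raw token is returned exactly
  # once, for the client to keep; the server keeps only its digest.
  def issue(user_id)
    token = SecureRandom.urlsafe_base64(32)
    @users_by_digest[digest(token)] = user_id
    token
  end

  # The session-less equivalent of current_user: map the presented token back
  # to a user, or nil when the token is missing, unknown or already revoked.
  def current_user(token)
    return nil if token.nil? || token.empty?
    @users_by_digest[digest(token)]
  end

  # "Logout" for a token-authenticated API: revoke the token so subsequent
  # requests carrying it fail. Returns true if a token was actually revoked.
  def revoke(token)
    !@users_by_digest.delete(digest(token)).nil?
  end

  private

  def digest(token)
    Digest::SHA256.hexdigest(token)
  end
end

# Pull the token out of a Rack-style env. The Authorization header is checked
# first; ?token=... is accepted as a fallback. The query-string form is the one
# that tends to end up in web-server and proxy access logs, which is a reason
# to prefer the header form even when both travel over TLS.
def extract_token(env)
  auth = env['HTTP_AUTHORIZATION'].to_s
  return auth.sub('Bearer ', '').strip if auth.start_with?('Bearer ')

  params = URI.decode_www_form(env['QUERY_STRING'].to_s).to_h
  params['token']
end

# Walk the flow from the question: create (issue token) -> authenticated
# calls -> destroy (revoke token) -> the old token no longer identifies anyone.
def demo
  auth = TokenAuth.new
  token = auth.issue(42) # constructed user id

  header_env = { 'HTTP_AUTHORIZATION' => "Bearer #{token}", 'QUERY_STRING' => '' }
  query_env  = { 'QUERY_STRING' => "token=#{token}" }

  before  = [auth.current_user(extract_token(header_env)),
             auth.current_user(extract_token(query_env))]
  revoked = auth.revoke(token)
  after   = auth.current_user(extract_token(header_env))

  { before: before, revoked: revoked, after: after }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

In the question's destroy action, current_user.reset_authentication_token! is the Devise equivalent of revoke here: it is the warden.authenticate! lookup (the current_user step) that has to succeed first, using the token from the request, and only then can the token be rotated. If that lookup fails, the request simply was not carrying a valid token, and there is nothing to log out.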
