Strategy for signing in a user, based on an authenticatable token. This works for both params and HTTP. For the former, all you need to do is to pass the params in the URL:
http://myapp.example.com/?user_token=SECRET
For headers, you can use basic authentication passing the token as username and blank password. Since some clients may require a password, you can pass “X” as password and it will simply be ignored.
You may also pass the token using the Token authentication mechanism provided by Rails:
api.rubyonrails.org/classes/ActionController/HttpAuthentication/Token.html
The token options are stored in request.env

    # File lib/devise/strategies/token_authenticatable.rb, line 26
    # Look up the resource by token; fail with :invalid_token when none matches.
    def authenticate!
      resource = mapping.to.find_for_token_authentication(authentication_hash)
      return fail(:invalid_token) unless resource

      if validate(resource)
        resource.after_token_authentication
        success!(resource)
      end
    end

    # File lib/devise/strategies/token_authenticatable.rb, line 18
    # Skip session storage when the model lists :token_auth in skip_session_storage.
    def store?
      super && !mapping.to.skip_session_storage.include?(:token_auth)
    end

    # File lib/devise/strategies/token_authenticatable.rb, line 22
    # Valid when the parent strategy's checks pass or a Token auth header is usable.
    def valid?
      super || valid_for_token_auth?
    end

Extract the auth token from the request.

    # File lib/devise/strategies/token_authenticatable.rb, line 64
    def auth_token
      @auth_token ||= ActionController::HttpAuthentication::Token.token_and_options(request)
    end

Overwrite authentication keys to use token_authentication_key.

    # File lib/devise/strategies/token_authenticatable.rb, line 84
    def authentication_keys
      @authentication_keys ||= [mapping.to.token_authentication_key]
    end

Try both scoped and non-scoped keys.

    # File lib/devise/strategies/token_authenticatable.rb, line 75
    def params_auth_hash
      if params[scope].kind_of?(Hash) && params[scope].has_key?(authentication_keys.first)
        params[scope]
      else
        params
      end
    end

Do not use remember_me behavior with token.

    # File lib/devise/strategies/token_authenticatable.rb, line 44
    def remember_me?
      false
    end

Extract a hash with attributes:values from the #auth_token.

    # File lib/devise/strategies/token_authenticatable.rb, line 69
    def token_auth_hash
      request.env['devise.token_options'] = auth_token.last
      { authentication_keys.first => auth_token.first }
    end

Check if the model accepts this strategy as token authenticatable.

    # File lib/devise/strategies/token_authenticatable.rb, line 49
    def token_authenticatable?
      mapping.to.http_authenticatable?(:token_options)
    end

Check if this strategy is valid for token authentication by:

* Validating if the model allows HTTP token authentication;
* If the HTTP auth token exists;
* If all authentication keys are present.

    # File lib/devise/strategies/token_authenticatable.rb, line 59
    def valid_for_token_auth?
      token_authenticatable? && auth_token.present? &&
        with_authentication_hash(:token_auth, token_auth_hash)
    end

Token Authenticatable can be authenticated with params in any controller and any verb.

    # File lib/devise/strategies/token_authenticatable.rb, line 39
    def valid_params_request?
      true
    end
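
The three token channels described above (URL params, scoped or not; Basic auth with the token as username; the Rails Token header with its options), shown end to end as an added example that is not Devise's own code. `extract_token`, `parse_token_header`, `TOKEN_KEY` and `SCOPE` are hypothetical names, the header parser is a simplified stand-in for Rails' `token_and_options`, and the params, Basic, Token order is an assumption.

```ruby
TOKEN_KEY = "user_token" # assumed token_authentication_key (from the page's URL example)
SCOPE     = "user"       # assumed scope name

# Simplified stand-in for Rails' Token.token_and_options: returns [token, options].
def parse_token_header(value)
  pairs = value.sub(/\AToken\s+/, "").split(/\s*,\s*/).map do |pair|
    key, val = pair.split("=", 2)
    [key.strip, val.to_s.strip.delete_prefix('"').delete_suffix('"')]
  end
  return nil unless pairs.first && pairs.first[0] == "token"
  [pairs.first[1], pairs.drop(1).to_h]
end

# Returns { token:, source:, options: }, or nil when no token was supplied.
def extract_token(params: {}, authorization: nil)
  # 1. Params: prefer the scoped hash, else the top level (as in params_auth_hash).
  scoped = params[SCOPE]
  source = scoped.is_a?(Hash) && scoped.key?(TOKEN_KEY) ? scoped : params
  return { token: source[TOKEN_KEY], source: :params, options: {} } if source[TOKEN_KEY]

  case authorization
  when /\ABasic\s+(.+)\z/
    # 2. Basic auth: the token travels as the username; the password is ignored.
    username, _password = $1.unpack1("m").split(":", 2)
    username.to_s.empty? ? nil : { token: username, source: :http_basic, options: {} }
  when /\AToken\s+/
    # 3. Token auth: the extra options are what the strategy keeps in request.env.
    token, options = parse_token_header(authorization)
    token && { token: token, source: :http_token, options: options }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample requests, not captured traffic.
  p extract_token(params: { "user" => { "user_token" => "SECRET" } })
  p extract_token(authorization: "Basic " + ["SECRET:X"].pack("m0"))
  p extract_token(authorization: 'Token token="SECRET", nonce="abc"')
end
```

Only the two header forms keep the token out of the URL, so of the three channels the params one is the one that puts the secret into request URLs.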