Tiddle provides a Devise strategy for token authentication in API-only Ruby on Rails applications. Its main feature is support for multiple tokens per user.
Tiddle is lightweight and non-configurable. It does what it has to do and leaves some manual implementation to you.
Add this line to your application's Gemfile:
gem 'tiddle'
And then execute:
$ bundle
Add :token_authenticatable inside your Devise-enabled model:
class User < ActiveRecord::Base
  devise :database_authenticatable, :registerable,
         :recoverable, :trackable, :validatable,
         :token_authenticatable
end
Generate a model for storing the authentication_tokens:
$ rails g model AuthenticationToken body:string:index user:references last_used_at:datetime expires_in:integer ip_address:string user_agent:string
Add the association to your User model:
class User < ActiveRecord::Base
  has_many :authentication_tokens
end
The body, last_used_at, ip_address and user_agent fields are required.
Customize Devise::SessionsController. You need to create and return a token in #create and expire the token in #destroy:
class Users::SessionsController < Devise::SessionsController
  def create
    user = warden.authenticate!(auth_options)
    token = Tiddle.create_and_return_token(user, request)
    render json: { authentication_token: token }
  end

  def destroy
    Tiddle.expire_token(current_user, request) if current_user
    render json: {}
  end

  private

  # this is invoked before destroy and we have to override it
  def verify_signed_out_user
  end
end
Protect the controllers that require authentication with Devise's authenticate_user!:
class PostsController < ApplicationController
  before_action :authenticate_user!

  def index
    render json: Post.all
  end
end
The client sends X-USER-EMAIL and X-USER-TOKEN as headers of every request which requires authentication. You can read more in a blog post dedicated to Tiddle: https://blog.sundaycoding.com/blog/2015/04/04/token-authentication-with-tiddle/
The safest solution in an API-only application is not to rely on the Rails session at all and to disable it. Put this line in your application.rb:
config.middleware.delete ActionDispatch::Session::CookieStore
More: https://blog.sundaycoding.com/blog/2015/04/04/token-authentication-with-tiddle/#rails-session
If your users authenticate with a key other than email, change config.authentication_keys in the Devise initializer and Tiddle will use that value.
Usually it makes sense to remove a user's tokens after a password change. Depending on the project and on your taste, this can be done using various methods, like running user.authentication_tokens.destroy_all after the password change, or with an after_save callback in your model which runs authentication_tokens.destroy_all if encrypted_password_changed?.
In case of a security breach, remove all existing tokens.
Tokens expire after a certain period of inactivity. This behavior is optional: if you want a token to expire, create it passing the expires_in option:
token = Tiddle.create_and_return_token(user, request, expires_in: 1.month)
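The token lifecycle this page describes (several tokens per user, expiring only the presented token on sign-out, inactivity expiry via expires_in, and revoking every token after a password change or a breach) as an added, stand-alone illustration. This is not Tiddle's code: it keeps tokens in memory instead of the authentication_tokens table, and the injectable clock is an assumption made so inactivity expiry can be exercised without waiting.

```ruby
require 'securerandom'
require 'digest'

# In-memory model of the token semantics described above (not Tiddle's own
# implementation). Tokens are keyed by user so one user can hold many.
class TokenStore
  Token = Struct.new(:user, :digest, :last_used_at, :expires_in)

  # The clock is injectable (assumption for testability) so inactivity expiry
  # can be driven deterministically.
  def initialize(clock: -> { Time.now })
    @clock = clock
    @tokens = []
  end

  # Issue a random token; only its SHA-256 digest is kept server-side, so a
  # leaked table does not hand out usable credentials.
  def create_and_return_token(user, expires_in: nil)
    body = SecureRandom.urlsafe_base64(32)
    @tokens << Token.new(user, Digest::SHA256.hexdigest(body), @clock.call, expires_in)
    body
  end

  # Returns the user when the token matches and has not been idle longer than
  # expires_in (seconds). A successful check refreshes last_used_at; a stale
  # token is deleted rather than reactivated.
  def authenticate(user, body)
    token = tokens_for(user).find { |t| secure_equal?(t.digest, Digest::SHA256.hexdigest(body)) }
    return nil unless token
    if token.expires_in && @clock.call - token.last_used_at > token.expires_in
      @tokens.delete(token)
      return nil
    end
    token.last_used_at = @clock.call
    user
  end

  # Sign-out: drop only the presented token; the user's other devices stay logged in.
  def expire_token(user, body)
    @tokens.reject! { |t| t.user == user && secure_equal?(t.digest, Digest::SHA256.hexdigest(body)) }
  end

  # Password change or breach response: revoke every token the user has.
  def destroy_all(user)
    @tokens.reject! { |t| t.user == user }
  end

  def count_for(user)
    tokens_for(user).size
  end

  private

  def tokens_for(user)
    @tokens.select { |t| t.user == user }
  end

  # Constant-time comparison of two equal-length hex digests.
  def secure_equal?(a, b)
    a.bytesize == b.bytesize && a.bytes.zip(b.bytes).sum { |x, y| x ^ y }.zero?
  end
end
```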