Tiddle provides Devise strategy for token authentication in API-only Ruby on Rails applications. Its main feature is support for multiple tokens per user.
Tiddle is lightweight and non-configurable. It does what it has to do and leaves some manual implementation to you.
Add this line to your application's Gemfile:
gem 'tiddle'
And then execute:
$ bundle
:token_authenticatable inside your Devise-enabled model:class User < ActiveRecord::Base
devise :database_authenticatable, :registerable,
:recoverable, :trackable, :validatable,
:token_authenticatable
end
authentication_tokens.rails g model AuthenticationToken body:string:index user:references last_used_at:datetime expires_in:integer ip_address:string user_agent:string
class User < ActiveRecord::Base
has_many :authentication_tokens
end
body, last_used_at, ip_address and user_agent fields are required.
Devise::SessionsController. You need to create and return token in #create and expire the token in #destroy.class Users::SessionsController < Devise::SessionsController
def create
user = warden.authenticate!(auth_options)
token = Tiddle.create_and_return_token(user, request)
render json: { authentication_token: token }
end
def destroy
Tiddle.expire_token(current_user, request) if current_user
render json: {}
end
private
# this is invoked before destroy and we have to override it
def verify_signed_out_user
end
end
class PostsController < ApplicationController
before_action :authenticate_user!
def index
render json: Post.all
end
end
X-USER-EMAIL and X-USER-TOKEN as headers of every request which requires authentication.You can read more in a blog post dedicated to Tiddle - https://blog.sundaycoding.com/blog/2015/04/04/token-authentication-with-tiddle/
The safest solution in API-only application is not to rely on Rails session at all and disable it. Put this line in your application.rb:
config.middleware.delete ActionDispatch::Session::CookieStore
More: https://blog.sundaycoding.com/blog/2015/04/04/token-authentication-with-tiddle/#rails-session
Change config.authentication_keys in Devise intitializer and Tiddle will use this value.
Usually it makes sense to remove user's tokens after a password change. Depending on the project and on your taste, this can be done using various methods like running user.authentication_tokens.destroy_all after the password change or with an after_save callback in your model which runs authentication_tokens.destroy_all if encrypted_password_changed?.
In case of a security breach, remove all existing tokens.
Tokens are expiring after certain period of inactivity. This behavior is optional. If you want your token to expire, create it passing expires_in option:
token = Tiddle.create_and_return_token(user, request, expires_in: 1.month)
FAQs
Unknown package
We found that tiddle demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
OpenSSF has published OSPS Baseline, an initiative designed to establish a minimum set of security-related best practices for open source software projects.
Security News
Michigan TypeScript founder Dimitri Mitropoulos implements WebAssembly runtime in TypeScript types, enabling Doom to run after processing 177 terabytes of type definitions.
Security News
vlt's new "reproduce" tool verifies npm packages against their source code, outperforming traditional provenance adoption in the JavaScript ecosystem.