Devise and API only configuration #4997

Closed
mits87 opened this issue Dec 31, 2018 · 5 comments

@mits87

mits87 commented Dec 31, 2018

Hello,

First of all, thank you for a really good job!
I always use the Devise plugin when I need an auth layer in my application.
But in my last few projects I used Rails API only, and I always have the same problems configuring Devise in a "nice" way.

  1. The first thing is routing.
    Maybe there should be some option in the Devise config like config.api_only = true which will automatically create the correct routes (without view routes).

Now, I must do something like this:

  devise_for :users, skip: :all

  devise_scope :user do
    scope :auth, defaults: { format: :json } do
      post   '/signin',       to: 'sessions#create'
      delete '/signout',      to: 'sessions#destroy'
      post   '/signup',       to: 'registrations#create'
      put    '/account',      to: 'registrations#update'
      delete '/account',      to: 'registrations#destroy'
      put    '/password',     to: 'devise/passwords#update'
      post   '/password',     to: 'devise/passwords#create'
      get    '/confirmation', to: 'devise/confirmations#show'
      post   '/unlock',       to: 'devise/unlocks#create'
      get    '/unlock',       to: 'devise/unlocks#show'
    end
  end
  2. Default responders:

Currently, I must change my ApplicationController.rb like this:

class ApplicationController < ActionController::API
  include ActionController::MimeResponds

  respond_to :json
end

I think it should also be in the gem.
And of course api_only = true should also disable all flash messages, redirections, etc.

  3. Last thing - JWT authentication.

Most API applications use JWT authentication. I think it would be really good if Devise provided some "right" solution to generate and invalidate JWT tokens. Maybe something like Warden JWT Auth?

Again, thank you, and I wish you all the best.

@tegon
Member

tegon commented Jan 2, 2019

Hello @mits87, thanks for the issue.

Unfortunately, Devise does not support API-only applications out of the box. There are no plans to do so any time soon - the effort would be too big and we can't afford it right now.

I think there are some other gems that you can include together with Devise that would help you with the things you mentioned. I don't know all of them, but I do know https://github.com/waiting-for-dev/devise-jwt, for example.

@juni0r

juni0r commented Mar 2, 2020

Just wanted to share my experience with using JWT for sessions since it was mentioned here. JWT most probably isn't what you want to use. I found this oft-cited article to be great advice. As always, YMMV, but I strongly suggest you read it.

@toomanyjoes

@mits87 I'm curious if you're still using devise for this or if you found a better alternative? I assume what you're doing is setting up a kind of authentication api service and using devise as the backend?

@Sticksword

I am also curious

@juni0r

juni0r commented Apr 24, 2021

I ended up using devise_token_auth which uses an access token that is refreshed with every request. There are some client-side auth libraries that work with it right out of the box.

I wrote a custom one which is as trivial as adding a global request interceptor to Axios for injecting the auth token into every request and reading the refreshed token from the response headers. It works very well and reliably and allows you to continue using Devise while not abusing JWT for sessions.

Sorry @toomanyjoes, I'm afraid I didn't catch your earlier message 😕
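
The interceptor approach described in the comment above, sketched as an added example that is not part of the thread and is not juni0r's or the devise_token_auth project's code. The header names are the ones devise_token_auth uses; the in-memory store, the function names, and the choice to treat a missing or blank `access-token` header as "no rotation" are assumptions of this sketch.

```javascript
// Added example. Header names are devise_token_auth's; the store is hypothetical.
const AUTH_HEADERS = ['access-token', 'client', 'uid', 'expiry', 'token-type'];

// In-memory credential holder (assumption: swap for your app's own storage).
function createStore() {
  let creds = null;
  return { get: () => creds, set: (c) => { creds = c; } };
}

// Request interceptor body: copy the current credentials onto the request.
function attachAuth(config, store) {
  const creds = store.get();
  if (!creds) return config;
  config.headers = config.headers || {};
  for (const name of AUTH_HEADERS) {
    if (creds[name] != null) config.headers[name] = creds[name];
  }
  return config;
}

// Response interceptor body: adopt a rotated token only when one is actually
// present and it is not older than the token already held.
function captureRotatedToken(response, store) {
  const h = response.headers || {};
  const token = String(h['access-token'] || '').trim();
  if (!token) return response; // missing or blank header: keep current token
  const current = store.get();
  const expiry = Number(h['expiry']);
  if (current && Number.isFinite(expiry) && expiry < Number(current.expiry)) {
    return response; // an older response arrived late: do not roll back
  }
  const next = { ...(current || {}) };
  for (const name of AUTH_HEADERS) {
    if (h[name] != null) next[name] = String(h[name]).trim();
  }
  store.set(next);
  return response;
}

// Constructed responses (not real traffic) replayed through the handlers.
function demo() {
  const store = createStore();
  const reply = (t, e) => ({ headers: { 'access-token': t, expiry: e, client: 'c1', uid: 'u@example.test' } });
  captureRotatedToken(reply('tok-A', '1000'), store);   // sign-in
  captureRotatedToken(reply('tok-B', '2000'), store);   // rotated token
  captureRotatedToken(reply(' ', '2000'), store);       // blank header
  captureRotatedToken(reply('tok-old', '1500'), store); // late, older response
  return attachAuth({ url: '/account', headers: {} }, store).headers;
}
```

With Axios these would be registered as `axios.interceptors.request.use((c) => attachAuth(c, store))` and `axios.interceptors.response.use((r) => captureRotatedToken(r, store))`.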
