Token authentication

Hi all, I’m building my first project in RoR, and I’m now looking into
authentication. A lot of the posts online recommended Devise, so I’m
looking into that.
I require authentication for an HTML website and a JSON API, and I’m using
Ruby 1.9.3 and Rails 4.1.4. Now I have seen that Devise has
removed TokenAuthenticatable. Is Devise still a good option for token
authentication, or are there better options?

I have seen some custom implementations of token authentication with
Devise, but I’m reluctant to use these; security is one of those areas
where I try not to hack together my own code. My users trust me with their
personal information, and I think I should respect that trust by using a
mature solution, which has the best chance of keeping their data secure.

Just to be clear, I’m not running a bank or handling medical data, but
still I don’t want to implement the first snippet of code that I see and
risk leaking my users’ data.

Could someone offer me some advice?

Regards,

Sander

On Wednesday, 3 September 2014 14:41:30 UTC-4, Sander Obdeijn wrote:


Some info on token_authenticatable, direct from Jose Valim:

A gemified version of it, recently extracted:

I’ve used the Gist version in a production app.

–Matt J.

I think you can implement that yourself along with Devise. Since you get
so much with devise I would do that if it were me.

Last time I discussed this with business people, the need for the token
auth outweighed the security considerations. We ameliorated this by 1)
making the token expire 7 days after you generate it, and 2) making it
automatically expire the moment it is used.

Also, if you send that sh*t over email then you’re still transmitting it
in plain-text, which is susceptible to MITM. But the limits we put in
made us confident this was an acceptable middle-ground.

Then again, if you’re storing celebrities’ naked pictures of themselves,
you might want to reconsider :wink:

-Jason

No, only my own private ‘au naturel’ pictures will be hosted.

I’m looking at the gem, but I can’t find how to request a token after you
have implemented it. Is there more documentation about using the token
authentication?

On Thursday, 4 September 2014 17:20:05 UTC+2, Jason FB wrote:

Sander, devise (GitHub - heartcombo/devise: Flexible authentication solution for Rails with Warden) + doorkeeper (GitHub - doorkeeper-gem/doorkeeper: Doorkeeper is an OAuth 2 provider for Ruby on Rails / Grape) may work well for your case.
Doorkeeper is based on the OAuth specs, which are pretty solid for token-based
auth. A Google search involving both gems would give you enough
material to get started. Good luck!