I am building a Ruby on Rails (Rails v4.2.3 and Ruby 2.2.2) app which consumes an existing REST API. The aforementioned API is written in PHP. I need help regarding how to manage the authentication.

On searching through various forums I came across these two gems:

  1. https://github.com/lynndylanhurley/devise_token_auth
  2. https://github.com/gonzalo-bulnes/simple_token_authentication

The problem I am facing with both is that they require my app to have a users model configured (using Devise).

However, my app is primarily a front end for the existing REST API, so if I do configure my own User model, I will end up with two data stores (one for the app I make and the other for the existing API).

I wish to consume the external API and not have any native models for my app.

I believe I can use ActiveResource for this (I need more reputation points to post a link to the gem, sorry I cannot do that right now, I am new to StackOverflow).

However, I am not sure how to go about managing the security of the application. More specifically, what measures can I take to prevent the authentication information from being viewed in plaintext while it is being transmitted to my API server for authentication?

Thank you.

  • Are you sure Rails is really the right tool? You might want to use a SPA like ember or angular instead. If you are creating an app which only consumes an API doing rendering in the client could give a much better experience. – max Mar 14 '16 at 10:09
  • @max Well, you do have a point there, however it is only at this point that I need to use an external API. Extensions to the application may be such that we may have to build parts that do require Rails models, etc. We are still carrying out a feasibility study since the existing content is inherited from other entities. Thank you for your response though. It gives me better insight regarding the technical feasibility analysis that I must carry out :-) – Akshay Pardhanani Mar 14 '16 at 10:26

1 Answer

Use HTTPS on your API. If your external API is using HTTPS then user info wouldn't be sent in plaintext from your Rails app.

Don't forget to use HTTPS for your Rails app too, as that is more important.

Kevin Y
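An added example, not part of the original answer or of any gem mentioned above: a minimal Ruby client that forwards login credentials to the external API only over HTTPS with certificate verification, without a local User model. The URL, the `email`/`password` field names and the `token` response field are assumptions, since the page does not describe the PHP API's login route.

```ruby
require "net/http"
require "uri"
require "json"
require "openssl"

# Hypothetical endpoint; the page does not give the API's URL or login route.
API_LOGIN_URL = "https://api.example.com/login"

class InsecureEndpointError < StandardError; end

# Build a client that refuses plain HTTP and verifies the server certificate.
def build_api_client(url)
  uri = URI.parse(url)
  unless uri.is_a?(URI::HTTPS)
    raise InsecureEndpointError, "refusing to send credentials to non-HTTPS URL: #{url}"
  end
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = true
  # VERIFY_PEER checks the certificate chain and hostname; with VERIFY_NONE
  # the traffic is encrypted but can still be intercepted by a man in the middle.
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.open_timeout = 5
  http.read_timeout = 10
  http
end

# Credentials go in the POST body, never in the query string, so they do not
# end up in URLs, proxy logs or web server access logs.
def build_login_request(url, email, password)
  uri = URI.parse(url)
  req = Net::HTTP::Post.new(uri.request_uri,
                            "Content-Type" => "application/json",
                            "Accept" => "application/json")
  req.body = JSON.generate(email: email, password: password) # assumed field names
  req
end

# Returns the token issued by the API, or nil when the login is rejected.
def authenticate(url, email, password)
  res = build_api_client(url).request(build_login_request(url, email, password))
  return nil unless res.is_a?(Net::HTTPSuccess)
  JSON.parse(res.body)["token"] # assumed response field
end
```

In a Rails controller the returned token would be kept in the server-side session and the password discarded; `config.force_ssl = true` in the Rails app covers the browser-to-Rails leg the answer calls more important.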