
I have a working devise user with connected omniauth identity and everything works fine. The problem is that I want to disable sessions and use stateless token authentication. I tried simple_token_authentication and devise_token_auth and experienced a lot of problems with both. Simple token auth was easy to add and I set config.skip_session_storage = [:token_auth], but I still had session in my requests and no tokens.

With devise_token_auth everything got messy and I wasn't able to get it to work. I had problems with duplicated routes. Disabling devise_for helped, but this way I disabled everything I have done so far and even then it would not work.

I don't know how to approach this problem, whether to use one of these gems or disable sessions and write some token handling manually (but using a gem seems safer to me). I don't want to set everything up from the beginning, but maybe it is the only way.

I know that my question seems a bit imprecise, but I am really confused now. I will post some code parts or error messages if you need something specific.

  • I think rolling your own tokenizer may be the best since it sounds like rigging these gems to meet your needs is taking up a lot of your time. What is leading you to drop sessions? – bkunzi01 May 26 '16 at 19:11
  • You might want to try [Knock](https://github.com/nsarno/knock), it's a minimal JWT token authentication system. Tried it after devise_token_auth and quite a few other token auth solutions and was positively surprised. – max May 26 '16 at 22:23
  • It all depends on your requirements though. Are you building an API only app? Do you need OAuth or just email/password? For an API application Devise is totally over-bloated imho. The same with OmniAuth Identity unless you are doing OAuth as well. – max May 26 '16 at 22:32
  • I want API and normal website in one place. I use omniauth to sign in with Facebook and Google. I don't have to drop sessions, I just thought it might be a good idea to authenticate both API and Web app the same way, as they will share most of the code and I don't really need sessions. – FunkyFrankie May 26 '16 at 23:55
  • Maybe I should use most of devise actions and only replace login, logout and authentication with some token providing gem (or overwrite it with my own tokenizer)? What do you think? – FunkyFrankie May 27 '16 at 17:34
  • I will leave sessions for browser and use tokens for API for mobile app. I used simple_token_authentication. Does it mean I have to create a different sign in action for API or if I request the same action but with format json it will give me token instead of setting a session cookie? What about logout? Is it enough to delete token stored in the mobile client without any additional request? Or should I inform the API that I am getting rid of the token? – FunkyFrankie May 28 '16 at 16:03
  • Same here. I tried devise_token_auth and found it's session-based. So disappointed. – Weibo Chen Jun 09 '17 at 13:53

0 Answers