39

I'm starting using Devise in my Rails app, but the Token Authenticatable: signs in a user based on an authentication token (also known as "single access token") module puzzles me.

Is the user authenticated only for his current session? If he uses now the URL containing the token, can he re-use it at a later tine and still have access, or does he get a single access?

Can multiple users be authenticated at the same time, using the same token?

I have searched extensively for a working example; please forgive me if this is explained elsewhere. Any pointers would be more than welcomed. Thanks for your help.

Marius Butuc
  • 17,781
  • 22
  • 77
  • 111

1 Answers1

25

The short answer is: it's up to you.

This module only provides a few helpers to help you manage the token, but it is up to you to choose how to use it. For example, if you want to have a new token every time the user saves his account, you can do the following:

before_save :reset_authentication_token

On the other hand, if you want to generate token unless one exists, you should use instead:

before_save :ensure_authentication_token

If you want to delete the token after it is used, you can do so in the after_token_authentication callback.

See the documentation for this model at http://rdoc.info/github/plataformatec/devise/master/Devise/Models/TokenAuthenticatable.

Michelle Tilley
  • 157,729
  • 40
  • 374
  • 311
  • I also use devise and tokens and it works great for almost every action in my API but if the user needs to change data in the user object for example name or email he needs to login. In all other parts it works with just the token. How can I fix this? – Jonathan Clark May 23 '11 at 11:22
  • 2
    @Jonathan - is that happening because you're reseting the authentication token any time the user is saved, thereby invalidating your currently stored token? – Matt Huggins Jul 21 '11 at 22:07