With the default configuration of devise token auth, uid
is identical to the user's email and is mandatory to find the current user. But my requirement is that I need to hide uid
in the HTTP header in requests and responses due to security risk. Is this possible?

Rasna Shakya
- The only time the client sends its credentials is when they are trading them for a token. In that case they are sent in the body of the POST request. I don't see how placing the credentials in a header makes any kind of difference when it comes to man-in-the-middle attacks. – max Sep 13 '18 at 12:10
- But this is a requirement. Is this possible? – Rasna Shakya Sep 14 '18 at 10:56
- Yeah, you could use [Warden Basic Auth](https://github.com/opf/warden-basic_auth) or write your own Warden strategy. However, you will need to learn a bit about how Warden works and its role in Devise. – max Sep 14 '18 at 11:38
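The approach max's last comment points at (a custom strategy that finds the user without a uid header), as an added example that is not part of the question or comments and is not devise_token_auth's or Warden's code: devise_token_auth keeps each user's tokens bcrypt-hashed inside that user's record, so it needs the uid to load the record first; a store keyed by a SHA-256 digest of the token lets the server resolve the user from the token alone. It assumes devise_token_auth's default header names `access-token` and `client`, and a constructed in-memory hash standing in for an indexed database column.

```ruby
require 'digest'
require 'securerandom'

# Added example (not devise_token_auth or Warden code): a token store that
# locates the user from the 'access-token' and 'client' headers alone, so no
# uid/email header has to travel in requests or responses.
class TokenStore
  Record = Struct.new(:user_id, :client, :expires_at)

  def initialize(ttl_seconds: 14 * 24 * 3600)
    @by_digest = {} # SHA-256(token) => Record; constructed stand-in for a DB table
    @ttl = ttl_seconds
  end

  # Called once, after the login POST body has been verified; returns the
  # headers the client will replay on later requests.
  def issue(user_id, now: Time.now)
    token  = SecureRandom.urlsafe_base64(32)
    client = SecureRandom.urlsafe_base64(16)
    @by_digest[digest(token)] = Record.new(user_id, client, now + @ttl)
    { 'access-token' => token, 'client' => client }
  end

  # Resolves the current user from request headers; nil means unauthenticated.
  # Looking up by digest means a stored token can never be compared byte-by-byte
  # against attacker input, and a DB dump only exposes digests, not usable tokens.
  def authenticate(headers, now: Time.now)
    token = headers['access-token'].to_s
    return nil if token.empty?
    key = digest(token)
    rec = @by_digest[key]
    return nil if rec.nil?
    # Hash both sides before comparing so an early-exit string compare
    # cannot leak the client id through timing.
    return nil unless digest(rec.client) == digest(headers['client'].to_s)
    if rec.expires_at <= now
      @by_digest.delete(key) # expired tokens are dropped on first sight
      return nil
    end
    rec.user_id
  end

  private

  def digest(value)
    Digest::SHA256.hexdigest(value)
  end
end
```

A custom Warden strategy would wrap `authenticate` and call `success!` with the loaded user, while the login endpoint still receives the credentials once in the POST body, as max describes.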