
I have a rails application, and I authenticate users to the application using Devise.

The question is that I'm building an Android application and I want to understand how the flow of authenticating users on Android works "the easy way". I read about Basic and Digest Auth.

For the API I use Grape https://github.com/intridea/grape which has Basic and Digest middleware for authentication.

I'm just wondering whether I should store the email/password of the user on the Android app,

and whether each request to the API should attach the email/password of the user?

Also, what are the benefits of the auth headers in the authenticated response?

amrnt

1 Answer


I would highly recommend NOT storing the password anywhere, and storing the username is also most likely unnecessary. Instead, look into the token_authenticatable feature in Devise shown in this blog example. What I would recommend doing is when the Android app user enters his/her username & password combo, you call a custom token authentication sign_in controller with what the user entered and return the token to the app. Then you can store the token in your app without worrying that the username/password may be compromised.

This gives you the flexibility for how frequently you want to regenerate the token, or to invalidate a token arbitrarily.

Chris Hart
  • Hahahah! Love your answer! I've already implemented it this way, but when I was reading about authentication for mobile all I see is Basic and Digest stuff. Here we go! – amrnt Dec 28 '11 at 20:20
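The token exchange the answer describes, written out as an added example (this is not code from the question, the answer, Devise or Grape): a sign-in step that checks the password once and hands back a random token, a per-request token check, and regeneration/revocation. `TokenStore`, `issue_token!`, `authenticate_token` and `revoke_token!` are hypothetical names; in a real app this lives in the User model and a custom sign_in controller, with only the token stored on the phone.

```ruby
require 'securerandom'
require 'openssl'
require 'digest'

# Added example (hypothetical class): models Devise-style token auth.
# The server keeps a salted PBKDF2 hash of the password and only a SHA-256
# digest of the current token, so a leaked table yields neither secret.
class TokenStore
  ITERATIONS = 20_000 # kept low for the demo; raise in production

  def initialize
    @users = {} # email => { pw_salt:, pw_hash:, token_digest: }
  end

  def register(email, password)
    salt = SecureRandom.hex(16)
    @users[email] = { pw_salt: salt, pw_hash: pbkdf2(password, salt), token_digest: nil }
  end

  # Sign-in endpoint: verify the password once, issue a fresh random token.
  # Calling it again regenerates the token and silently invalidates the old one.
  def issue_token!(email, password)
    user = @users[email]
    return nil unless user && secure_eq(pbkdf2(password, user[:pw_salt]), user[:pw_hash])
    token = SecureRandom.urlsafe_base64(32)
    user[:token_digest] = Digest::SHA256.hexdigest(token)
    token # the app stores this, never the password
  end

  # Per-request check: returns the owner's email for a valid token, else nil.
  def authenticate_token(token)
    digest = Digest::SHA256.hexdigest(token.to_s)
    @users.each { |email, u| return email if u[:token_digest] && secure_eq(u[:token_digest], digest) }
    nil
  end

  # Invalidate arbitrarily (sign-out, suspected leak); a new sign-in is required.
  def revoke_token!(email)
    @users[email][:token_digest] = nil if @users[email]
  end

  private

  def pbkdf2(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, 32, OpenSSL::Digest.new('SHA256')).unpack1('H*')
  end

  # Constant-time comparison so a token or hash can't be guessed byte by byte.
  def secure_eq(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```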