5

I'm trying to determine if there is a specific method of authentication one should use besides the traditional basic HTTP auth that is offered with the Sorcery gem given the fact I would want to authenticate users on a variety of mobile platforms (Android, iOS, WP7 etc.)?

Thanks in advance.

EDIT What I have decided to do for the time being is as follows:

  1. Login user with Sorcery's :http_basic_auth to the web service
  2. If the login was successful, generate a time-based token and an expiration time for the token
  3. Pass the token back to the client
  4. Client (Android, iOS, WP7 etc.) passes the token to the service with each request.
  5. Web service then uses the auto_login Sorcery method to authenticate the user and then passes the resource back to the client

Also for extra security and due to the fact it's an ecommerce site it will be running over SSL. I will eventually plan to implement some kind of OTP/OAuth method but will do that after testing. I hope this helps anyone else looking for simple Rails mobile authentication. Thanks for the help.

joshcollie
  • You just mean you want to create an API for your native mobile applications, right? Because when your mobile users use their mobile browser the authentication is the same as on desktop. – Nicolas Blanco Mar 23 '12 at 17:27
  • Yes, sorry I should have made that a little clearer. I was under the impression that gems such as Devise made this a little simpler in some ways but as I'm not using it I haven't particularly looked into how it works with that. I'm wanting to have the native application make authenticated JSON calls to the web service and return the JSON. – joshcollie Mar 23 '12 at 17:39

1 Answer

3

Even if you don't use one of Sorcery's modules, know that you can always implement your own auth strategy and log your user in with the auto_login(user) method. So you're free to implement token-based auth, which I think would be the basic way for an API to communicate with your application.

Nicolas Blanco
  • Would it be possible to initially use the basic HTTP auth with Sorcery over SSL, retrieve the session cookie and send that key back on subsequent requests to the site? Or does Sorcery not work like that? – joshcollie Mar 25 '12 at 19:51
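
The token flow from the question's EDIT (steps 2 to 5) and the token-based strategy the answer suggests, as an added example that is not code from either post or from Sorcery. It assumes a random token with a stored expiry instead of a token derived from the time, and the class `ApiTokenStore`, its `TTL` and the in-memory hash standing in for a database table are all hypothetical.

```ruby
require "securerandom"
require "digest"

# Hypothetical stand-in for a tokens table; not part of Sorcery.
class ApiTokenStore
  TTL = 15 * 60 # assumed token lifetime in seconds

  # clock is injectable so expiry can be exercised without sleeping.
  def initialize(clock: -> { Time.now })
    @clock = clock
    @rows = {} # SHA-256 digest => { user_id:, expires_at: }
  end

  # Steps 2-3: call after the basic-auth login succeeds. Only the digest is
  # stored, so a leaked table does not hand out usable tokens; the raw token
  # is returned once, to be sent to the client over SSL.
  def issue(user_id)
    raw = SecureRandom.urlsafe_base64(32)
    @rows[digest(raw)] = { user_id: user_id, expires_at: @clock.call + TTL }
    raw
  end

  # Steps 4-5: map the token presented with a request to a user id, or nil.
  # In a Rails controller, a non-nil result is the point where the user would
  # be loaded and passed to Sorcery's auto_login(user).
  def authenticate(raw)
    return nil unless raw.is_a?(String) && !raw.empty?
    key = digest(raw)
    row = @rows[key]
    return nil if row.nil?
    if @clock.call >= row[:expires_at]
      @rows.delete(key) # expired tokens are purged on first use
      return nil
    end
    row[:user_id]
  end

  # Logout or suspected compromise: invalidate before the expiry time.
  def revoke(raw)
    !@rows.delete(digest(raw.to_s)).nil?
  end

  private

  def digest(raw)
    Digest::SHA256.hexdigest(raw)
  end
end
```
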