thoughtbot / ios-on-rails

A guide to building a Rails API and iOS app

User Login #98

Closed ACPK closed 9 years ago

ACPK commented 9 years ago

How would a user login / sign up to grab the token?

jessieay commented 9 years ago

Hi @apck! What token are you referring to?

We do have an API token that the iOS client sends the Rails API to verify that it is a trusted source (so random people can't ping our API and create tons of events, for example). Right now, users do not have individual auth tokens, just device tokens.

Does that make sense? Just let me know!

ACPK commented 9 years ago

@jessieay Thank you very much for the quick reply and your help, as that does make sense. :) Our users will be logging in via multiple devices (i.e. iPad and iPhone). Would you be providing any info on this?

Also, we're using https://github.com/lynndylanhurley/devise_token_auth, and it recommends that tokens change for security reasons.

jessieay commented 9 years ago

@ACPK

> Our users will be logging in via multiple devices (i.e. iPad and iPhone). Would you be providing any info on this?

Not at the moment, although it is certainly on our radar as something to write about next. Any token authentication system should work with multiple platforms.

> we're using https://github.com/lynndylanhurley/devise_token_auth, and it recommends that tokens change for security reasons.

Yes, that makes sense.

Conceptually, you can think of authentication tokens like remember tokens. When you have a web app that uses something like Devise, once a user enters in a correct username and password, that user's remember token is stored as a cookie so that the app knows which user is logged in from page to page.

Devise provides convenience methods like current_user that you use in Rails controllers to determine which data to show. This method is finding that user with the remember token, which is stored as a cookie and associated with a user in your database.

When users are logging in via an iOS app, we cannot rely on cookies because those platforms do not have cookies. Instead, they pass around a token in the headers. So you will send the token in POST requests and expect a token in GET requests in your Rails API and find the user based on that value.

Does that make sense? I started working through this for the book a little while back before we decided to wait on it for V2. But, I am kind of thinking through it in real time as well...
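To make the "find the user based on the header token" idea above concrete, here is an added example in plain Ruby. It is not code from the ios-on-rails book or from this thread: the in-memory `TokenAuth` class stands in for a users/tokens table, the `Authorization: Token token="..."` header format is the one Rails' `authenticate_with_http_token` reads, and one token per device (rather than one per user) is an assumption chosen so an iPad and an iPhone can stay logged in independently. It also covers the token rotation that devise_token_auth recommends, by invalidating the presented token and minting a fresh one.

```ruby
require "securerandom"
require "digest"

# Added example (not code from the ios-on-rails book): an in-memory stand-in
# for a users/tokens table, so the header-token lookup runs without Rails.
User = Struct.new(:id, :email)

class TokenAuth
  def initialize
    @users = {}   # user id => User
    @tokens = {}  # SHA-256 digest of raw token => { user_id:, device: }
  end

  def add_user(id, email)
    @users[id] = User.new(id, email)
  end

  # Login from one device: mint a random token and return it to the client.
  # Only the digest is kept server-side, so a leaked database dump does not
  # hand out usable tokens. Each device gets its own token (assumption), which
  # is what lets an iPad and an iPhone stay logged in independently.
  def login(user_id, device_name)
    raise ArgumentError, "unknown user" unless @users.key?(user_id)
    raw = SecureRandom.hex(32)
    @tokens[digest(raw)] = { user_id: user_id, device: device_name }
    raw
  end

  # Rotate: invalidate the presented token and hand back a fresh one for the
  # same user/device. Returns nil if the presented token is not valid.
  def rotate(raw)
    entry = @tokens.delete(digest(raw.to_s))
    return nil unless entry
    fresh = SecureRandom.hex(32)
    @tokens[digest(fresh)] = entry
    fresh
  end

  # Revoke every token for a user (password change, "log out everywhere").
  def revoke_all(user_id)
    @tokens.delete_if { |_, entry| entry[:user_id] == user_id }
  end

  # The API-side equivalent of Devise's current_user: pull the token out of
  # the request headers and look the user up by its digest. Returns nil when
  # the header is missing, malformed, or carries an unknown token.
  def current_user(headers)
    raw = extract_token(headers)
    return nil if raw.nil?
    entry = @tokens[digest(raw)]
    entry && @users[entry[:user_id]]
  end

  private

  def digest(raw)
    Digest::SHA256.hexdigest(raw)
  end

  # Accepts the header Rails' authenticate_with_http_token reads:
  #   Authorization: Token token="abc123"   (quotes optional)
  # Both the HTTP and the Rack env spelling of the header name are checked.
  def extract_token(headers)
    value = headers["Authorization"] || headers["HTTP_AUTHORIZATION"]
    return nil unless value.is_a?(String)
    match = value.match(/\AToken\s+token="?([A-Za-z0-9]+)"?\z/)
    match && match[1]
  end
end
```

In a real Rails API the `@tokens` hash would be a table with a unique index on the digest column, and `current_user` would live in a `before_action` in `ApplicationController`; the client sends the raw token on every request (POST and GET alike) and never sees the digest. The `rotate` method is where the "tokens change" recommendation from devise_token_auth lands: because each device holds its own token, rotating or revoking the iPhone's token does not log out the iPad.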

jessieay commented 9 years ago

This issue is stale so closing. @ACPK feel free to comment back and I will reopen if you want to continue the discussion!