Re: [devise] How to config devise to accept auth token via HTTP header?

[Carlos Antonio da Silva]

Devise does not support this by default (although seems a nice addition :D), but I think you could start by trying a monkey patch to see how it goes.

You'd have to change the source from where Devise finds the token to attempt an authentication:

https://github.com/plataformatec/devise/blob/master/lib/devise/strategies/token_authenticatable.rb#L17

The authenticate! method in the link above calls authentication_hash, which will make use of the params:

https://github.com/plataformatec/devise/blob/master/lib/devise/strategies/token_authenticatable.rb#L40

I think that by changing the method in this link, `params_auth_hash`, to return a hash cointaing the token => the value from the header you want, would probably do the job.

-- 

At.

Carlos Antonio

On Wednesday, June 13, 2012 at 4:36 AM, Horace Ho wrote:

Currently, devise is configured to accept token authentication via URL and curl works well:

curl 'http://localhost/index.json?auth_token=TOKENVALUE'

I'd like to pass the TOKENVALUE via HTTP header instead of URL, how can I config devise to get the TOKENVALUE from HTTP header? Such that the following curl requests will also work:

curl 'http://localhost/index.json' -H 'Authorization: Token token="TOKENVALUE"'

Devise settings in user.rb:

devise :token_authenticatable, :database_authenticatable, :registerable, 
:recoverable, :rememberable, :trackable, :validatable

[fs]

Just in case somebody wants to do this, I did the following and it worked. Just put this at the end of config/initializers/devise.rb (or any other initializer):

require 'devise/strategies/token_authenticatable'

module Devise

  module Strategies

    class TokenAuthenticatable < Authenticatable

      def params_auth_hash

        return_params = if params[scope].kind_of?(Hash) && params[scope].has_key?(authentication_keys.first)

            params[scope]

          else

            params

          end

        token = ActionController::HttpAuthentication::Token.token_and_options(request)

        return_params.merge!(:auth_token => token[0]) if token

        return_params

      end

    end

  end

end

Best regards,

Fabian

[Joe Hankin]

Thank you for this -- works like a charm!

Cheers,

--Joe

[Rob Hurring]

I had a pull request in for the a few weeks ago that was just merged into plataformatec/devise master. The only issue I ran into when upgrading to master branch instead of the gem was that the devise config changed slightly, so you will have to enable the "config.http_authenticatable = true" (or config.http_authenticatable = [:token_auth]") setting in order to have token authentication working properly. 

[Ernest Surudo]

Rob, are you saying that fs' workaround is no longer necessary to get authenticated via an auth header, and is now built into devise? Is there more info on this somewhere?

[Joshua Rountree]

Does anyone know if this is still relative to the latest versions of Devise? or has anything changed in this regard?