Share auth with Rails app? (Devise authentication)


Ernest Surudo

Jun 14, 2013, 3:58:04 PM
to golia...@googlegroups.com
Goliath looks interesting, and I'm looking to use it for a small part of a mobile API that will be hit often (so it needs to be fast).

Once a user creates a session via the API (username/password), he is handed back a token, and uses that for subsequent requests in the Rails API.

I'm using Devise for authentication on the Rails side, so the auth token is stored in the DB. I'm looking to avoid the DB altogether for this part of the API (store the data in Redis instead, probably), which complicates things a bit. I'm open to other options, though.

I know this is vague, but does anyone have any experience with sharing this auth scheme with Goliath? Pointing me in the right direction, perhaps?

Ilya Grigorik

Jun 14, 2013, 4:52:36 PM
to golia...@googlegroups.com
You obviously need to run the API server on the same origin to get the cookie. Once you have the cookie.. you'll have to reverse-engineer and validate it. 

ig



Ernest Surudo

Jun 16, 2013, 9:50:53 AM
to golia...@googlegroups.com
I'm not using cookies, but instead store the auth token in the request headers. So I'll need a way to validate the token.

I'm considering adding some observers around Devise, so that during login, I write the token out to a shared Redis DB that I can then validate with on the Goliath side. Seems a bit hacky, though, so I was wondering if there are some existing best practices to follow.


Ernest


Ilya Grigorik

Jun 16, 2013, 4:25:32 PM
to golia...@googlegroups.com
You use a custom HTTP header to manually communicate your auth-token? Why?
That's what cookies are for..

Re, shared token: that doesn't sound "hacky" .. if that's what you need to
validate the token.

ig

Ernest Surudo

Jun 17, 2013, 5:24:07 AM
to golia...@googlegroups.com
It's an API for a mobile app, and I felt passing the auth token along in the header was cleaner. It's not a custom HTTP header, btw; IIRC it's pretty standard to pass the token in an "Authorization" header like so: 'Authorization: Token token="TOKENVALUE"'.

E
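
The shared-token validation discussed in this thread, as an added Ruby example (not code from any poster, Goliath or Devise): the login side publishes a digest of the token with an expiry, and the API side parses the `Authorization: Token token="..."` header and fails closed. `TokenStore` (an in-memory stand-in for Redis), the `auth:` key prefix, the TTL, the accepted token alphabet and the Rack-style `HTTP_AUTHORIZATION` key are assumptions.

```ruby
require "digest"

# Constructed stand-in for the shared Redis DB so the example runs offline.
# With a Redis client, publish would be a SET with expiry and lookup a GET.
class TokenStore
  def initialize(clock: -> { Time.now.to_i })
    @data = {}
    @clock = clock
  end

  # Login side: store only a SHA-256 digest of the token, so a dump of the
  # shared store does not reveal usable tokens.
  def publish(token, user_id, ttl:)
    @data[key_for(token)] = [user_id, @clock.call + ttl]
  end

  # API side: returns the user id, or nil if the token is unknown or expired.
  def lookup(token)
    user_id, expires_at = @data[key_for(token)]
    return nil if user_id.nil? || @clock.call >= expires_at
    user_id
  end

  private

  def key_for(token)
    "auth:" + Digest::SHA256.hexdigest(token)
  end
end

# Accepts only: Token token="VALUE" (quotes optional). The length and
# alphabet limits are assumptions; match them to how tokens are generated.
TOKEN_HEADER = /\AToken\s+token=(?:"([A-Za-z0-9_\-]{16,128})"|([A-Za-z0-9_\-]{16,128}))\z/

def extract_token(header)
  m = TOKEN_HEADER.match(header.to_s.strip)
  m && (m[1] || m[2])
end

# Returns [status, user_id]; anything malformed, unknown or expired is a 401.
def authenticate(env, store)
  token = extract_token(env["HTTP_AUTHORIZATION"])
  return [401, nil] unless token
  user_id = store.lookup(token)
  user_id ? [200, user_id] : [401, nil]
end
```

Looking the token up by its digest means the raw token is never compared byte by byte against a stored secret, and logout on the Rails side only has to delete the one key.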