Allowing http token auth to set the token_authentication_key if missing from params #2271
…ce of passing it in via params It will not override existing token_authentication_key params if they are present.
Thanks @robhurring. However, you explained how the feature is implemented, you haven't explained why you need it though. Could you please tell us why? Why is the current token mechanism not enough?
There is really nothing in particular lacking with the current basic auth flow for authenticating, but for an API we felt using token auth was semantically better. The reasoning behind this was more for allowing the API client to pass in options with the token which the app can use. I didn't include that piece of the code in this PR since I wasn't exactly sure how to make it feel natural in devise. In our current implementation we're passing in a request signature with the token, the signature (and any other metadata) is then bubbled up to the app in
@@ -82,7 +82,7 @@ def authentication_token | |||
generate_token(:authentication_token) | |||
end | |||
|
|||
Devise::Models.config(self, :token_authentication_key, :expire_auth_token_on_timeout) | |||
Devise::Models.config(self, :token_authentication_key, :allow_authorization_to_set_auth_token, :expire_auth_token_on_timeout) |
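Review bot: The new `:allow_authorization_to_set_auth_token` entry on the `Devise::Models.config` line has no documentation or default visible in this hunk. Please list it alongside the module's other documented options and make sure it defaults to off wherever the defaults for the other token options are set, so that an app upgrading Devise does not start accepting tokens from the Authorization header without opting in.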
Can we call this configuration option something like allow_token_authenticatable_via_headers
or something like it?
I like that much better -- fixed!
This approach is also fine. We could include the options in Thanks a lot!
…low_token_authenticatable_via_headers"
Thanks a lot @robhurring! Sorry for the delay. Maybe instead of merging into the params hash, we could add a
@josevalim no worries, it's been a pretty busy month for me as well. I made those changes and mimicked the http auth flow pretty closely. Give it a glance when you have a minute and let me know if there's any other changes that need to be made.
Allowing http token auth to set the token_authentication_key if missing from params
Perfect pull request! I have merged it, sorry for the delay!
Allows the user to configure devise to allow token auth headers to set the missing "token_authentication_key" param with a new setting in the config "allow_authorization_to_set_auth_token". When set to true it will parse out the token from the request headers and update the param for "token_authentication_key".
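The precedence rule described above (header fills the token param only when the setting is on and the param is missing), as an added Ruby sketch that is not Devise's code and not part of this pull request. It assumes the `Token token="…", key="value"` shape for the Authorization header; `parse_token_header`, `resolve_token_params` and the `auth_token` key are hypothetical names.

```ruby
# Added illustration; not Devise's implementation. All names are hypothetical.
TOKEN_SCHEME = /\AToken\s+/i

# Parse 'Token token="abc", nonce="xyz"' into [token, options].
# Returns nil when the header is absent, uses another scheme, or has no token.
def parse_token_header(header)
  return nil unless header.is_a?(String) && header.match?(TOKEN_SCHEME)

  options = {}
  header.sub(TOKEN_SCHEME, "").split(/\s*,\s*/).each do |part|
    key, value = part.split("=", 2)
    next if value.nil?
    options[key.strip] = value.strip.gsub(/\A"|"\z/, "")
  end

  token = options.delete("token")
  return nil if token.nil? || token.empty?
  [token, options]
end

# Fill params[token_key] from the header only when the flag is enabled and
# the param is missing. A token already present in params is never overridden.
def resolve_token_params(params, authorization, token_key:, allow_header:)
  return params unless allow_header
  return params if params.key?(token_key)

  token, _options = parse_token_header(authorization)
  token ? params.merge(token_key => token) : params
end

# Constructed sample request data.
sample_header = 'Token token="abc123", nonce="n1"'
p resolve_token_params({}, sample_header, token_key: "auth_token", allow_header: true)
p resolve_token_params({ "auth_token" => "from_param" }, sample_header,
                       token_key: "auth_token", allow_header: true)
```
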