I have an application which uses devise on rails 3. I would like to enable http authentication so that I can authenticate to my web app from an iPhone app. How can I authenticat
This largely depends on how you are implementing things on the server side, but we implemented this using Matteo's 3rd option. I have a Rails 3.1 implementation using Devise. The route to the login is /users/login.json. First build up the JSON body for login with code like this:
// Build {"user": {"email": ..., "password": ...}} as the login body
NSMutableDictionary *loginDictionary = [NSMutableDictionary dictionary];
NSMutableDictionary *usernamePasswordDictionary = [NSMutableDictionary dictionary];
[usernamePasswordDictionary setObject:username forKey:@"email"];
[usernamePasswordDictionary setObject:password forKey:@"password"];
[loginDictionary setObject:usernamePasswordDictionary forKey:@"user"];
// Serialize to JSON; error is set if serialization fails
NSError *error = nil;
NSData *data = [NSJSONSerialization dataWithJSONObject:loginDictionary options:0 error:&error];
which yields this JSON:
{"user":{"password":"blahblahblah","email":"admin@*****.com"}}
I send a POST url request with code like this:
NSString *postUrlString = [NSString stringWithFormat:@"%@users/login.json", kServerAPIBaseURL];
NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:postUrlString] cachePolicy:NSURLRequestReloadIgnoringCacheData timeoutInterval:kTimeoutInterval];
[request setHTTPMethod:@"POST"];
[request setValue:@"application/json" forHTTPHeaderField:@"Content-type"];
[request setHTTPBody:data];
The response I get back contains JSON. We configured the server side to return a session_auth_token:
{
admin = 1;
"created_at" = "2012-01-25T00:15:58Z";
"current_sign_in_at" = "2012-04-04T04:29:15Z";
"current_sign_in_ip" = "75.163.148.101";
email = "admin@******.com";
"encrypted_password" = "*****";
"failed_attempts" = 0;
id = 1;
"last_sign_in_at" = "2012-04-03T03:37:18Z";
"last_sign_in_ip" = "75.163.148.101";
"locked_at" = "";
name = "Joe Smith";
"remember_created_at" = "2012-03-29T20:35:43Z";
"reset_password_sent_at" = "";
"reset_password_token" = "";
"session_auth_token" = "3FRgX6CYlzQJGC8tRWwqEjFaMMFKarQAYKTy3u84M0U=";
"sign_in_count" = 145;
status = 1;
"unlock_token" = "";
"updated_at" = "2012-04-04T04:29:15Z";
}
We store that session_auth_token and then send it back with every request in a header, something like this:
NSMutableURLRequest *postRequest = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:[self postUrlString]]...
[postRequest setHTTPMethod:@"POST"];
[postRequest setValue:@"application/json" forHTTPHeaderField:@"Content-type"];
[postRequest setValue:[self sessionAuth] forHTTPHeaderField:@"X-CSRF-Token"];
[postRequest setHTTPBody:data];
That parameter [self sessionAuth] contains the session_auth_token.
Let me know if you need clarification.
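The login response shown in the answer carries Devise columns such as encrypted_password, reset_password_token and unlock_token, which the iPhone client never reads. As an added example (plain Ruby, not the answerer's server code), the following builds that response from an allow-list, issues a fresh random token at each login, and checks the token from the request header in constant time; the field list, the sample record and the method names are assumptions.

```ruby
require 'securerandom'
require 'digest'
require 'json'

# Assumed allow-list: the only fields the client needs after login.
LOGIN_RESPONSE_FIELDS = %w[id email name admin session_auth_token].freeze

# Constructed sample record with columns like those in the response above.
SAMPLE_USER = {
  'id' => 1, 'email' => 'admin@example.com', 'name' => 'Joe Smith', 'admin' => 1,
  'encrypted_password' => '<password hash placeholder>',
  'reset_password_token' => '', 'unlock_token' => '',
  'current_sign_in_ip' => '203.0.113.10', 'sign_in_count' => 145
}.freeze

# Issue a new token per login: 32 random bytes, base64-encoded (44 characters).
def issue_session_token(user)
  user.merge('session_auth_token' => SecureRandom.base64(32))
end

# Serialize only allow-listed fields; password hash and reset/unlock tokens
# never leave the server.
def login_response_json(user)
  JSON.generate(user.select { |key, _| LOGIN_RESPONSE_FIELDS.include?(key) })
end

# Compare the header token with the stored one without leaking, through timing,
# how many leading bytes matched. Hashing both sides equalizes their lengths.
def valid_session_token?(stored, presented)
  return false if stored.to_s.empty? || presented.to_s.empty?
  a = Digest::SHA256.digest(stored)
  b = Digest::SHA256.digest(presented)
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

if __FILE__ == $PROGRAM_NAME
  user = issue_session_token(SAMPLE_USER)
  puts login_response_json(user)
  puts valid_session_token?(user['session_auth_token'], user['session_auth_token'])
end
```
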