I have been using token_authenticatable before to secure my API, however, I have found that it was deprecated? What should I use instead and why did they deprec
This looks like a very old question, nevertheless I'll put an awesome gem for the record here.
You can secure your API with the Doorkeeper gem, an awesome OAuth provider for Rails apps.
I wanted to keep backwards compatibility so I just moved everything into a concern to avoid the warning. Here's my code and associated specs:
/app/models/concerns/token_authenticatable.rb

module TokenAuthenticatable
  extend ActiveSupport::Concern

  module ClassMethods
    # Returns the first record with the given token, or nil when no token is passed.
    def find_by_authentication_token(authentication_token = nil)
      if authentication_token
        where(authentication_token: authentication_token).first
      end
    end
  end

  # Assigns a token only when the record does not have one yet (does not save).
  def ensure_authentication_token
    if authentication_token.blank?
      self.authentication_token = generate_authentication_token
    end
  end

  # Replaces the current token with a new one and saves the record.
  def reset_authentication_token!
    self.authentication_token = generate_authentication_token
    save
  end

  private

  # Loops until it produces a token that no existing record already uses.
  def generate_authentication_token
    loop do
      token = Devise.friendly_token
      break token unless self.class.unscoped.where(authentication_token: token).first
    end
  end
end

/app/models/user.rb

class User < ActiveRecord::Base
  include TokenAuthenticatable
end

/app/models/employee.rb

class Employee < ActiveRecord::Base
  include TokenAuthenticatable
end

/spec/models/user_spec.rb

describe User do
  it_behaves_like 'token_authenticatable'
end

/spec/models/employee_spec.rb

describe Employee do
  it_behaves_like 'token_authenticatable'
end

spec/shared_examples/token_authenticatable.rb

shared_examples 'token_authenticatable' do
  describe '.find_by_authentication_token' do
    context 'valid token' do
      it 'finds correct user' do
        class_symbol = described_class.name.underscore
        item = create(class_symbol, :authentication_token)
        create(class_symbol, :authentication_token)
        item_found = described_class.find_by_authentication_token(
          item.authentication_token
        )
        expect(item_found).to eq item
      end
    end

    context 'nil token' do
      it 'returns nil' do
        class_symbol = described_class.name.underscore
        create(class_symbol)
        item_found = described_class.find_by_authentication_token(nil)
        expect(item_found).to be_nil
      end
    end
  end

  describe '#ensure_authentication_token' do
    it 'creates auth token' do
      class_symbol = described_class.name.underscore
      item = create(class_symbol, authentication_token: '')
      item.ensure_authentication_token
      expect(item.authentication_token).not_to be_blank
    end
  end

  describe '#reset_authentication_token!' do
    it 'resets auth token' do
    end
  end
end

From their blog:
"we cannot digest the authentication token provided by TokenAuthenticatable, as they are often part of APIs where the token is used many times. Since the usage of the authenticatable token can vary considerably in between applications, each requiring different safety guarantees, we have decided to remove TokenAuthenticatable from Devise, allowing users to pick the best option."
It's now up to the developers to choose the best fit depending on their usage of the authentication token.
Check out this gist.
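
As an added illustration of the quoted point that each application picks its own safety guarantees, here is one possible option; it is not code from Devise, the gist, or any answer on this page. It keeps only a SHA-256 digest of the token, finds the record by a non-secret user id, and compares digests in constant time. `TokenStore` and its in-memory hash are hypothetical stand-ins for a model and its database column.

```ruby
require 'securerandom'
require 'digest'

# Hypothetical stand-in for a users table: user_id => hex digest of the token.
class TokenStore
  def initialize
    @digests = {}
  end

  # Issues a random token and stores only its SHA-256 digest.
  # A fast hash is acceptable here only because the token is a long random
  # value, not a user-chosen password. The plain token is returned once.
  def issue(user_id)
    token = SecureRandom.urlsafe_base64(32)
    @digests[user_id] = Digest::SHA256.hexdigest(token)
    token
  end

  # Finds the record by the non-secret id, then compares digests without
  # stopping at the first differing byte.
  def authenticate(user_id, presented_token)
    stored = @digests[user_id]
    return false if stored.nil? || presented_token.to_s.empty?

    secure_compare(stored, Digest::SHA256.hexdigest(presented_token.to_s))
  end

  # Removes the stored digest; returns true when there was one to remove.
  def revoke(user_id)
    !@digests.delete(user_id).nil?
  end

  private

  # Compares two strings of equal length in time independent of their content.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize

    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end
```

With this layout a leaked copy of the table exposes digests rather than usable tokens, and the client sends its user id alongside the token on each request.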
I've been using the devise_token_auth gem which is one of the alternatives listed in the Devise wiki page for token authentication.
I don't know if it's now the de-facto standard for Devise token auth or not but it's definitely my go-to.
I have answered this question previously and provided an alternative with example code covering how to do OAuth 2.0 API/Token authentication with Rails and Warden.
Devise is pretty much irrelevant for APIs, and I always felt uncomfortable trying to wrestle with Devise to make it work the way I needed, so I ditched it, but the Warden middleware on which Devise is based is still useful for supporting multiple authentication strategies and is what my example uses.