Update User Devise via API Securely

In an app I need to edit the registration data of a user such as name, email, phone and password (for the optional password, I found this solution).

However this change is made via API. Since it involves data change I need to know how to make this change safely. If it were only on the web I would use current_user which would guarantee me that only the logged-in user would change their own data. But in this case I don’t know how it works.

1 answer

I recommend you take an approach with a TOKEN for user authentication via API (note that it is not related to the old TokenAuthenticatable of Devise).

Your User model will have one TOKEN which will be a random code. On every API request you pass this TOKEN to ensure that it is the real user.

Rails already has a method to verify this type of authentication: authenticate_with_http_token

If you want to increase security you can also provide an APP_SECRET which will be used to encode your token, through an algorithm.

That APP_SECRET will not be sent in communication (HTTP calls), but has to be stored both on the server and on the client.

References that can help you:

http://blog.envylabs.com/post/75521798481/token-based-authentication-in-rails

http://keighl.com/post/secure-api-request-from-ios-to-rails/
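The token flow described in the answer, as an added example that is not part of the original answer: plain Ruby with no Rails dependency, showing how the token (not an id in the request) decides whose record is edited. The `User` struct, `USERS` list, `PERMITTED` list and all method names are hypothetical stand-ins for the app's own model and controller.

```ruby
require "securerandom"
require "openssl"
require "digest"

# Hypothetical stand-in for the Devise User model (a real app would use ActiveRecord).
User = Struct.new(:id, :name, :email, :phone, :token_digest)
PERMITTED = %i[name email phone].freeze # fields a client may change

# Constructed sample users.
USERS = [
  User.new(1, "Alice", "alice@example.test", "555-0100", nil),
  User.new(2, "Bob",   "bob@example.test",   "555-0101", nil)
]

# Hand the random token to the client once; keep only its SHA-256 digest server-side.
def issue_token(user)
  token = SecureRandom.hex(32)
  user.token_digest = Digest::SHA256.hexdigest(token)
  token
end

# Accepts 'Token token="abc"' or 'Token abc', the Authorization header
# format that authenticate_with_http_token reads.
def token_from_header(header)
  m = /\AToken\s+(?:token=)?"?([^",\s]+)"?/.match(header.to_s)
  m && m[1]
end

# Resolve the caller from the token alone, comparing digests in constant time.
def authenticate(header)
  token = token_from_header(header)
  return nil unless token
  digest = Digest::SHA256.hexdigest(token)
  USERS.find { |u| u.token_digest && OpenSSL.secure_compare(u.token_digest, digest) }
end

# The API equivalent of current_user: the record to edit comes from the token,
# never from an id in the request body, and only permitted fields are written.
def update_profile(header, params)
  user = authenticate(header)
  return [401, nil] unless user
  params.each { |key, value| user[key.to_sym] = value if PERMITTED.include?(key.to_sym) }
  [200, user]
end
```

In a Rails controller the same lookup would sit inside the block passed to `authenticate_with_http_token`, and the request must travel over HTTPS so the token is not exposed in transit.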
