Authenticate custom strategy without creating Devise user
My setup: Rails 3.0.9, Ruby 1.9.2, Devise 1.3.4, Warden 1.0.4
I'm trying to figure out if it is possible to authenticate a custom strategy and not have to create a Devise user in the process upon successful authentication. In my config.warden block, the authentication works fine, but if I don't create a Devise user, I won't be authenticated. My ideal scenario requires me to either successfully authenticate against a 3rd party provider and sign into my app (using Devise without a corresponding Devise user record) or, if I fail to authenticate, then try the Devise standard login path.
Here is the devise.rb code snippet I got working, but I have to create a Devise user for the authentication to work; this is something I wish to avoid.
config.warden do |manager|
  manager.strategies.add(:custom_strategy) do
    # Only run this strategy when login credentials were submitted
    def valid?
      params[:user] && params[:user][:email] && params[:user][:password]
    end

    def authenticate!
      # ...perform authentication against 3rd party provider...
      if successful_authentication
        u = User.find_or_initialize_by_email(params[:user][:email])
        if u.new_record?
          u.app = 'blah'
          u.save
        end
        success!(u)
      end
    end
  end
  # Try the custom strategy before Devise's default ones
  manager.default_strategies(:scope => :user).unshift :custom_strategy
end
I realize the question is old, but I saw it a couple of times when I was searching for a solution to a similar thing, so I decided to post the answer in case anyone in the future stumbles upon a similar issue. Hope this will help!
I recently had to do a similar thing: I had users in my database that were authenticated with some Devise/Warden strategies, but had created another app that has to have access to some of the endpoints of my application. Basically I wanted to do HMAC authentication. But I didn't want to involve any user objects in that process, and here is what I had to do (provided that you already have your custom strategy that authenticates the incoming request without using a user object):
- Create a fake user model that is used so that Devise won't blow up. You don't have to create any database table for that.
Mine looked similar to the below:
class Worker # no need to create a table for him
  extend ActiveModel::Callbacks
  extend Devise::Models
  include ActiveModel::Validations
  include Concerns::ObjectlessAuthenticatable

  define_model_callbacks :validation

  attr_accessor :id

  # Never backed by a database row
  def persisted?
    false
  end

  def initialize(id)
    @id = id
  end

  # Rebuild the worker from the value stored by serialize_into_session
  def self.serialize_from_session(id)
    new(id)
  end

  def self.serialize_into_session(record)
    [record.id]
  end

  def self.http_authenticatable
    false
  end
end
Then in the Devise initializer (/initializers/devise.rb) I've added a separate authentication strategy like below:
# ...
config.warden do |manager|
  manager.scope_defaults :user, :strategies => [
    # ...strategies I was using for users
  ]
  # store: false keeps the worker out of the session, so every request is authenticated again
  manager.scope_defaults :worker, :strategies => [:worker_authentication], store: false, action: 'unautenticated_worker'
  manager.failure_app = CustomFailingApp
end
# ...
Then in routes.rb I had to create a mapping for Devise to use, like so:
devise_for :worker # you can pass some custom options here
Then wherever I needed to authenticate the worker, not the user, I just had to call (in the controller) authenticate_worker!
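The answer above does not show its :worker_authentication strategy. As an added example (not the answerer's code), this is a userless HMAC check that such a strategy's authenticate! could call, passing the returned object to success! instead of a User record. The header names, signing format, secret table and WorkerPrincipal are assumptions made for the example.

```ruby
require 'openssl'
require 'digest'

# Constructed sample secrets (assumption: a real app loads these from a secret store).
WORKER_SECRETS = { 'worker-1' => 'constructed-demo-secret' }.freeze
MAX_SKEW = 300 # seconds a signed request stays valid (assumed value)

# Userless principal: no table, no User row, just the caller's id.
WorkerPrincipal = Struct.new(:id)

# Signature covers method, path, timestamp and a hash of the body, so none
# of them can be changed or replayed later without invalidating it.
def sign_request(secret, method, path, timestamp, body)
  payload = [method.upcase, path, timestamp.to_s, Digest::SHA256.hexdigest(body)].join("\n")
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA256'), secret, payload)
end

# Compare without exiting at the first differing byte (avoids a timing oracle).
def constant_time_eq?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns a WorkerPrincipal on success and nil on any failure; touches no database.
def authenticate_worker(method:, path:, body:, headers:, now: Time.now.to_i)
  id, ts, sig = headers.values_at('X-Worker-Id', 'X-Timestamp', 'X-Signature')
  return nil unless id && ts && sig
  secret = WORKER_SECRETS[id]
  return nil unless secret
  return nil unless ts.match?(/\A\d+\z/) && (now - ts.to_i).abs <= MAX_SKEW
  expected = sign_request(secret, method, path, ts, body)
  constant_time_eq?(expected, sig) ? WorkerPrincipal.new(id) : nil
end
```

Inside a Warden strategy the result would be used as `worker ? success!(worker) : fail!`, with the request method, path, body and headers taken from the strategy's `request` object.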
I would expect that this is against the design of Devise, where all actions are done using RESTful routes for a resource. That said, the comments in Warden's success! method say:
# Parameters:
# user - The user object to login. This object can be anything you have setup to serialize in and out of the session
So could you not change the object u to some other object that represents the user, like a plain old Hash?