Using auth_token from request headers instead from POST/PUT parameters with Rails 3 / devise

I need to use token based authentication in a Rails 3.1 API in conjunction with the most recent version of devise. No problem so far.

Now I do not want to append my :auth_token to the POST/PUT parameters on client side but send this token as a request header like HTTP_X_MYAPP_AUTH_TOKEN".

Can I convince devise from using that rather than a token from parameters? Is 开发者_如何学运维it possible to implement both, so that my API users can send the token via request header OR POST/PUT parameter?

Regards. Felix

I had the same need and came up with this solution:

class YourController < ApplicationController
  prepend_before_filter :get_api_key
  before_filter :authenticate_user!

  private
  def get_api_key
    if api_key = params[:api_key].blank? && request.headers["X-API-KEY"]
      params[:api_key] = api_key
    end
  end
end

Note I have my devise Devise.token_authentication_key set to api_key.

config.token_authentication_key = :api_key

I'm using a custom "strategy" for this: https://gist.github.com/4492569

It is possible in Devise to pass a standard authentication token through query string or the header for HTTP Basic Authentication, see here. The Ruby code from the specs to pass token in the HTTP_Authorization header is

header = "Basic #{Base64.encode64("#{VALID_AUTHENTICATION_TOKEN}:X")}"
get users_path(:format => :xml), {}, "HTTP_AUTHORIZATION" => header

Testing from the command line with curl would go like this:

echo  "HUGP59gXsd7773a75Dvc:X" | base64
=> SFVHUDU5Z1hzZDc3NzNhNzVEdmM6WAo=
curl --header "Authorization: Basic SFVHUDU5Z1hzZDc3NzNhNzVEdmM6WAo=" \ 
     http://localhost/users.xml

Using devise and devise-token_authenticatable, I had to set this in my config/initializers/devise.rb in order to pass the token via http headers:

config.http_authenticatable = true