5 votes

I currently use Devise 2.1 + Rails 3.2.x to authenticate users. I'm also going to be adding OmniAuth-Facebook and Twitter support soon.

I wanted to use this existing infrastructure with Backbone.js. Can you let me know if this is the correct workflow from authentication perspective?

  1. User login via Devise (or OmniAuth)
  2. Use Devise's Token Authenticatable to return a token?
  3. Backbone to access the token somehow and append that as part of API call? I don't need the API to create user, that's being handled by Devise.

Questions:

  1. Is this how you'd implement it?
  2. Any suggestions/code samples on #2 and #3?
  3. How would you handle authorization with this? I don't think CanCan will work.

P.S. I read through many articles, including this: http://jessewolgamott.com/blog/2012/01/19/the-one-with-a-json-api-login-using-devise/. They seem to be focused on authentication using the API, rather than securing the API resources after authentication is completed.


2 Answers

2 votes

I actually got this working even a little easier by:

  1. User logs in via Devise/OmniAuth; no authentication token needs to be created.
  2. If I use the same action that is Devise-enabled to serve up the REST API, it'll automatically use the session info to authenticate, so no additional token capture/resend is needed.

P.S. RABL is great for creating APIs in Rails.

0 votes

  1. The workflow is correct.
  2. I found bits and pieces on the interwebs, maybe I can blog post about it later
  3. Correct. You can override Backbone.sync, or if you're using jQuery you can configure jQuery globally. Example here.

Authorization would be handled the same on the server side, unless you want the client to know about its roles. On the server side, you'll find the current user via its token and authorize accordingly. If you do need to know what roles a user has, you can send the roles when the user authenticates.
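Both answers come down to "make every Backbone request carry whatever the Devise-protected controller needs": the session cookie plus Rails' CSRF token for the first answer, or the Devise auth token for the second answer's step 3. The block below is an added example (not code from the question, either answer, Backbone or Devise) of the "override Backbone.sync" approach that covers both cases. It assumes the server accepts the auth token in an `X-Auth-Token` header, which is a hypothetical header name for this example only; Devise 2.1's Token Authenticatable by default looks for the token in an `auth_token` request parameter, so the controller side has to be set up to read a header instead. The `Backbone` object defined at the top is a stand-in so the code runs under Node without Backbone or jQuery; it returns the request that `Backbone.sync` would have issued instead of calling `$.ajax`.

```javascript
// Added example, not code from the question or either answer.
//
// Two ways to keep every Backbone request authenticated against a
// Devise-protected Rails controller:
//   1. session cookie (first answer): the browser attaches the cookie itself,
//      but Rails' protect_from_forgery still requires the CSRF token on every
//      non-GET request; in Rails 3.2 a failed check resets the session, so the
//      user silently appears logged out on the next request.
//   2. auth token (second answer, step 3): send the token Devise returned at
//      login on every request. The "X-Auth-Token" header name is an assumption
//      made for this example; Devise 2.1 by default reads an auth_token
//      request parameter, so the server has to be told to accept the header.

// Stand-in for Backbone.sync so the example runs under Node. Real Backbone.sync
// calls $.ajax; this one just returns the request it would have made.
const Backbone = {
  sync(method, model, options) {
    const verbs = { create: 'POST', update: 'PUT', patch: 'PATCH', delete: 'DELETE', read: 'GET' };
    return {
      type: verbs[method],
      url: options.url || model.url,
      headers: options.headers || {},
      data: options.data,
    };
  },
};

// Wrap Backbone.sync so every request carries the CSRF token (session auth)
// and, when one is available, the Devise auth token. Both values come from
// callbacks: in a browser getCsrfToken would read
// document.querySelector('meta[name="csrf-token"]').content, which Rails'
// csrf_meta_tags helper emits into the layout, and getAuthToken would return
// the token the app stored when the user logged in.
function installAuthSync(getCsrfToken, getAuthToken) {
  const originalSync = Backbone.sync;
  Backbone.sync = function (method, model, options) {
    const opts = Object.assign({}, options);
    const headers = Object.assign({}, opts.headers);
    if (method !== 'read') {
      // Rails only verifies the CSRF token on non-GET requests, so reads are left alone.
      const csrf = getCsrfToken();
      if (csrf) headers['X-CSRF-Token'] = csrf;
    }
    const authToken = getAuthToken();
    if (authToken) {
      // A header rather than a query-string parameter: query strings end up in
      // server logs, proxies and Referer headers, where a bearer token should not be.
      headers['X-Auth-Token'] = authToken;
    }
    opts.headers = headers;
    return originalSync.call(this, method, model, opts);
  };
  // Undo the wrap (on logout, or between tests).
  return function uninstall() { Backbone.sync = originalSync; };
}

// Constructed sample model and tokens; not real values.
const post = { url: '/posts/1' };
const SAMPLE_CSRF = 'csrf-sample-token';
const SAMPLE_AUTH = 'auth-sample-token';

// Runs one state-changing request, one read, and one request after uninstalling
// the wrapper, and returns the three requests the stand-in sync produced.
function demo() {
  const uninstall = installAuthSync(() => SAMPLE_CSRF, () => SAMPLE_AUTH);
  const update = Backbone.sync('update', post, { data: '{"title":"x"}' });
  const read = Backbone.sync('read', post, {});
  uninstall();
  const afterUninstall = Backbone.sync('update', post, {});
  return { update, read, afterUninstall };
}

demo();
```

If you go with the first answer's session-only setup, the `getAuthToken` callback can simply return `null` and only the CSRF header is added; the wrapper still matters, because a Backbone `save()` without `X-CSRF-Token` is exactly the request that makes Rails 3.2 drop the session.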