Post on 15-May-2015
Authentication in iOS and Rails using Devise
What is Authentication?
Login using username / email + password from iOS
[optional] Account creation from iOS
Talks to the backend (Rails with Devise)
Should do validations, prevent dup accounts, etc.
Omfg there is no out-of-the-box solution
Some googling suggests HTTP Basic Auth. DON’T DO THIS!!
Use an authentication token solution
Authentication Token
[Diagram: iOS on the left, Rails on the right]
iOS -> Rails: send email and password using HTTPS
Rails -> iOS: respond with auth token
iOS -> Rails: send auth token for other requests over HTTP(s)
Why Auth Token?
Minimizes risk of the password being compromised, since it’s never persisted on iOS
You can revoke the auth token at any time from your backend
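The token flow on the previous slide and the revocation point above, as an added example that is not part of the original slides or of Devise itself: a small Ruby class (hypothetical name TokenAuth, in-memory hashes standing in for the users table) that issues a random token on a successful email + password login, keeps only the token’s SHA-256 digest server-side, looks later requests up by that digest, and kills the token on revoke or on a fresh login.

```ruby
require 'securerandom'
require 'openssl'
require 'digest'

# Added example, not code from the slides: server side of the iOS <-> Rails
# token flow. @users and @tokens are in-memory stand-ins for database tables.
class TokenAuth
  PBKDF2_ITERATIONS = 100_000

  def initialize
    @users  = {} # email => { salt:, password_digest: }
    @tokens = {} # SHA-256 hex digest of token => email
  end

  # Account creation: refuse duplicates, store only a salted password digest.
  def register(email, password)
    return false if @users.key?(email)
    salt = SecureRandom.hex(16)
    @users[email] = { salt: salt, password_digest: password_digest(salt, password) }
    true
  end

  # Step 1: client sends email + password (over HTTPS). On success, return a
  # fresh random token; the server keeps only its digest, so a database dump
  # does not hand out usable tokens. Any earlier token for the user is dropped.
  def login(email, password)
    user = @users[email]
    return nil unless user
    return nil unless secure_compare(user[:password_digest],
                                     password_digest(user[:salt], password))
    @tokens.delete_if { |_digest, owner| owner == email }
    token = SecureRandom.urlsafe_base64(32)
    @tokens[Digest::SHA256.hexdigest(token)] = email
    token
  end

  # Step 2: later requests carry only the token (header, cookie or query
  # string; the transport is the caller's choice). Returns the email of the
  # authenticated user, or nil.
  def authenticate(token)
    return nil if token.nil? || token.empty?
    @tokens[Digest::SHA256.hexdigest(token)]
  end

  # Revocation from the backend: once the digest is gone, the token is dead
  # no matter what the device still has stored.
  def revoke(email)
    before = @tokens.size
    @tokens.delete_if { |_digest, owner| owner == email }
    @tokens.size < before
  end

  private

  def password_digest(salt, password)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, PBKDF2_ITERATIONS, 32,
                               OpenSSL::Digest.new('sha256')).unpack1('H*')
  end

  # Constant-time comparison so a wrong password fails in the same time
  # regardless of which byte differs.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    left = a.unpack('C*')
    result = 0
    b.each_byte { |byte| result |= byte ^ left.shift }
    result.zero?
  end
end
```

The token itself is never persisted on the server; only the digest is, which is the same reason the slides give for not storing the password on the device. Sending the token in an Authorization header rather than the query string keeps it out of web server access logs.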
General Tips
Use SSL at a minimum for the initial authentication part
Auth token in the query string, e.g. http://yoursite/private_cat_photos?auth_token=asdf
Or store in a HTTP cookie (optionally with the “secure” flag set)
iOS Tips
Don’t store the password on the device!!
Store auth token (and email if you care) in NSUserDefaults or use the iOS Keychain Services
AFNetworking is a nice wrapper on the built-in technologies
Self-signed certs are annoying; there are a few ways to handle this: either use a compile flag, or you may need to subclass AFHTTPClient
G*d*mit Devise doesn’t play nice with APIs
If you try to use the devise built-in controllers, you’ll notice it will try to HTTP redirect your API calls (WTF)
You’ll need to do some massaging…
Standard Devise Massaging 1/2
Migrations:
User model:
Standard Devise Massaging 2/2
devise.rb:
application.rb:
routes.rb:
Other Devise Massaging
On your controllers needing authentication:
Don’t do this!:
Non-Trivial Devise Massaging
User registration is more annoying; you’ll probably want a custom solution, e.g. copy and paste Devise functionality as needed
SSL Pinning
Done