authenticate_or_request_with_http_token returning html instead of json

Question

I've created a rails-api application and proceeded to secure it using token authentication.

I've set a before_filter that is calling a method which uses authenticate_or_request_with_http_token. Everything is working fine but, when the authentication is incorrect i'm getting an html response.

How can I define what format the response should be?

before_filter :restrict_access

private

def restrict_access
  authenticate_or_request_with_http_token do |token, options|
    check_token token
  end
end

def check_token(token)
  Session.exists?(access_token: token)
end

Answer 1

By including ActionController::HttpAuthentication::Token::ControllerMethods you include several methods, amongst others request_http_token_authentication which is simply a wrapper around Token.authentication_request. That #authentication_request-method is the culprit and sends the plain text (not HTML as your question suggests) as follows:

def authentication_request(controller, realm)
  controller.headers["WWW-Authenticate"] = %(Token realm="#{realm.gsub(/"/, "")}")
  controller.__send__ :render, :text => "HTTP Token: Access denied.\n", :status => :unauthorized
end

The trick is to override request_http_token_authentication in your ApplicationController to not call Token.authentication_request but to set the correct status and headers and then render JSON instead. Add this to your ApplicationController:

protected
def request_http_token_authentication(realm = "Application")
  self.headers["WWW-Authenticate"] = %(Token realm="#{realm.gsub(/"/, "")}")
  render :json => {:error => "HTTP Token: Access denied."}, :status => :unauthorized
end

Answer 2

From Rails 5, the authenticate_or_request_with_http_token method allows a second parameter with a custom message, so you could just do:

  authenticate_or_request_with_http_token('realm', json_error) do |token, options|
    check_token token
  end