I have a Rails application (irrelevant, I know) and I want to authenticate an iOS app against the Rails app, and persist the authentication so future requests to the Rails API work without re-authenticating each request. Conceptually, here's what I want to do... I'm not sure if this is the best approach, though.
Alright, so in my Rails app each user has a unique token (SHA1 hash). I was thinking the first time the iPhone app is loaded, the user would see a username/password screen. They'd enter their credentials for the Rails app, and upon successful authentication, the Rails app would return their unique user token that could then be stored in the keychain? And from there on out, I was thinking I could simply append the user token to all API requests and that's how I could verify the user within the Rails app. This would also keep the username/password independent of the iPhone app (so the user could change their username/password in the Rails app, but the iPhone app wouldn't care about that since it would be using their token, which would not change).
I thought my URL requests might look something like this:
http://example.com/api/v1/[whatever].json?token=XXXXXXXXXXXXXXX
Does that sound like a reasonable approach to take? Or are there concerns I'm not aware of with this approach? I've been doing Rails work for a long time, but I'm relatively new to iOS (only have 1 app under my belt, and it didn't require any authentication).
If this is a good approach to take, is it hard to work with the keychain? I think I read that the simulator and the device itself don't support the same APIs for keychain access? (or maybe the simulator doesn't support mock keychain access)
Thanks in advance. I tried searching through older posts, but none seem to answer my specific situation.
We've used this approach with iOS connecting with Rails apps and haven't had any issues. In your api controllers, just have a before filter that finds your user based on your token, and returns a 401 if it's not valid.
Then, your mobile device knows if it receives a 401, then show the login screen to get a new/valid token. Put that in a connection factory and you'll be good to go.
You can also add it to the header if you want to keep the URLs clean, but I've had no problems with the URL param approach.
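A stripped-down version of that before filter in plain Ruby, as an added example rather than the answerer's code (the USERS hash and the token value are constructed sample data, and the request is a bare Rack-style env hash so it runs without Rails): it reads the token from either the query string or an Authorization header, looks up the user, and returns 401 when nothing matches, which is the signal the client uses to show its login screen.

```ruby
require 'cgi'

# Constructed stand-in for the users table, keyed by each user's token
# (a 40-char SHA1-style value, as in the question). Not real data.
USERS = {
  'deadbeef' * 5 => { id: 1, name: 'alice' }
}.freeze

# Accept the token either as ?token=... (the question's URL form) or as
# "Authorization: Bearer ..." (the "add it to the header" variant).
def extract_token(env)
  auth = env['HTTP_AUTHORIZATION'].to_s
  return auth.sub(/\ABearer\s+/, '') if auth.start_with?('Bearer ')
  CGI.parse(env['QUERY_STRING'].to_s)['token'].first
end

# "Find your user based on your token": nil means no valid user.
def find_user_by_token(token)
  return nil if token.nil? || token.empty?
  USERS[token]
end

# The before filter: either the user is known, or the request is
# short-circuited with a 401 before any controller action runs.
def authenticate(env)
  user = find_user_by_token(extract_token(env))
  unless user
    return [401,
            { 'Content-Type' => 'application/json', 'WWW-Authenticate' => 'Bearer' },
            ['{"error":"unauthorized"}']]
  end
  [200, { 'Content-Type' => 'application/json' }, [%({"user":"#{user[:name]}"})]]
end

# Client side of the same contract: a 401 means "show the login screen
# and fetch a fresh token"; anything else is a normal API response.
def client_outcome(response)
  response[0] == 401 ? :show_login : :ok
end
```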
See this: http://code.google.com/apis/accounts/docs/MobileApps.html