JSON Web Token with Devise

I hope this does not count as an opinionated question. I just need to be pointed in the right direction.

I am modifying the Devise gem to work purely with JSON. I have had no problems with the registration, confirmation, re-confirmation, locking so far.

However, while working with the sign in, I dug deeper and understand that the default Devise sign in strategy uses Warden as it has to do with sessions and Rack authentication.

I understand JWT contains all the information in itself and does not need sessions.

So if I strip the default Devise strategy of everything and simply return a JWT on success and errors on error, would that be the right approach?

Am I missing something?

Noman Ur Rehman Avatar asked Mar 21 '16 17:03



3 Answers

In order to use JWT with Devise, I recommend not monkey patching Devise and instead using a tool others can audit and test.

For this reason, I developed devise-jwt. It does zero monkey patching and leverages warden, which is the authentication library below devise. You can also read more about it in this post I wrote: A Secure JWT Authentication Implementation for Rack and Rails

Hope it helps

Waiting for Dev... Avatar answered Sep 22 '22 15:09



You probably shouldn't be hacking your Devise gem source. I suggest just using the Devise Token Auth gem to handle tokens instead.

https://github.com/lynndylanhurley/devise_token_auth

It will generate and authenticate valid RFC 6750 Bearer Tokens.

According to their README:

  • Seamless integration with both the venerable ng-token-auth module for angular.js and the outstanding jToker plugin for jQuery.
  • Oauth2 authentication using OmniAuth.
  • Email authentication using Devise, including:
    • User registration
    • Password reset
    • Account updates
    • Account deletion
  • Support for multiple user models.
  • It is secure.
SacWebDeveloper Avatar answered Sep 20 '22 15:09



I wouldn't use devise_token_auth since it seems like too much hassle and ... you store tokens in the db :/. Why would we want to do so if JWT is available?

I'd rather add a new strategy to Warden/Devise couple and let them work as they should.

Here's an example: https://medium.com/@goncalvesjoao/rails-devise-jwt-and-the-forgotten-warden-67cfcf8a0b73. One thing to note: JWTWrapper doesn't really belong in app/helpers/. You need to inject somewhere a call to JWTWrapper.encode({ user_id: current_user.id }) once your users successfully sign in with their email/password. Perhaps in the Devise SessionsController?

def create
  # Run the Devise/Warden password strategy; on failure Warden throws and
  # the request ends with a 401 before the lines below run
  self.resource = warden.authenticate!(auth_options)
  sign_in(resource_name, resource)
  yield resource if block_given?
  # Return the JWT for the signed-in user instead of Devise's default redirect
  render json: JWTWrapper.encode({ user_id: current_user.id })
end

You might want to do this only for xhr or json (format) requests.

januszm Avatar answered Sep 20 '22 15:09

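The JWTWrapper and Warden strategy that this answer refers to, as an added example that is not code from the original answer or the linked article: it builds HS256 tokens on the Ruby standard library instead of the jwt gem, rejects unexpected algorithms, bad signatures and expired tokens, and pulls the Bearer token from the Rack env the way a Warden strategy's authenticate! would. The secret is a constructed demo value and user_id_from_bearer is a hypothetical helper name.

```ruby
require 'openssl'
require 'base64'
require 'json'

module JWTWrapper
  SECRET = 'constructed-demo-secret-replace-in-real-app'.freeze # constructed value
  ALG    = 'HS256'.freeze

  def self.b64(data) = Base64.urlsafe_encode64(data, padding: false)
  def self.sign(input) = OpenSSL::HMAC.digest('SHA256', SECRET, input)

  # Issue a token carrying the payload plus iat/exp claims (ttl in seconds).
  def self.encode(payload, ttl: 3600, now: Time.now.to_i)
    header = { alg: ALG, typ: 'JWT' }
    body   = payload.merge(iat: now, exp: now + ttl)
    signing_input = "#{b64(JSON.generate(header))}.#{b64(JSON.generate(body))}"
    "#{signing_input}.#{b64(sign(signing_input))}"
  end

  # Returns the payload hash, or nil for malformed, wrong-alg, forged or expired
  # tokens. Never raises to the caller.
  def self.decode(token, now: Time.now.to_i)
    parts = token.to_s.split('.')
    return nil unless parts.size == 3
    header = JSON.parse(Base64.urlsafe_decode64(parts[0]))
    return nil unless header.is_a?(Hash) && header['alg'] == ALG # no "none"
    expected = sign("#{parts[0]}.#{parts[1]}")
    return nil unless OpenSSL.secure_compare(expected, Base64.urlsafe_decode64(parts[2]))
    payload = JSON.parse(Base64.urlsafe_decode64(parts[1]))
    return nil unless payload.is_a?(Hash) && payload['exp'].is_a?(Integer)
    now < payload['exp'] ? payload : nil
  rescue ArgumentError, JSON::ParserError
    nil
  end
end

# What a Warden strategy does with the Rack env: read the RFC 6750 Bearer
# token and hand back the user id (nil means fail!). Hypothetical helper name.
def user_id_from_bearer(env)
  auth = env['HTTP_AUTHORIZATION'].to_s
  return nil unless auth.start_with?('Bearer ')
  payload = JWTWrapper.decode(auth.delete_prefix('Bearer '))
  payload && payload['user_id']
end

# Wiring it into Warden/Devise in a real app would look like:
#   Warden::Strategies.add(:jwt) do
#     def valid?       = env['HTTP_AUTHORIZATION'].to_s.start_with?('Bearer ')
#     def authenticate!
#       id = user_id_from_bearer(env)
#       id ? success!(User.find(id)) : fail!('invalid or expired token')
#     end
#   end
```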