API Mode Compatibility Guide
This guide is meant to shine a bit of light onto deploying Devise in Rails 'API-only' applications. Due to the nature of an API-only deployment, many of the features provided in a traditional (or full) Rails application are not available, such as forms and cookies. There are no 'views' for presenting forms, so the client needs to know the request structure. That said, if your client knows where to put the right parameters, you can continue to use Devise as your authentication solution.
Rails 'API-only' applications are defined as applications specifically configured as such (created with `rails new my-app --api`, for instance) and where `Devise.parent_controller` extends from `ActionController::API` (and not `ActionController::Base`).
Unless otherwise noted, all requests are expected to be JSON, containing BOTH headers:
Content-Type: 'application/json'
Accept: 'application/json'
I've created a Postman collection for testing this (points to a local Rails server).
Actions that trigger HTML views will not render due to the lack of template processing and missing middleware.
Registerable: No known issues.
Confirmable: No known issues.
Lockable: Small bug in email sending. That said, without the email the actual token is not published and so it is effectively broken.
Recoverable: No known issues.
Rememberable: Due to cookie usage, this module is unsupported.
Timeoutable: No known issues, although since it works 'against' Rememberable, it is unnecessary if using HTTP auth.
Trackable: No known issues.
Validatable: No known issues.
Authenticatable & Database Authenticatable: Issue in 'logout' action. No other issues. HTTP auth is the only supported 'built-in' Warden strategy.
Omniauthable: Needs investigation. Personally, I haven't had much need to use this in the past, so it might take a bit to set up a testing bench for it.
Will follow up and make PRs to fix these as time permits.
user.lock_access! => locked email triggers template error in email (`unlock_url` helper missing)
session destroy (logout) => NoMethodError (undefined method `respond_to' for #<Devise::SessionsController:0x00007fdb3dbd1058>
--/devise/app/controllers/devise/sessions_controller.rb:78:in `respond_to_on_destroy'
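
The request shape described above (both JSON headers, parameters nested under the resource name, HTTP auth instead of a session cookie), as an added client-side example that is not part of the original guide or of Devise itself. It assumes a model named User mounted with `devise_for :users`, HTTP auth enabled with `config.http_authenticatable = true`, and a hypothetical `/profile` endpoint; the base URLs and credentials are constructed.

```ruby
require "net/http"
require "json"
require "uri"

# Assumptions (not from the guide): Devise model User on the default
# `devise_for :users` routes, `config.http_authenticatable = true` in the
# Devise initializer, and a hypothetical protected endpoint /profile.
JSON_HEADERS = {
  "Content-Type" => "application/json",
  "Accept"       => "application/json"
}.freeze

# HTTP Basic credentials are only base64-encoded, so refuse to build a
# request for plain http unless the host is a local development server.
def check_transport!(uri)
  return if uri.scheme == "https"
  return if %w[localhost 127.0.0.1].include?(uri.host)
  raise ArgumentError, "refusing to send credentials over #{uri.scheme}://#{uri.host}"
end

# Registration: POST /users with parameters nested under the resource name,
# the same shape a Devise form would have submitted.
def registration_request(base, email, password)
  uri = URI.join(base, "/users")
  check_transport!(uri)
  req = Net::HTTP::Post.new(uri, JSON_HEADERS)
  req.body = JSON.generate(user: { email: email, password: password,
                                   password_confirmation: password })
  req
end

# Authenticated call: there is no session cookie in API mode, so every
# request carries an Authorization: Basic header.
def authenticated_get(base, path, email, password)
  uri = URI.join(base, path)
  check_transport!(uri)
  req = Net::HTTP::Get.new(uri, JSON_HEADERS)
  req.basic_auth(email, password)
  req
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values; prints the headers without the credential.
  req = authenticated_get("http://localhost:3000", "/profile", "a@example.test", "s3cret-pass")
  req.each_header { |k, v| puts "#{k}: #{k == 'authorization' ? '[redacted]' : v}" }
end
```

Pass the returned request to `Net::HTTP#request` on a connection opened with `use_ssl: true` to send it.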