Skip to content

API Mode Compatibility Guide

Colin Ross edited this page Nov 6, 2019 · 4 revisions

API Mode Compatibility Guide

This guide is meant to shine a bit of light onto deploying devise in Rails 'API-only' applications. Due to the nature of an api-only deployment, many of the features provided in a traditional (or full) Rail application are not available, such as forms and cookies. There is no 'views' for presenting forms, so knowledge of the request structure is required in the client. That said, if your client knows where to put the right parameters, you can continue to use devise as your authentication solution.

Assumptions

Rails 'API-only' applications are defined as applications specifically configured as such (created with rails new my-app --api-only for instance) and where Devise.parent_controller extends from ActionController::API (and not ActionController::Base).

Unless otherwise noted, all requests are expected to be JSON, eg.

  Content-Type: 'application/json'
  Accept: 'application/json'

Postman collection

I've created a postman collection for testing this (points to a local rails server). Run in Postman

Views

Actions that trigger html views will not render due to the lack of template processing and missing middleware.

Module Compatibility

Registerable: No known issues.

Confirmable: No known issues.

Lockable: Small Bug in email sending. That said, without the email the actual token is not published and so it is effectively broken.

Recoverable: No known issues.

Rememberable: Due to cookie usage, this module is unsupported.

Timeoutable: No known issues, although since it works 'against' rememberable, it is unnecessary if using http auth.

Trackable: No known issues.

Validatable: No known issues.

Authenticatable & Database Authenticatable: Issue in 'logout' action. No other issues. Http Auth is the only supported 'built-in' warden strategy

Omniauthable: Needs Investigation. Personally, I haven't had much need to use this in the past, so it might take a bit to setup a testing bench for it.

Issues

Will follow-up and make PRs to fix these as time permits.

user.lock_access! => locked email triggers template error in email (`unlock_url` helper missing)
session destroy (logout) => NoMethodError (undefined method `respond_to' for #<Devise::SessionsController:0x00007fdb3dbd1058>
--/devise/app/controllers/devise/sessions_controller.rb:78:in `respond_to_on_destroy'
Clone this wiki locally