Authentication in iOS and Rails using Devise

Post on 15-May-2015

Authentication in iOS and Rails using Devise

What is Authentication?

Login using username / email + password from iOS

[optional] Account creation from iOS

Talks to the backend (Rails with Devise)

Should do validations, prevent dup accounts, etc.

Omfg there is no out-of-the-box solution

Some googling suggests HTTP Basic Auth. DON’T DO THIS!!

Use an authentication token solution

Authentication Token

iOS -> Rails: Send email and password using HTTPS

Rails -> iOS: Respond with auth token

iOS -> Rails: Send auth token for other requests HTTP(s)

Why Auth Token?

Minimizes risk of password being compromised since it’s never persisted on iOS

You can revoke the auth token at any time from your backend
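
The token flow and backend-side revocation described above, as an added example that is not from the original slides: a plain-Ruby, in-memory stand-in for the Rails backend. The class and method names are hypothetical, PBKDF2 stands in for Devise's password hashing, and keeping only a SHA-256 digest of each token on the server is an assumption of this example.

```ruby
require "securerandom"
require "openssl"
require "digest"

# Added example: in-memory stand-in for the Rails backend (names are hypothetical).
class TokenBackend
  ITERATIONS = 100_000 # PBKDF2 work factor; stands in for Devise's password hashing

  def initialize
    @users  = {} # email => { salt:, hash: }
    @tokens = {} # SHA-256 hex digest of token => email
  end

  # Account creation; rejects duplicate accounts.
  def register(email, password)
    raise ArgumentError, "account already exists" if @users.key?(email)
    salt = SecureRandom.random_bytes(16)
    @users[email] = { salt: salt, hash: kdf(password, salt) }
  end

  # Email + password in, fresh random token out (nil on bad credentials).
  def sign_in(email, password)
    user = @users[email]
    return nil unless user && secure_equal?(kdf(password, user[:salt]), user[:hash])
    token = SecureRandom.urlsafe_base64(32)
    @tokens[Digest::SHA256.hexdigest(token)] = email # only the digest is kept
    token
  end

  # Every later request presents the token; returns the owner's email or nil.
  def authenticate(token)
    @tokens[Digest::SHA256.hexdigest(token.to_s)]
  end

  # Revocation from the backend: the device's stored token stops working.
  def revoke_all(email)
    @tokens.delete_if { |_digest, owner| owner == email }
  end

  private
  def kdf(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, 32, OpenSSL::Digest.new("SHA256"))
  end

  # Compare without stopping at the first differing byte.
  def secure_equal?(a, b)
    a.bytesize == b.bytesize && a.bytes.zip(b.bytes).sum { |x, y| x ^ y }.zero?
  end
end
```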

General Tips

Use SSL at a minimum for the initial authentication part

Auth token in the query string: http://yoursite/private_cat_photos?auth_token=asdf

Or store in a HTTP cookie (optionally with the “secure” flag set)

iOS Tips

Don’t store the password on the device!!

Store auth token (and email if you care) in NSUserDefaults or use the iOS Keychain Services

AFNetworking is a nice wrapper on built-in technologies

Self-signed certs are annoying. There are a few ways to handle this: either use a compile flag, or you may need to subclass AFHTTPClient

G*d*mit Devise doesn’t play nice with APIs

If you try to use the devise built-in controllers, you’ll notice it will try to HTTP redirect your API calls (WTF)

You’ll need to do some massaging…

Standard Devise Massaging 1/2

Migrations:

User model:

Standard Devise Massaging 2/2

devise.rb:

application.rb:

routes.rb:

Other Devise Massaging

On your controllers needing authentication:

Don’t do this!:

Non-Trivial Devise Massaging

User registration is more annoying; you’ll probably want a custom solution, such as copying and pasting Devise functionality as needed

SSL Pinning

Done