By quantising the time taken for failed lookups, we can mitigate timing-based attacks. This allows a regular DB or cache lookup on the token to be used without revealing information about how good the candidate match is, and thus thwarts timing attacks.
def authenticate_user_from_token!
  auth_token = params[Devise.token_authentication_key]
  if auth_token
    t = Time.now
    if (user = User.where(authentication_token: auth_token).first)
      sign_in user, store: false
    else