Devise as authentication solution for rails API

application_controller.rb

# app/controllers/application_controller.rb
class ApplicationController < ActionController::Base
  acts_as_token_authentication_handler_for User, fallback_to_devise: false
  respond_to :json
  protect_from_forgery with: :null_session
end

auth_helpers.rb

# spec/support/auth_helpers.rb
module AuthHelpers
  def auth_token_to_headers(user)
    request.headers['X-User-Email'] = "#{user.email}"
    request.headers['X-User-Token'] = "#{user.authentication_token}"
  end

  def clear_auth_token
    request.headers['X-User-Email'] = nil
    request.headers['X-User-Token'] = nil
  end
end

confirmations_controller.rb

# app/controllers/v1/custom_devise/confirmations_controller.rb
module V1
  module CustomDevise
    class ConfirmationsController < Devise::ConfirmationsController
      respond_to :json

      # GET /resource/confirmation?confirmation_token=abcdef
      def show
        self.resource = User.confirm_by_token(params[:confirmation_token])

        yield resource if block_given?

        if resource.errors.empty?
          render file: 'v1/custom_devise/sessions/create', locals: { current_user: resource}
        else
          render file: "#{Rails.root}/public/422.json", status: :unprocessable_entity, locals: { errors: resource.errors.full_messages }
        end
      end

    end
  end
end

development.rb

# config/environment/development.rb
config.action_mailer.default_url_options = { host: 'localhost', port: 3000 }

devise.rb

config.mailer_sender = '...'
config.skip_session_storage = [:http_auth, :token_auth]

# if :confirmable
config.allow_unconfirmed_access_for = 2.days

Gemfile

gem 'devise', '3.2.4'
gem 'simple_token_authentication', '1.5.0'

generators.sh

rails generate devise:install
rails generate devise User

migration.rb

class DeviseCreateUsers < ActiveRecord::Migration
  def change
    create_table(:users) do |t|
      ## Database authenticatable
      t.string :email, null: false
      t.string :encrypted_password

      t.string :first_name, null: false
      t.string :last_name, null: false

      t.string :uuid
      t.string :authentication_token

      ## Recoverable
      t.string :reset_password_token
      t.datetime :reset_password_sent_at

      ## Trackable
      t.integer :sign_in_count, default: 0, null: false
      t.datetime :current_sign_in_at
      t.datetime :last_sign_in_at
      t.string :current_sign_in_ip
      t.string :last_sign_in_ip

      ## Confirmable
      t.string :confirmation_token
      t.datetime :confirmed_at
      t.datetime :confirmation_sent_at
      t.string :unconfirmed_email # Only if using reconfirmable

      t.timestamps
    end

    add_index :users, :email, unique: true
    add_index :users, :reset_password_token, unique: true
    add_index :users, :authentication_token, unique: true
    add_index :users, :confirmation_token,   unique: true
  end
end

registrations_controller.rb

# app/controllers/v1/custom_devise/registrations_controller.rb
module V1
  module CustomDevise
    class RegistrationsController < Devise::RegistrationsController

    respond_to :json

      acts_as_token_authentication_handler_for User
      
      skip_before_filter :authenticate_entity_from_token!, only: [:create]
      skip_before_filter :authenticate_entity!, only: [:create]

      skip_before_filter :authenticate_scope!
      append_before_filter :authenticate_scope!, only: [:destroy]


      # POST /users
      def create
        build_resource(param_keys_to_snake_case(sign_up_params))

        if resource.save
          sign_up(resource_name, resource)
          render file: 'v1/custom_devise/registrations/create', status: :created
        else
          clean_up_passwords resource
          render file: "#{Rails.root}/public/422.json", status: :unprocessable_entity, locals: { errors: resource.errors.full_messages }
        end
      end


      # DELETE /users/UUID
      def destroy
        resource.deactivated_at = DateTime.now
        resource.save!
        Devise.sign_out_all_scopes ? sign_out : sign_out(resource_name)
      end

      private

      def sign_up_params
        params.fetch(:user).permit([:password, :passwordConfirmation, :email, :firstName, :lastName])
      end

    end
  end
end

routes.rb

# config/routes.rb
Rails.application.routes.draw do

  scope module: :v1, constraints: ApiConstraints.new(version: 1, default: :true, domain: APPLICATION_DOMAIN), defaults: {format: 'json'} do
    devise_for :users, controllers: {
        registrations: 'v1/custom_devise/registrations',
        confirmations: 'v1/custom_devise/confirmations',
        sessions: 'v1/custom_devise/sessions'
    }
  end

end

secure_compare.rb

user = User.find_by_email(params[:user_email].presence)
 
if user && Devise.secure_compare(user.authentication_token, params[:user_token])
  sign_in user, store: false
end

sessions_controller.rb

# app/controllers/v1/custom_devise/sessions_controller.rb
module V1
  module CustomDevise
    class SessionsController < Devise::SessionsController
      respond_to :json

      acts_as_token_authentication_handler_for User, fallback_to_devise: false
      skip_before_filter :authenticate_entity_from_token!, only: [:create]
      skip_before_filter :authenticate_entity!, only: [:create]

      # POST /users/sign_in
      def create
        allow_params_authentication!
        self.resource = warden.authenticate!(auth_options)

        reset_token resource
        render file: 'v1/custom_devise/sessions/create'
      end


      # DELETE /users/sign_out
      def destroy
        warden.authenticate!
        reset_token current_user
      end

      private

      def sign_in_params
        params.fetch(:user).permit([:password, :email])
      end

      def reset_token(resource)
        resource.authentication_token = nil
        resource.save!
      end
    end
  end
end

token_generation.rb

def generate_authentication_token
  loop do
    token = Devise.friendly_token
    break token unless self.class.exists?(authentication_token: token)
  end
end

user.rb

# models/user.rb
class User < ActiveRecord::Base
  acts_as_token_authenticatable

  devise :database_authenticatable, :registerable, :recoverable, :trackable, :validatable, :confirmable

  validates :first_name, presence: true
  validates :last_name, presence: true

  # left up to Devise to validate
  # validates_presence_of :password_confirmation
  # validates_uniqueness_of :email, case_sensitive: true
end

Excellent explanation! Its so helpful to understand Devise

@aleksb86 I'm glad it could be of use to you even though it is quite aged by now. Here's an equally old blog post for which I created those gists:

http://perpetuum-mobile.net/tech/devise-as-authentication-solution-for-rails-api/

Hi @bosskovic, do you have a strategy for users to reset password using rails API? Thanks.