# This snippet shows how TokenAuthenticatable works in Devise today.
# If you want to maintain backwards compatibility, you can ditch
# Devise's token mechanism in favor of this hand-rolled one. If not,
# it is recommended to migrate to the mechanism defined in the following
# snippet (2_safe_token_authenticatable.rb).
# In both snippets, we are assuming the User is the Devise model.
# Devise model that carries a hand-rolled authentication token.
# NOTE(review): this listing looks truncated. No callback declaration, `def`,
# `loop do` or `end` lines are visible around the statements below, so read
# them as fragments of the original methods rather than as runnable code.
class User < ActiveRecord::Base
# You likely have this before callback set up for the token.
# Assigns a freshly generated token to the record.
self.authentication_token = generate_authentication_token
# Candidate token taken from Devise's random token helper.
token = Devise.friendly_token
# Keep the candidate only when no existing user already holds it. `break`
# implies an enclosing loop that retries on a collision (not visible here).
# The lookup and the later save are separate steps, so this check alone does
# not guarantee uniqueness under concurrent writes; a unique index on
# authentication_token would be needed for that. TODO confirm the schema.
# The token is queried by its raw value, so it appears to be stored as-is;
# treat the column as a credential (backups, read replicas, admin consoles).
break token unless User.where(authentication_token: token).first
# With a token setup, all you need to do is override
# your application controller to also consider token lookups:
# Base controller that accepts the user token in addition to Devise's own
# authentication.
# NOTE(review): this listing looks truncated. The two filter declarations
# that the next two comments describe, the `def` line of the token method and
# the closing `end`s are not visible here.
class ApplicationController < ActionController::Base
# This is our new function that comes before Devise's one
# This is Devise's authentication
# For this example, we are simply using token authentication
# via parameters. However, anyone could use Rails's token
# authentication features to get the token from a header.
# Request parameters commonly end up in server logs, browser history and
# Referer headers, so a header is the safer transport; if the parameter is
# kept, add user_token to config.filter_parameters so it is not logged.
# `.presence` turns a blank value into nil, so an empty token never reaches
# the lookup below.
user_token = params[:user_token].presence
# `.to_s` forces a String, so a nested parameter (Hash or Array) is not handed
# to the finder as a query condition.
# The token is matched inside the database query, which is not a
# constant-time comparison, so response timing may leak information about
# valid tokens. This is presumably why the header of this file recommends
# migrating to 2_safe_token_authenticatable.rb; the usual mitigation is to
# find the record by a non-secret key and compare the token with
# Devise.secure_compare.
user = user_token && User.find_by_authentication_token(user_token.to_s)
# Notice we are passing store false, so the user is not
# actually stored in the session and a token is needed
# for every request. If you want the token to work as a
# sign in token, you can simply remove store: false.
# NOTE(review): no `if user` guard is visible in this listing; sign_in should
# only run when the lookup above returned a user. Confirm against the full
# file.
sign_in user, store: false