
How do I stop the auth_token generation when a user is created ?

Open ratneshnavlakhe opened this issue 8 years ago • 5 comments

The auth_token gets created in the database when we try to create the user, how do we stop this to generate auth_token only at login POST call.

ratneshnavlakhe commented Feb 15 '17 12:02

Hello @ratneshnavlakhe,

A before_save hook is set as part of making a model token authenticatable (source - the ensure_authentication_token method is defined a few lines before). You can modify that to prevent the generation of a new authentication token when the record is created.

Let me know what you decided to do, it might be useful for someone else!

gonzalo-bulnes commented Feb 16 '17 08:02

@gonzalo-bulnes: This is definitely useful to us. As the authentication token is effectively a password that the customer likely doesn't know about (when they first sign up), it opens access to their information that they may not be considering protecting. I'd rather have as few paths of access to secured content as possible.

As a workaround for this I've changed my User model to skip that callback:

class User < ActiveRecord::Base
  acts_as_token_authenticatable
  devise :database_authenticatable, :recoverable, :rememberable, :registerable, :trackable
  # Drop the before_save callback the gem registers, so no token is generated on sign-up
  skip_callback(:save, :before, :ensure_authentication_token)
...

@ratneshnavlakhe In addition to above, then you would need to call User#ensure_authentication_token from your controller.

jeremywadsack commented May 05 '17 18:05

I think a short term solution would be to add skip_callback(:save, :before, :ensure_authentication_token) to the docs, and a more permanent option would be to add a configuration option and register the callback if configured.

kluzny commented Jun 02 '17 17:06

I think we should also couple a public API for manually generating a token.

It appears that the current ensure_authentication_token only works if the token is nil, so you have to nil it, then save it (or call ensure_authentication_token manually). To just create a new one if it exists, we have to use the private API, which is less desirable:

user.send(:generate_authentication_token, user.send(:token_generator))

Both current methods require understanding how the methods work internally.

kluzny commented Jun 02 '17 18:06

Hi @ratneshnavlakhe,

I'm happy to consider a configuration option to register callbacks, what do you have in mind? (I'm currently catching up with a few open issues.) Regarding the update to the docs, no problem, just PR the change you'd like to see, the better the docs the happier all of us : )

On rotating authentication tokens, I've considered so far that a renew_authentication_token method was simple enough to write, not to be added to the gem API. Your mileage may vary, but this is what I had in mind.

@jeremywadsack Thanks for jumping in to help! :smiley:

gonzalo-bulnes commented Aug 06 '17 12:08
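The three behaviours discussed in this thread (a token appearing as soon as the record is saved, the skip_callback workaround that defers it to a login action, and a renew_authentication_token helper that rotates an existing token) can be run side by side without Rails. The following is an added example, not code from the simple_token_authentication gem or from any commenter: ToyUser is a constructed stand-in for an ActiveRecord model with a minimal before_save callback list, and its method names (ensure_authentication_token, renew_authentication_token, generate_authentication_token) are assumptions chosen to mirror the names used above, not the gem's implementation.

```ruby
require 'securerandom'

# Constructed stand-in for a token-authenticatable model (not the gem's code).
# It keeps a class-level list of before_save callbacks so the skip_callback
# workaround from the thread can be exercised without ActiveRecord.
class ToyUser
  attr_accessor :email, :authentication_token

  # Default callback list: the gem-like behaviour, token generated on every save.
  @before_save = [:ensure_authentication_token]

  class << self
    attr_reader :before_save

    # Mirrors skip_callback(:save, :before, :ensure_authentication_token) from the thread.
    def skip_callback(_kind, _stage, name)
      @before_save.delete(name)
    end

    # Restore the default list (used so each scenario below starts clean).
    def reset_callbacks!
      @before_save = [:ensure_authentication_token]
    end
  end

  def initialize(email)
    @email = email
    @authentication_token = nil
  end

  # Run the registered before_save callbacks, then pretend to persist the record.
  def save
    self.class.before_save.each { |callback| send(callback) }
    self
  end

  # Only generates a token when none exists yet (the behaviour kluzny describes):
  # calling it twice returns the same token.
  def ensure_authentication_token
    self.authentication_token = generate_authentication_token if authentication_token.nil?
    authentication_token
  end

  # Always replaces the token; the small renew_* helper the maintainer suggests
  # writing in the application rather than reaching into private gem methods.
  def renew_authentication_token
    self.authentication_token = generate_authentication_token
  end

  private

  # Random, URL-safe token (assumed generator, not the gem's token_generator).
  def generate_authentication_token
    SecureRandom.urlsafe_base64(24)
  end
end

# Scenario 1: default callbacks, a token exists right after sign-up.
def token_on_signup?
  ToyUser.reset_callbacks!
  user = ToyUser.new('signup@example.test').save
  !user.authentication_token.nil?
end

# Scenario 2: callback skipped, so the token is nil until a login action asks
# for it; a second ensure_* call is idempotent, renew_* always rotates.
# Returns [token after sign-up, first login token, second login token, rotated token].
def token_only_on_login
  ToyUser.reset_callbacks!
  ToyUser.skip_callback(:save, :before, :ensure_authentication_token)
  user = ToyUser.new('login@example.test').save
  after_signup = user.authentication_token
  first_login  = user.ensure_authentication_token
  second_login = user.ensure_authentication_token
  rotated      = user.renew_authentication_token
  [after_signup, first_login, second_login, rotated]
end

if __FILE__ == $PROGRAM_NAME
  puts "token on sign-up (default): #{token_on_signup?}"
  signup, login, again, rotated = token_only_on_login
  puts "after sign-up with callback skipped: #{signup.inspect}"
  puts "login issues: #{login}; ensure again: #{again}; renew: #{rotated}"
end
```

The point for a defender is visible in scenario 2: with the callback skipped, a freshly registered account has no bearer-style credential sitting in the database until the user actually authenticates, and rotation is an explicit public call on the model rather than a send into private gem internals.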