A SimpleTokenAuthentication-compatible JSON version of Devise::SessionsController. (UPDATE: For a discussion about this gist and a better version of it, please see https://github.com/gonzalo-bulnes/simple_token_authentication/issues/48#issuecomment-42133939)

sessions_controller.rb

# app/controllers/sessions_controller.rb

class SessionsController < Devise::SessionsController

  # This controller provides a JSON version of the Devise::SessionsController and
  # is compatible with the use of SimpleTokenAuthentication.
  # See https://github.com/gonzalo-bulnes/simple_token_authentication/issues/27

  def create
    # Fetch params
    email = params[:session][:email] if params[:session]
    password = params[:session][:password] if params[:session]

    id = User.find_by(email: email).try(:id) if email.presence

    # Validations
    if request.format != :json
      render status: 406, json: { message: 'The request must be JSON.' }
      return
    end

    if email.nil? or password.nil?
      render status: 400, json: { message: 'The request MUST contain the user email and password.' }
      return
    end

    # Authentication
    user = User.find_by(email: email)

    if user
      if user.valid_password? password
        user.reset_authentication_token!
        # Note that the data which should be returned depends heavily of the API client needs.
        render status: 200, json: { email: user.email, authentication_token: user.authentication_token, id: id }
      else
        render status: 401, json: { message: 'Invalid email or password.' }
      end
    else
      render status: 401, json: { message: 'Invalid email or password.' }
    end
  end

  def destroy
    # Fetch params
    user = User.find_by(authentication_token: params[:user_token])

    if user.nil?
      render status: 404, json: { message: 'Invalid token.' }
    else
      user.authentication_token = nil
      user.save!
      render status: 204, json: nil
    end
  end
end

Hi again @gonzalo-bulnes.

After looking at this comment of yours a little more carefully, I think I got it. I now have basic custom SessionsController performing login (creation of auth_token) and logout (authenticating the user and destroying the auth_token in case authentatication was successful). Here is the new gist for it.

Would love to hear from you in regards to my previous questions anyway.

Regards!

Hi @dnlserrano, I believe you're right about both of your observations, this sessions controller needs a serious review.

I took a look to your gist; it looks better than mine. I'm aware of the Simple Token Authentication issue you opened (#48) about intenting to destroy the session with wrong credentials; once fixed, I think we could update your SessionsController and use it as a reference. Sadly I'm a bit short of time these days, but I'll be reading your updates.

Update: @dnlserrano shared his RegistrationsController and SessionsController in that gist (original comment).

Hi Gonzalo (@gonzalo-bulnes),

If we are doing all the ground work, there is nothing in Devise SessionController that is required, should this class still extend Devise SessionController.

@gonzalo-bulnes , btw thanks for SimpleToken

why is this code in the gist needed... can't you just check the current_user

PS I tried to check current user but it always return a user (whether i singed in with valid or invalid token) ?

I just write an article about how to add JSON API login based on Devise and simple token authentication. But I don't know how to test sign_out api with python code now. @gonzalo-bulnes