/validate_token #148

Closed
maxrosecollins opened this issue Feb 11, 2015 · 26 comments

Comments

@maxrosecollins

How am I supposed to use this endpoint? It says 'Accepts uid and auth_token as params' and that these are in the db. I don't have a db field called auth_token, I have tokens?

@nicolas-besnard
Contributor

Look at the source here. You just need to hit this route like all the other requests: with the required header to authenticate your users.

@maxrosecollins
Author

Sorry, I don't understand. What is the required header?

@nicolas-besnard
Contributor

I invite you to read the doc.

@maxrosecollins
Author

I have read the doc lots of times. I just don't understand how to get this route working. I have the others working....

@maxrosecollins
Author

I have a tokens field in my db

{"734qclx7_WbDFJGSgKDceg":{"token":"$2a$10$UQX10Wv18OaUpapR5v3.KOO5.FicYOqBLbG6iLt1crcWjbWNJzPli","expiry":1424891653,"last_token":"$2a$10$vWd19f4BeVytO.eAoPyKB.AAAk1fbHGRxYaUR3mqAMAH3bd0b.ere","updated_at":"2015-02-11T19:14:13.397+00:00"},"MulyQKwcOrp2kQXekRxYxg":{"token":"$2a$10$K0e.a4Rq4soIdN7tPek7euX0cQTbZHzpzkQdF1M/M2e9eaZt4heZC","expiry":1424891915,"last_token":"$2a$10$4UwP94qkzg7IVVhS6ly8T.WIMrHW2cUFEIZUBtX.7Ne/SzEBxyuU2","updated_at":"2015-02-11T19:18:35.618+00:00"}}

Am I supposed to send one of these to this endpoint?

@nicolas-besnard
Contributor

You call this route like all the other ones: with the headers described in the doc (access-token, uid ...)

@maxrosecollins
Author

So you send the access-token you get in the headers back to this endpoint?

@nicolas-besnard
Contributor

Try it.

@lynndylanhurley
Owner

Hi @maxrosecollins - I tried to explain the token handling aspect of this gem here. Please let me know if this explanation is unclear.

The values stored in the tokens field are encrypted hashes of the actual tokens. I'll copy my response from another issue regarding how the tokens are processed:

Tokens are effectively passwords. If an attacker has your access token, they can do anything with your account. For this reason, we store tokens using bcrypt. This is how passwords are normally hashed. Once the token is hashed using bcrypt, it cannot be recovered. So to check a token's validity, we perform the following actions:

  • search the DB for a user by their uid
  • if the user is found, hash the token from the request
  • compare that hash with the hash that's stored in the DB
  • if the hashes are equal, the token is valid.

Adding to that, the tokens are changed at the end of each request and sent back to the client using the header keys described here (access-token, client, expiry, uid). The client stores these values for use with the next request.
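The check and per-request rotation described in the comment above, as an added stand-alone example (this is not devise_token_auth's own code). The project hashes tokens with bcrypt; to run without extra gems this version substitutes PBKDF2-HMAC-SHA256 from Ruby's standard OpenSSL library. The store layout is modelled on the `tokens` JSON shown earlier in the thread (one entry per client id holding a hashed token and a Unix expiry), and the token lifetime, iteration count and `TokenStore` class are assumptions for illustration.

```ruby
require 'openssl'
require 'securerandom'
require 'base64'

# Hypothetical server-side store for illustration. Keyed by uid, then by
# client id, each entry keeps only the HASH of the access token plus its
# expiry, mirroring the `tokens` field shown in the thread. The raw token is
# handed to the client and never persisted.
class TokenStore
  TOKEN_LIFETIME = 2 * 7 * 24 * 3600 # two weeks (assumed value)
  ITERATIONS = 20_000                # PBKDF2 work factor (assumed; bcrypt in the real gem)

  def initialize
    @users = {} # uid => { tokens: { client_id => { 'token' => hash, 'expiry' => unix_time } } }
  end

  def add_user(uid)
    @users[uid] = { tokens: {} }
  end

  # Issue a fresh token for (uid, client) and return the headers the client must
  # send back on its next request: uid, client, access-token, expiry.
  def issue(uid, client_id = SecureRandom.urlsafe_base64(16), now: Time.now.to_i)
    token  = SecureRandom.urlsafe_base64(32)
    expiry = now + TOKEN_LIFETIME
    @users.fetch(uid)[:tokens][client_id] = { 'token' => hash_token(token), 'expiry' => expiry }
    { 'uid' => uid, 'client' => client_id, 'access-token' => token, 'expiry' => expiry }
  end

  # The validation steps from the comment: look the user up by uid, find the
  # entry for this client, reject expired entries, verify the presented token
  # against the stored hash, then rotate the token and return the new headers.
  # Returns nil on any failure (the caller would answer 401).
  def validate_and_rotate(headers, now: Time.now.to_i)
    user = @users[headers['uid']]
    return nil unless user
    entry = user[:tokens][headers['client']]
    return nil unless entry
    return nil if entry['expiry'] <= now
    return nil unless verify(entry['token'], headers['access-token'].to_s)
    issue(headers['uid'], headers['client'], now: now)
  end

  private

  # Stored form: "<base64 salt>$<base64 digest>". The salt travels with the
  # hash, as it does inside a bcrypt string.
  def hash_token(token)
    salt   = SecureRandom.random_bytes(16)
    digest = OpenSSL::KDF.pbkdf2_hmac(token, salt: salt, iterations: ITERATIONS,
                                      length: 32, hash: 'sha256')
    "#{Base64.strict_encode64(salt)}$#{Base64.strict_encode64(digest)}"
  end

  # Re-derive with the stored salt and compare in constant time.
  def verify(stored, token)
    salt_b64, digest_b64 = stored.split('$', 2)
    return false if salt_b64.nil? || digest_b64.nil?
    salt     = Base64.strict_decode64(salt_b64)
    expected = Base64.strict_decode64(digest_b64)
    actual   = OpenSSL::KDF.pbkdf2_hmac(token, salt: salt, iterations: ITERATIONS,
                                        length: 32, hash: 'sha256')
    secure_compare(expected, actual)
  end

  # Constant-time equality so timing does not leak how many bytes matched.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

Note that verification does not hash the request token on its own and compare two independent hashes: the stored value carries its own salt, and the presented token is re-derived with that salt before the constant-time compare. `BCrypt::Password#==` does the same internally. Because a successful check immediately replaces the stored hash, the headers a client sent are single-use; replaying them after the rotation returns nil.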

@maxrosecollins
Author

I understand it a bit more now, thanks!

So when do I need to use the /validate_token endpoint?

Thanks again

@nicolas-besnard
Contributor

If you use ng-token-auth, you don't need to use this route. I think it's called "automatically".

If you don't use it, you should call this route when you need to know if the user's token is not expired :)

@maxrosecollins
Author

I'm using React, not Angular, so I can't use that module.

@maxrosecollins
Author

@lynndylanhurley thinking of writing a react component anytime soon? ;)

@nicolas-besnard
Contributor

Can I have your opinion on ReactJS vs AngularJS? I'm amazed by ReactNative :p

@maxrosecollins
Author

I like it, still getting to grips with it though.

I have tried both, and personally I like React more. I think there are fewer concepts to learn with React than with Angular. I just feel I understand React more.

I think angular is good for building a simple example of something but when you want to scale big and write lots of custom directives it gets harder.

What do you think of them?

@nicolas-besnard
Contributor

I never used it. Yet. I learned AngularJS because it was a requirement for one of my clients, and I still offer my services for AngularJS development.

But, after the Facebook conference on ReactNative, I'm really excited to work with it!

@maxrosecollins
Author

Yeah react native looks really good.

React seems to make more sense to me than angular. Just frustrating there isn't a ng-token-auth for react :(

@nicolas-besnard
Contributor

Well, you can create it if you want :D

@maxrosecollins
Author

I suppose I'm going to have to try. Not sure I'm good enough though.

@nicolas-besnard
Contributor

Well, do it step by step. You can start with just the login and register functions and add the other features later.

@maxrosecollins
Author

True, I do have login and register working at the moment! I'll give it a go.

@lynndylanhurley
Owner

@lynndylanhurley thinking of writing a react component anytime soon? ;)

I have been thinking of writing a React component actually. I'd like to break out the logic from this module into a core package, and then create framework-specific modules / components / plugins that wrap the core. No ETA on that though.

@maxrosecollins
Author

Yeah that would be awesome!
I noticed this seemed to be quite oriented towards an Angular.js integration, but I guess it would be, as it is built for your ng-token-auth module.

@nicolas-besnard
Contributor

Can you show me how you do that in React?

@stratigos
Contributor

I'd just like to call attention to the fact that, based on the README, it's not easy to answer @maxrosecollins's question:

So when do i need to use the /validate_token end point?

I have some general assumptions about it, but I'm trying to give an authoritative answer to a fellow developer who is using my API for a mobile app, and it's very difficult to do by just reading the source code or the README document.

@nicolas-besnard's answer was basically what I was assuming:

If you use ng-token-auth, you don't need to use this route. I think it's called "automatically".
If you don't use it, you should call this route when you need to know if the user's token is not expired :)

I'll interpret this as: you only need to use /validate_token if you really want to. It is up to the application maintainers to decide on a policy for whether this endpoint is necessary, and where. It is not, by default, required for any specific workflow.

I think a small note in the README about this endpoint and its implied uses, and any further information you have on it, would be very helpful to us adopters of devise_token_auth.

Thanks!

@npearson72

npearson72 commented Jul 26, 2020

I realize this is an old thread, but it is unfortunate there was not an action item that came from it. I spent more time than I care to admit thinking this is a feature similar to a refresh token, where in fact it's not.

If you already handle 401 from the server in your client app by routing users to the login and resetting their session, then there doesn't seem to be much point at all (at least IMHO) for this endpoint.

I greatly appreciate @stratigos summary.
