1. Authentication in iOS
and Rails using Devise

2. What is Authentication?
Login using username / email + password from iOS
[optional] Account creation from iOS
Talks to the backend (Rails with Devise)
Should do validations, prevent dup accounts, etc.

3. Omfg there is no out-of-
the-box solution
Some googling suggests HTTP Basic Auth. DON’T DO
THIS!!
Use an authentication token solution

4. Authentication Token
iOS Rails
Send email and
password using
HTTPS
Respond with
auth token
Send auth token
for other
requests HTTP(s)

5. Why Auth Token?
Minimizes risk of password being compromised since
it’s never persisted on iOS
You can revoke the auth token at any time from your
backend

6. General Tips
Use SSL at a minimum for the initial authentication
part
Auth token in the query string http://yoursite/
private_cat_photos?auth_token=asdf
Or store in a HTTP cookie (optionally with the
“secure” flag set)

7. iOS Tips
Don’t store the password on the device!!
Store auth token (and email if you care) in
NSUserDefaults or use the iOS Keychain Services
AFNetworking is nice
wrapper on built-in technologies
Self signed certs are annoying, a few ways to handle
this, either use a compile flag, or you may need to
subclass AFHTTPClient

8. G*d*mit Devise doesn’t play
nice with APIs
If you try to use the devise built-in controllers, you’ll
notice it will try to HTTP redirect your API calls (WTF)
You’ll need to do some massaging…

9. Standard Devise
Massaging1/2
Migrations:
User model:

10. Standard Devise Massaging
2/2
devise.rb:
application.rb:
routes.rb:

11. Other Devise Massaging
On your controllers needing authentication:
Don’t do this!:

12. Non-Trivial Devise
Massaging
User registration is more annoying, you’ll probably
want to do a custom solution like copy and paste
Devise functionality as needed
SSL Pinning

13. Done