How to reverse look up a user from an access_token (Rails, Devise)

Question

My Rails app has log in / log out functions working and returning a valid access_token after logging in.

I'm using this gem

https://github.com/lynndylanhurley/devise_token_auth

But how do I use this access_token in subsequent requests? For example:

abc.com/action?access_token=123

I would imagine in my controller, and in the action method, I should be able to find the user from this access_token but I am not sure if it is possible using Devise.

If I also pass in the :client or :uid along with the :access_token, I can validate this token by doing:

user = User.find_by_uid uid
user.valid_token? access_token, client

Is it possible to look up a user by his/her access_token alone?

Thanks.

Answer 1

According to the Docs:

access-token This serves as the user's password for each request. A hashed version of this value is stored in the database for later comparison. This value should be changed on each request .

And it seems to be a tokenization using BCrypt and changes each time for security.

Further they do not allow you to lookup the user in the DB from the Token alone do to security vulnerabilities. You can choose to store the UID in a creative way or in the session for lookups and write a method in your application_controller.rb that then performs some logic on that data.

This is mentioned here:

uid A unique value that is used to identify the user. This is necessary because searching the DB for users by their access token will make the API susceptible to timing attacks .