Question

I have a Rails application, and I authenticate users to the application using Devise.

The question is that I'm building an Android application and I want to understand the flow for authenticating users on Android "the easy way". I read about Basic and Digest Auth.

For the API I use Grape https://github.com/intridea/grape which has Basic and Digest middleware for authentication.

I'm just wondering: should I store the user's email/password in the Android app?

And should each request to the API attach the user's email/password?

Also, what are the benefits of the auth headers in the authenticated response?

Solution

I would highly recommend NOT storing the password anywhere, and storing the username is also most likely unnecessary. Instead, look into the token_authenticatable feature in Devise shown in this blog example. What I would recommend doing is when the Android app user enters his/her username & password combo, you call a custom token authentication sign_in controller with what the user entered and return the token to the app. Then you can store the token in your app without worrying that the username/password may be compromised.

This gives you the flexibility for how frequently you want to regenerate the token, or to invalidate a token arbitrarily.
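
The token flow described in the answer above, as an added example that is not part of the original answer and is not Devise or Grape code: the server issues a random token after a successful password check, the app sends only that token on later requests, and the server can expire or revoke it. `TokenStore`, its method names, the `ttl` value and the in-memory hash (standing in for a database table) are assumptions of this sketch, as is the choice to keep only a SHA-256 digest of each token server-side.

```ruby
require "securerandom"
require "digest"

# Hypothetical server-side token store (illustration only, not a Devise API).
class TokenStore
  Record = Struct.new(:user_id, :expires_at)

  def initialize(ttl: 3600, clock: -> { Time.now })
    @ttl = ttl          # token lifetime in seconds (assumed value)
    @clock = clock      # injectable clock so expiry can be tested
    @records = {}       # SHA-256(token) => Record; the raw token is never kept
  end

  # Called by the sign-in endpoint once the username/password check succeeds.
  # The returned token is the only secret the mobile app needs to store.
  def issue(user_id)
    token = SecureRandom.urlsafe_base64(32)
    @records[digest(token)] = Record.new(user_id, @clock.call + @ttl)
    token
  end

  # Called on every API request. Returns the user id, or nil when the token
  # is missing, unknown, revoked or expired.
  def authenticate(token)
    return nil unless token.is_a?(String) && !token.empty?
    key = digest(token)
    record = @records[key]
    return nil if record.nil?
    if @clock.call >= record.expires_at
      @records.delete(key)   # drop expired tokens on first use after expiry
      return nil
    end
    record.user_id
  end

  # Invalidate a single token (logout, lost device).
  def revoke(token)
    !@records.delete(digest(token)).nil?
  end

  # Invalidate every token a user holds (for example after a password change).
  def revoke_all(user_id)
    @records.reject! { |_, record| record.user_id == user_id }
  end

  private

  def digest(token)
    Digest::SHA256.hexdigest(token)
  end
end
```
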

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow