Devise: uninitialized constant Devise::Models::TokenAuthenticatable

Created on 12 Nov 2013 · 14 Comments · Source: heartcombo/devise

I have devise on my app and it works fine locally. When I try to deploy it to my server from github, I get the following error: "uninitialized constant Devise::Models::TokenAuthenticatable"

I haven't been able to find any documentation on how to fix it. Any ideas?

Most helpful comment

Yes. See the plataformatec blog post for more info.

All 14 comments

TokenAuthenticatable has been removed from Devise, so if you are using it in your application, you'll need to remove it or patch in a custom implementation. If it works locally, it likely means an old gem is being loaded - make sure your gems do not include an old version of devise and that your Gemfile is specifying the version you want to be using.

All the examples in the readme for doing token authentication refer to using TokenAuthenticatable, e.g., this gist. How do we do token authentication without TokenAuthenticatable?

@moneypenny I think you wanted to say in wiki not in readme. The wiki is maintained by the community. So if there aren't any up to date instructions, we recommend you to explore the solution yourself and hopefully contribute your findings back!

Correct! I meant this wiki page.

@moneypenny The wiki page mentions it was removed and contains a link to a gist that can be used as starting point!

@josevalim it was @moneypenny who updated it just now :)

Oops, awesome! Thanks @moneypenny!

Thanks @DBNess for the reference!

I think token-auth is a helpful feature for mobile device login (together with QR codes), and I can't understand why the feature was removed. For safety reasons?

Yes. See the plataformatec blog post for more info.

Is it possible to fix the old TokenAuthenticatable strategy?

I used https://gist.github.com/josevalim/fb706b1e933ef01e4fb6 as a starting point to create my own Warden authentication strategy and the necessary Devise model. It was relatively easy and that got me wondering:

As far as I understand, the key to prevent a timing attack is to use a constant time comparison for the token. In order to do so one must not use the token to perform a database lookup, but find some other means to retrieve a user candidate.

If that is correct, couldn't TokenAuthenticatable be modified to incorporate a second parameter to perform the user lookup? Or is there other code in Devise which at runtime (implicitly) depends on the token param?

@daniel-rikowski that is just one of the possible solutions, besides requiring the e-mail. You could, for example, split the token in two: one half which is looked up against the database and the other which you do a secure compare against. I think when discussing the issue we had two other options, although I can't recall them exactly.

Not only that: if you consider that some people regard timing attacks as not feasible, we have too many options for solving the same issue, so rolling your own is certainly easier (and easily implementable too).
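The split-token scheme described in the comment above, written out as an added example that is not Devise's or Warden's own code. The `USERS` hash is a constructed stand-in for the users table, and `secure_compare` is a hand-rolled constant-time comparison, not Devise's helper.

```ruby
require 'securerandom'
require 'digest'

# The client presents "<lookup_id>.<secret>". Only lookup_id is used for
# the (indexed) database lookup; the secret half is never used as a query
# key and is checked with a constant-time comparison against a stored digest.

# Constant-time comparison. Hashing both sides first makes the loop run over
# a fixed 32-byte length regardless of the inputs' lengths.
def secure_compare(a, b)
  da = Digest::SHA256.digest(a)
  db = Digest::SHA256.digest(b)
  diff = 0
  da.bytes.zip(db.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Constructed in-memory users table: lookup_id => { email:, token_digest: }
USERS = {}

# Issue a token for a user and return the string the client will present.
# Only the digest of the secret half is stored server-side.
def issue_token(email)
  lookup_id = SecureRandom.hex(8)
  secret    = SecureRandom.hex(16)
  USERS[lookup_id] = { email: email,
                       token_digest: Digest::SHA256.hexdigest(secret) }
  "#{lookup_id}.#{secret}"
end

# Authenticate a presented token; returns the user's email or nil.
def authenticate(token)
  lookup_id, secret = token.to_s.split('.', 2)
  return nil if lookup_id.nil? || secret.nil?
  user = USERS[lookup_id]
  # Unknown id: compare against a dummy digest so the failure path does the
  # same amount of work as a wrong secret for a known id.
  stored = user ? user[:token_digest] : Digest::SHA256.hexdigest('')
  ok = secure_compare(stored, Digest::SHA256.hexdigest(secret))
  ok && user ? user[:email] : nil
end
```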

@daniel-rikowski Here's a pretty nice writeup. It may help http://www.soryy.com/ruby/api/rails/authentication/2014/03/16/apis-with-devise.html

^ that link didn't work for me, but was able to find it here: http://www.soryy.com/blog/2014/apis-with-devise/
