There's many ways you can do this. What I did to get Devise to return errors to my iphone app that I could interpret (e.g. 401) was create a custom failure app:
# config/initializers/devise.rb
config.warden do |manager|
manager.failure_app = CustomFailure
end
# config/initializers/custom_failure.rb
class CustomFailure < Devise::FailureApp
def respond
unless request.format.to_sym == :html
http_auth
else
super
end
end
end
Otherwise Devise just returns HTML with a redirect response code regardless of whether the login information was correct or incorrect.
Since my app required users to authenticate against my rails backend, I implemented a simple login system like this:
#app/controllers/pages_controller.rb
before_filter :authenticate_user!, :only => [:login]
ssl_required :login # you have to set up ssl and ssl_requirement
def login
@user = current_user
respond_to do |format|
format.html {render :text => "#{@user.id}"}
format.xml {render :text => "#{@user.id}" }
end
end
#config/routes.rb
match '/login', :to => 'pages#login'
Then in the iphone app you can validate by sending a GET request to /login like this (I use ASIHTTPRequest because it's awesome):
- (void) validate_login:(NSString*)name :(NSString*)pwd
{
NSURL *login_url = [NSURL URLWithString:@"https://mysite.com/login"];
ASIHTTPRequest *request = [ASIHTTPRequest requestWithURL:login_url];
[request setDelegate:self];
[request setUsername:name];
[request setPassword:pwd];
[request addRequestHeader:@"Accept" value:@"application/xml"];
[request startAsynchronous];
}
- (void)requestFinished:(ASIHTTPRequest *)request
{
if ([request responseStatusCode] != 200) {
[self requestFailed:request];
}
else {
// authentication successful, store credentials
NSUSerDefaults* defaults = [NSUserDefaults standardUserDefaults];
[defaults setValue:[request username] forKey:@"username"];
[defaults setValue:[request password] forKey:@"password"];
}
}
- (void)requestFailed:(ASIHTTPRequest *)request
{
NSLog(@"failed with error: %d %@", [request responseStatusCode], [error localizedDescription]);
// tell user incorrect username/password
}
Then whenever you need to post data to the app you can retrieve the username and password from user defaults and attach them to the request. If you need to be more secure, you can store them in the Keychain.
I'm sure there are better ways to do this, but hopefully this can get you thinking about API authentication strategies.