Devise Sessionable extends the Simple Token Authentication gem into a Session object to allow for easier and more secure token authentication.


Add this line to your application's Gemfile:

gem 'devise_sessionable'

And then execute:

$ bundle

Or install it yourself as:

$ gem install devise_sessionable

Getting Started

First things first, run the installer:

rails generate devise_sessionable:install

This will generate a migration for the session object.

NOTE: This gem is setup to work with UUIDs as default. If you are NOT using uuids you will need to update the migration to reflect this correctly.

Then simply run:

rails db:migrate

Adding Session Authentication on a Model

simply add acts_as_sessionable to the devise enabled model that you wish to be session authable.

class User < ApplicationRecord

  # Include default devise modules. Others available are:
  # :confirmable, :lockable, :timeoutable and :omniauthable
  devise :database_authenticatable, :registerable,
         :recoverable, :rememberable, :trackable, :validatable

Enabling Session Authentication in the Controller

Once you have a model with session authentication enabled on a model, you can start using it in your controller with just a few simple steps.

First, you need to put your controllers behind a layer of token authentication:

module Api
  module V1
    class ApiController < ApplicationController
      acts_as_token_authentication_handler_for DeviseSessionable::Session,
                                               as: :session,
                                               fallback: :exception

Secondly, because we are using the Session to authenticate, but are actually authenticating a User, we need to define the current_authable scope in our ApiController


def current_authable

Finally, we need to setup our Simple Token Authentication to refer to the sessions id when authenticating

# config/initializers/simple_token_authentication.rb

SimpleTokenAuthentication.configure do |config|
  config.identifiers = { session: 'id' }

(This is something that we plan to integrate into the gem itself in a future release)

Using Sessions for Authentication

Now that we have everything in place, we can authenticate using our new session objects. How you want to handle the creation, deletion and expiration of sessions is up to you, all the gem cares about is that a valid session is passed through to authenticate.

Underneath the gem we are still using the Simple Token Authentication gem to handle authentication, the usage is essentially the same, and you can refer to their documentation here

Default Header Keys:

  'X-Session-Id' =>,
  'X-Session-Token' => session.authentication_token

These can be overidden in the SimpleTokenAuthentication initializer, using the same methods the base gem uses.


The gem is available as open source under the terms of the MIT License.