Cross Origin Requests (CORS)


Last updated 7 years ago

If your API and client live on different domains, you will need to configure your Rails API to allow cross origin requests. The rack-cors gem can be used to accomplish this.

The following example is dangerous: it allows cross domain requests from any origin. Make sure to whitelist only the domains you actually need.

Example rack-cors configuration:

# Gemfile
gem 'rack-cors', :require => 'rack/cors'

# config/application.rb
module YourApp
  class Application < Rails::Application
    config.middleware.use Rack::Cors do
      allow do
        origins '*'
        resource '*',
          headers: :any,
          expose: ['access-token', 'expiry', 'token-type', 'uid', 'client'],
          methods: [:get, :post, :options, :delete, :put]
      end
    end
  end
end

Make extra sure that Access-Control-Expose-Headers includes access-token, expiry, token-type, uid, and client (as is set in the example above by the :expose param). If your client experiences erroneous 401 responses, this is likely the cause: the browser hides any response header not listed there, so the client never sees the rotated token and sends a stale one on its next request.
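As an added illustration, not the gem's own code and not rack-cors, here is a minimal Rack-style middleware in plain Ruby that does what the configuration above should: allow only a named origin (the https://app.example.com allowlist is a constructed value) and expose the five devise-token-auth headers. A small helper mimics the browser's rule for which response headers a script may read, which is why a missing :expose list shows up as the 401s described above.

```ruby
require 'set'
# Headers devise-token-auth sends back and the client must be able to read.
DTA_HEADERS = %w[access-token expiry token-type uid client].freeze
# Constructed allowlist: replace with your own client origin(s).
ALLOWED_ORIGINS = Set['https://app.example.com'].freeze

# Plain-Ruby stand-in for rack-cors: allowlists origins instead of '*'.
class AllowlistCors
  def initialize(app, origins: ALLOWED_ORIGINS, expose: DTA_HEADERS)
    @app, @origins, @expose = app, origins, expose
  end

  def call(env)
    origin = env['HTTP_ORIGIN']
    allowed = @origins.include?(origin)          # nil (same-origin) is never allowed here
    if env['REQUEST_METHOD'] == 'OPTIONS'         # preflight: answer without hitting the app
      return [403, {}, []] unless allowed
      return [204, cors_headers(origin).merge(
        'Access-Control-Allow-Methods' => 'GET, POST, OPTIONS, DELETE, PUT',
        'Access-Control-Allow-Headers' => env['HTTP_ACCESS_CONTROL_REQUEST_HEADERS'].to_s), []]
    end
    status, headers, body = @app.call(env)
    headers = headers.merge(cors_headers(origin)) if allowed
    [status, headers, body]
  end

  private

  def cors_headers(origin)
    { 'Access-Control-Allow-Origin' => origin,   # echo the matched origin, never '*'
      'Vary' => 'Origin',                        # stop caches reusing the answer across origins
      'Access-Control-Expose-Headers' => @expose.join(', ') }
  end
end
# Browser rule: a script sees only CORS-safelisted response headers plus those
# named in Access-Control-Expose-Headers. Everything else is silently hidden.
SAFELISTED = %w[cache-control content-language content-type expires last-modified pragma].freeze
def script_visible_headers(headers)
  exposed = headers.fetch('Access-Control-Expose-Headers', '').split(',').map { |h| h.strip.downcase }
  headers.select { |k, _| SAFELISTED.include?(k.downcase) || exposed.include?(k.downcase) }
end

# Constructed upstream app: like devise-token-auth, it returns a fresh token on every request.
UPSTREAM = ->(_env) { [200, { 'Content-Type' => 'application/json', 'access-token' => 'tok-2',
                              'client' => 'c1', 'uid' => 'user@example.com',
                              'expiry' => '1700000000', 'token-type' => 'Bearer' }, ['{}']] }
def cors_response(origin, method: 'GET', expose: DTA_HEADERS)
  AllowlistCors.new(UPSTREAM, expose: expose).call('REQUEST_METHOD' => method, 'HTTP_ORIGIN' => origin)
end
```

Calling cors_response with expose: [] shows the failure mode: the token headers are still on the wire, but script_visible_headers returns only Content-Type, so a real client could never store the rotated access-token.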

CORS may not be possible with older browsers (IE8, IE9). I usually set up a proxy for those browsers. See the ng-token-auth readme or the jToker readme for more information.
