// the find
gonzalo-bulnes/simple_token_authentication
Simple (and safe*) token authentication for Rails apps or API with Devise.
A Rails gem that bolts static token authentication onto Devise, originally extracted from a José Valim gist. You add acts_as_token_authenticatable to your model, acts_as_token_authentication_handler_for to your controller, and you can authenticate via query params or request headers. Aimed at Rails API backends that already run Devise and want a quick way to issue long-lived tokens.
The constant-time token comparison (via Devise's secure_compare) is done correctly — no timing side channel on the token check. Supports both ActiveRecord and Mongoid out of the box. The "fallback: :none" option is important and well-documented for API controllers that disable CSRF protection. Appraisal gemfiles cover Rails 4 through 8, so version compatibility is actually tested rather than assumed.
Long-lived static tokens stored in plaintext in the database — if your users table leaks, every token is immediately usable with no expiry. No built-in refresh or rotation; the after_successful_token_authentication hook is the escape hatch, but wiring rotation into it is left to you. The README badge says 'Last independent audit: never' in red — that's honest, but also a real concern for anything touching auth. No support for token scopes or per-token permissions, so every token is all-or-nothing access.
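As an added, self-contained Ruby example (not code from simple_token_authentication or Devise), this sketches how the two storage gaps above could be closed around a Devise-style model: persist only a SHA-256 digest of the token with an expiry, look the user up by email and then compare digests in constant time, and rotate the token on every successful use from a hook modeled on the gem's after_successful_token_authentication extension point. The User and UserStore classes, reset_authentication_token!, the ttl values and the sample account are constructed for this example; secure_compare is reimplemented here in the style of Devise.secure_compare so the block runs without Rails.

```ruby
require "securerandom"
require "digest"

# Constant-time string comparison, reimplemented in the style of
# Devise.secure_compare so this runs without Devise: reject on length
# mismatch, then XOR every byte so timing does not reveal the position
# of the first differing character.
def secure_compare(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  left = a.unpack("C*")
  diff = 0
  b.each_byte { |byte| diff |= byte ^ left.shift }
  diff.zero?
end

# Stand-in for a Devise user row (constructed for this example). Only the
# SHA-256 digest of the token and an expiry are persisted; the raw token is
# handed to the client once and never stored, so a leaked row yields no
# usable credential.
class User
  attr_reader :email, :token_digest, :token_expires_at

  def initialize(email)
    @email = email
    @token_digest = nil
    @token_expires_at = nil
  end

  # Issue a fresh token: returns the raw value for the client, keeps the digest.
  def reset_authentication_token!(ttl: 86_400)
    raw = SecureRandom.urlsafe_base64(32)
    @token_digest = Digest::SHA256.hexdigest(raw)
    @token_expires_at = Time.now + ttl
    raw
  end

  def token_expired?(now = Time.now)
    @token_expires_at.nil? || now >= @token_expires_at
  end

  # Hypothetical rotation hook: it borrows the name of the gem's
  # after_successful_token_authentication extension point but is
  # implemented independently here. Rotating on every successful use
  # turns a captured token into a single-use one. Returns the
  # replacement token so the controller can hand it back in the response.
  def after_successful_token_authentication
    reset_authentication_token!
  end
end

# Constructed in-memory "users table" keyed by email.
class UserStore
  def initialize
    @rows = {}
  end

  def create(email)
    @rows[email] = User.new(email)
  end

  def find_by_email(email)
    @rows[email]
  end

  # Look the row up by email (the non-secret half), reject expired tokens,
  # then compare the digest of the presented token against the stored digest
  # in constant time. Returns [user, replacement_token] on success, nil otherwise.
  def authenticate(email, presented_token, now: Time.now)
    user = find_by_email(email)
    return nil if user.nil? || presented_token.nil? || user.token_expired?(now)
    presented_digest = Digest::SHA256.hexdigest(presented_token)
    return nil unless secure_compare(presented_digest, user.token_digest)
    [user, user.after_successful_token_authentication]
  end
end

# Walk through issue -> use -> rotate -> replay, and show that a leaked
# digest and an expired token are both rejected. Returns a Hash of outcomes.
def demo
  store = UserStore.new
  user = store.create("alice@example.com") # constructed sample account
  raw = user.reset_authentication_token!(ttl: 3600)

  first  = store.authenticate("alice@example.com", raw)
  replay = store.authenticate("alice@example.com", raw)               # rotated away
  leaked = store.authenticate("alice@example.com", user.token_digest) # DB leak gives digests only
  second = store.authenticate("alice@example.com", first && first[1])
  stale  = store.authenticate("alice@example.com", second && second[1],
                              now: Time.now + 100_000)                # past the 86_400 s ttl

  {
    first_use: !first.nil?,
    replay_of_rotated_token: !replay.nil?,
    leaked_digest_as_token: !leaked.nil?,
    rotated_token_works: !second.nil?,
    expired_token: !stale.nil?
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

In a real controller the raw token would travel in the request header or query parameter the gem reads, and the replacement token returned by the hook would go back in the response; the point of the example is that the database column never holds anything a thief could replay, and that a stolen token stops working at the next legitimate request or at expiry, whichever comes first.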