Add secure OAuth2-based mobile authentication

- Replace API keys with OAuth2 tokens for mobile apps - Add device tracking and management for mobile sessions - Implement 30-day token expiration with refresh tokens - Add MFA/2FA support for mobile login - Create dedicated auth endpoints (signup/login/refresh) - Skip CSRF protection for API endpoints - Return plaintext tokens (not hashed) in responses - Track devices with unique IDs and metadata - Enable seamless native mobile experience without OAuth redirects This provides enterprise-grade security for the iOS/Android apps while maintaining a completely native authentication flow. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-07-24 07:39:39 +02:00 · 2025-06-18 08:20:22 -05:00 · 2025-06-18 08:20:22 -05:00 · 9336719242
commit 9336719242
parent cba0bdf0e2
15 changed files with 761 additions and 6 deletions
--- a/app/controllers/api/v1/base_controller.rb
+++ b/app/controllers/api/v1/base_controller.rb
@ -6,6 +6,9 @@ class Api::V1::BaseController < ApplicationController
  # Skip regular session-based authentication for API
  skip_authentication

+  # Skip CSRF protection for API endpoints
+  skip_before_action :verify_authenticity_token
+
  # Skip onboarding requirements for API endpoints
  skip_before_action :require_onboarding_and_upgrade