
Devise + Ember-Simple-Auth broken Sign in system #27

Closed
Deovandski opened this issue Mar 30, 2016 · 3 comments

Comments

@Deovandski (Owner)

Noticed on Checkpoint 8 committed on 3/30/16. Devise sign-in always responds with the same user upon sign-in even if there are other credentials...

Root cause unknown. Ideas to investigate:

  • Cookie-based CSRF protection somehow interfering with Devise? Pull an Experimental v0.5 commit and thoroughly test to see if the non-implementation of CSRF allows it to work.
  • Devise dropped support for token on 3.x... Further check how this will be dealt with, or if the recent version bump was the reason behind the failure.
  • Devise not handling Destroy session properly? If so, drop the use of the custom session? Guarantees that it will not be as finicky?
@Deovandski Deovandski self-assigned this Mar 30, 2016
@Deovandski Deovandski added the bug label Mar 30, 2016
@Deovandski Deovandski added this to the Alpha milestone Mar 30, 2016
@Deovandski Deovandski mentioned this issue Mar 30, 2016
@Deovandski Deovandski reopened this Mar 31, 2016
@Deovandski (Owner, Author)

Close, but no cigar this time. The proper user is being logged in if the parameters match, but if the params don't, then the previously logged-in user is being returned (due to the cookie session not being fully destroyed)... Getting closer, I guess.

@Deovandski (Owner, Author)

Everything is working now except when it comes to dealing with the invalid authenticity token issue when following this exact flow:

  1. On a new page (or after a page reload), user signs in.
  2. User signs out.
  3. User signs in again.
  4. User signs out.

The fourth step causes the server to respond with 422 due to Invalid authenticity token. However, if you reload the page, the user will be able to sign out.

  • Currently thinking that Devise updated the token on step 3, and it is either not replying back with it, or Ember-cli-auth is out of the loop when it comes to the CSRF session token.

Perhaps removing Devise's new CSRF token would help, but this will allow session fixation attacks.

@Deovandski (Owner, Author)

Problem closed. CSRF authenticity token is skipped for destroying the session without removing the Devise token change upon login.
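To make the token-rotation mechanism behind the two comments above (the sign in / out / in / out flow that ends in a 422, and the workaround of skipping the authenticity check on session destroy) concrete, here is an added Ruby model. It is not code from this project or from Devise or Ember Simple Auth: `AuthServer`, `Client`, `run_flow` and the `skip_csrf_on_destroy` option are hypothetical names, the users are constructed, and the model is simplified (it rotates the token on every sign-in and rejects every stale token immediately, so it does not reproduce the exact step at which the project's flow failed). What it does show is the trade-off: a client that never refreshes its token fails once the server rotates it; skipping the check on destroy lets that client sign out again but also lets a request carrying no valid token sign the user out; a client that adopts the token from each response works without weakening anything.

```ruby
require 'securerandom'

# Constructed model of a Rails-style session whose CSRF token is rotated on
# sign-in. Hypothetical names; not the project's code.
class AuthServer
  Response = Struct.new(:status, :csrf_token, :user)

  def initialize(users, skip_csrf_on_destroy: false)
    @users = users                         # login => password (constructed)
    @skip_csrf_on_destroy = skip_csrf_on_destroy
    @session = { csrf: SecureRandom.hex(16), user: nil }
  end

  # Token the client obtains on initial page load (or a reload).
  def page_token
    @session[:csrf]
  end

  def current_user
    @session[:user]
  end

  def sign_in(login, password, csrf)
    return Response.new(422, nil, nil) unless csrf == @session[:csrf]
    return Response.new(401, @session[:csrf], nil) unless @users[login] == password
    # Rotate on login so a token captured before authentication cannot be
    # replayed afterwards (the session-fixation guard the issue refers to).
    @session = { csrf: SecureRandom.hex(16), user: login }
    Response.new(200, @session[:csrf], login)
  end

  def sign_out(csrf)
    unless @skip_csrf_on_destroy || csrf == @session[:csrf]
      return Response.new(422, nil, nil)   # "Invalid authenticity token"
    end
    @session[:user] = nil
    Response.new(204, @session[:csrf], nil)
  end
end

# A client that reads the token once at page load. With refresh: false it
# never updates it (the failure mode); with refresh: true it adopts the
# token returned by every response.
class Client
  attr_reader :token

  def initialize(server, refresh:)
    @server = server
    @refresh = refresh
    @token = server.page_token
  end

  def sign_in(login, password)
    remember(@server.sign_in(login, password, @token))
  end

  def sign_out
    remember(@server.sign_out(@token))
  end

  private

  def remember(resp)
    @token = resp.csrf_token if @refresh && resp.csrf_token
    resp
  end
end

USERS = { 'alice' => 'pw-a', 'bob' => 'pw-b' }.freeze  # constructed sample users

# Run sign in / sign out / sign in / sign out and return the four HTTP statuses.
def run_flow(refresh:, skip_csrf_on_destroy: false)
  server = AuthServer.new(USERS, skip_csrf_on_destroy: skip_csrf_on_destroy)
  client = Client.new(server, refresh: refresh)
  [client.sign_in('alice', 'pw-a'), client.sign_out,
   client.sign_in('bob', 'pw-b'), client.sign_out].map(&:status)
end

# Does a request carrying no valid token (a cross-site form post) log the user out?
def forged_logout_succeeds?(skip_csrf_on_destroy:)
  server = AuthServer.new(USERS, skip_csrf_on_destroy: skip_csrf_on_destroy)
  server.sign_in('alice', 'pw-a', server.page_token)
  server.sign_out('not-the-session-token').status == 204 && server.current_user.nil?
end

if $PROGRAM_NAME == __FILE__
  p run_flow(refresh: false)                              # stale token
  p run_flow(refresh: false, skip_csrf_on_destroy: true)  # the issue's workaround
  p run_flow(refresh: true)                               # client tracks the rotated token
  p forged_logout_succeeds?(skip_csrf_on_destroy: true)
end
```

Skipping verification on destroy is a pragmatic fix for a client that cannot see the rotated token, and the damage a forged logout can do is limited, but the cleaner route is for the client to pick up the token Rails returns after sign-in, which is what the `refresh: true` client does.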

Deovandski added a commit that referenced this issue Apr 1, 2016