Allow API responses in PasswordExpiredController

[Slike9]

For API sometimes it's desirable to receive 2XX responses instead of
3XX. The same technique is used in devise gem.

More about the problem addressed: #111 (comment)

[coveralls]

Pull Request Test Coverage Report for Build 726

• 33 of 33 (100.0%) changed or added relevant lines in 2 files are covered.
• No unchanged relevant lines lost coverage.
• Overall coverage increased (+0.2%) to 96.047%

---

Totals
Change from base Build 723:	0.2%
Covered Lines:	1239
Relevant Lines:	1290

---

💛 - Coveralls

[olbrich]

@Slike9 Thanks for your contribution, please add a link to the relevant part of the devise codebase, add some tests, and add some comments describing why this is useful. We also need to consider how this might break code that depends on the existing behavior.

[Slike9]

@olbrich Could you please consider my answer?

please add a link to the relevant part of the devise codebase

Similar code respond_with({}, location: ...) is used in several places in devise codebase:

• https://github.com/plataformatec/devise/blob/master/app/controllers/devise/confirmations_controller.rb#L15
• https://github.com/plataformatec/devise/blob/master/app/controllers/devise/passwords_controller.rb#L19
• https://github.com/plataformatec/devise/blob/master/app/controllers/devise/unlocks_controller.rb#L17

add some comments describing why this is useful

Method respond_with from responders gem is applied to be able to respond to different requested formats (html, json, etc.).
For formats associated with browsing, like :html, :iphone, etc, the fix won't change the behavior, the action will respond with a redirect as before.
The behavior will change for formats associated with APIs, such as :xml and :json, the action will respond with 204 No Content instead of redirect.

The problem we are facing is the following. In our SPA-like application, we access the controller's actions via AJAX, requesting json format. To update password, the client side requests PUT /users/password_expired.json via AJAX. The browser gets 302 Location: / and follows the redirect to / using PUT method (it preserves the verb) and gets 404. In the client side nothing happens, as it doesn't see 302 response, just 404. More about this problem:

• https://stackoverflow.com/questions/228225/prevent-redirection-of-xmlhttprequest
• Need some advice about handling 302 redirects from Ajax axios/axios#932 (comment)

So, we need API friendly responses to AJAX requests, not 302.

add some tests

Do we need to test behavior of respond_with of responders gem? The behavior for html format is already tested, isn't it enough?

[dillonwelch]

What was this gem added for? This is an outdated method of testing and generally meant to support legacy apps, not for new code.

[olbrich]

We have some tests that need to run against controllers in Rails 4.2. This lets them work against rails 5+ as well.

[billgloff]

Would love to see this get merged. Let me know if you need any help.

[billgloff]

In lib/devise-security/controllers/helpers.rb there are two checks (handle_password_change & handle_paranoid_verification) for checking if the format is html, can we remove that and handle both cases (html and json) and just return the proper error message if its json format so the frontend can handle it properly?

[olbrich]

@billgloff can you elaborate a bit on how you would like the helpers to respond? Some failing tests would be extremely helpful. As an alternative, you could open a separate ticket / PR for your modifications and then I'll go ahead and merge this branch.

[dillonwelch]

@olbrich how do you feel about merging this and then we can handle the request in a separate PR as desired?