sign out a user when using API #145

Closed
a14m opened this issue Jan 6, 2015 · 2 comments

a14m commented Jan 6, 2015

This is also reported on http://stackoverflow.com/questions/27804349/simple-token-authentication-signout-for-rails-json-api
Here is my sessions controller:

class SessionsController < Devise::SessionsController
  respond_to :json
  # Rails 4 API (skip_before_action in later Rails): let DELETE /users/sign_out
  # through even when Devise does not consider a user to be signed in
  skip_filter :verify_signed_out_user, only: :destroy

  def create
    # Authenticate through Warden, then render the `create` JSON template
    self.resource = warden.authenticate!(scope: resource_name)
    render :create, status: :created
  end

  def destroy
    # Blank the token so the model generates a fresh one, then let Devise sign out
    current_user.authentication_token = nil
    super
  end
end

The problem is that an invalid request still hits this and causes the user to be logged out, although the request should not sign out the user.

To be extra clear, here are my specs:

  describe 'DELETE sessions#destroy' do
    let(:user) { Fabricate(:confirmed_user) }
    # @auth_token is used below but is not defined anywhere in this snippet as posted
    describe 'with request headers' do
      context 'valid credentials' do
        it 'Returns 204' do
          # Rails 4 integration-test signature: path, params, headers
          delete '/users/sign_out', {}, {
            HTTP_CONTENT_TYPE: 'application/json',
            HTTP_ACCEPT: "application/vnd.app+json; version=1",
            "X-User-Email" => user.email,
            "X-User-Token" => user.authentication_token
          }

          user.reload
          expect(response.status).to eq 204
          expect(user.authentication_token).not_to eq @auth_token
          #^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ this is ok because it's the valid user
        end
      end

      context 'invalid credentials' do
        it 'Returns 204' do
          # Same user, but a token that cannot match the stored one
          delete '/users/sign_out', {}, {
            HTTP_CONTENT_TYPE: 'application/json',
            HTTP_ACCEPT: "application/vnd.app+json; version=1",
            "X-User-Email" => user.email,
            "X-User-Token" => 'Invalid'
          }

          user.reload
          expect(response.status).to eq 204
          expect(user.authentication_token).to eq @auth_token
          #^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ this is weird
          # why did the user get a new auth token when they didn't sign out ????
        end
      end
    end
  end
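As an added illustration, and not code from this issue, from simple_token_authentication or from Devise: a plain-Ruby model of the behaviour the specs above describe, next to a hardened sign-out handler that only rotates the stored token after the presented token has been verified. `User`, `secure_compare`, `naive_destroy`, `hardened_destroy` and `replay` are constructed for this example, as are the sample user and request headers; the real controller runs inside Devise and the gem, which this stand-in only imitates.

```ruby
require 'securerandom'

# Constructed stand-in for the Devise model with simple_token_authentication's
# authentication_token column. No database: tokens live in memory.
class User
  attr_reader :email, :authentication_token

  def initialize(email)
    @email = email
    @authentication_token = User.generate_token
  end

  # The effect of a before_save hook once the token has been blanked: a fresh
  # random token replaces it, invalidating the old one for every client.
  def rotate_token!
    @authentication_token = User.generate_token
  end

  def self.generate_token
    SecureRandom.urlsafe_base64(20)
  end
end

# Constant-time comparison in the spirit of Devise.secure_compare, so a wrong
# token cannot be narrowed down byte by byte through response timing.
def secure_compare(expected, presented)
  return false if expected.nil? || presented.nil?
  return false unless expected.bytesize == presented.bytesize
  expected.bytes.zip(presented.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Model of the behaviour in the report: the user named by X-User-Email gets the
# token cleared and regenerated before sign-out, so the rotation happens whether
# or not X-User-Token was valid. Returns [http_status, body].
def naive_destroy(users, headers)
  user = users[headers['X-User-Email']]
  user.rotate_token! if user
  [204, nil]
end

# Hardened handler: authenticate from the headers first and only touch the
# stored token when the presented token actually matched. An invalid request
# is rejected with 401 and leaves the legitimate session's token intact.
def hardened_destroy(users, headers)
  user = users[headers['X-User-Email']]
  presented = headers['X-User-Token']
  return [401, 'invalid email or token'] unless user && secure_compare(user.authentication_token, presented)

  user.rotate_token!
  [204, nil]
end

# Replays the invalid-credentials request from the specs against both handlers
# on a constructed user, then a valid sign-out against the hardened one.
def replay
  user = User.new('alice@example.com') # constructed sample user
  users = { user.email => user }
  invalid = { 'X-User-Email' => user.email, 'X-User-Token' => 'Invalid' }

  before = user.authentication_token
  naive_status, = naive_destroy(users, invalid)
  naive_kept = user.authentication_token == before

  before = user.authentication_token
  hardened_status, = hardened_destroy(users, invalid)
  hardened_kept = user.authentication_token == before

  valid = { 'X-User-Email' => user.email, 'X-User-Token' => user.authentication_token }
  valid_status, = hardened_destroy(users, valid)
  rotated_after_valid = user.authentication_token != before

  {
    naive: [naive_status, naive_kept],              # [204, false]: a bad token revoked the session
    hardened: [hardened_status, hardened_kept],     # [401, true]: stored token untouched
    valid_sign_out: [valid_status, rotated_after_valid] # [204, true]: real sign-out rotates it
  }
end

puts replay.inspect if __FILE__ == $PROGRAM_NAME
```

The security point the specs above expose: a sign-out endpoint that rotates the stored token before verifying the presented one lets anyone who knows a user's email revoke that user's API sessions with a DELETE carrying a bogus token. In the real controller the equivalent of `hardened_destroy` is to require the request to be authenticated before `destroy` touches the token and to answer an unauthenticated request with 401 rather than 204.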
@gonzalo-bulnes (Owner)

Hi @artmees,

A few questions to clarify the context:

  • does your SessionsController act as a token authentication handler?
  • if it does, is the optional fallback to Devise disabled?
  • is the authentication token configured to act as a sign_in_token?

Also, in the specs you wrote, how is @auth_token defined?


a14m commented Jan 27, 2015

I cannot verify this or answer the questions because in that project I'm now using JWT, and it's a messy git history to track this down, sorry 😞
