Use Warden without session system #37

wants to merge 1 commit into



I use warden as authentication system in an API only providing authentication via HTTP_BASIC_AUTH. This patch stops warden from throwing exceptions if there is no session object around.


josevalim commented Dec 6, 2011

Hrm, Warden has an option called :store => false that you can pass when setting the user and so on. Maybe you should be using it instead?


hassox commented Dec 7, 2011

@timlawrenz did you have a look at :store => false? Does this suit your needs?

Hi, thanks for the replies. I use devise with warden and I have a hard time figuring out where to set the :store option. Could you give me a hint?


josevalim commented Dec 7, 2011

So this is a feature Devise should be providing. :) Please open up an issue there?

If you need this feature asap and cannot wait on Devise release, you can do in your initializer:

Devise::Strategies::DatabaseAuthenticatable.class_eval do
  # Never persist the authenticated user in the session
  def store?; false; end
end

josevalim closed this May 8, 2012


emilsoman commented May 17, 2013

Facing the same problem. I'm using rails-api + devise. After reading through lib/warden/proxy.rb, it looks like setting store: false will not solve the problem. It's true that set_user obeys the :store option to decide whether to use session or not. But the authenticate method first tries to fetch the user from the session regardless of what the store? method of the strategy returns.

Just to make sure, I tried @josevalim's workaround. Didn't work for me. It works fine with the code in the pull request.

My API doesn't use a session (env['rack.session'] is nil).
But in the method "_perform_authentication" it looks for an existing user in the session.
Option ":store => false" is ignored.
So we get the error:

NoMethodError: undefined method `[]' for nil:NilClass
warden-1.2.1/lib/warden/session_serializer.rb:31:in `fetch'
warden-1.2.1/lib/warden/proxy.rb:212:in `user'
warden-1.2.1/lib/warden/proxy.rb:318:in `_perform_authentication'
warden-1.2.1/lib/warden/proxy.rb:127:in `authenticate!'



josevalim commented May 23, 2013

Yes, this makes sense. However, I think that we should return if there is no session only on fetch. If you want to store something in the session, we shouldn't silently fail; an explicit store: false must be given. That said, can someone send a pull request to warden with tests? <3
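
A minimal Ruby sketch of the behaviour proposed in the comment above, added here as an example; it is not part of the original thread and not Warden's code. `SketchSerializer`, `SketchProxy` and the session key are hypothetical names: fetching with a nil `rack.session` returns nil, while storing raises unless the caller passes `store: false`.

```ruby
# Simplified model of the fetch/store asymmetry discussed in this thread.
# Hypothetical classes for illustration only; this is NOT Warden's implementation.
class SketchSerializer
  KEY = "sketch.user.key" # constructed session key

  def initialize(env)
    @env = env
  end

  def session
    @env["rack.session"]
  end

  # Reading: a missing session simply means "no stored user".
  def fetch
    return nil if session.nil?
    session[KEY]
  end

  # Writing: never fail silently; the caller has to opt out explicitly.
  def store(user)
    raise ArgumentError, "no rack.session available; pass store: false" if session.nil?
    session[KEY] = user
  end
end

class SketchProxy
  def initialize(env)
    @serializer = SketchSerializer.new(env)
  end

  # Looks in the session first (as the thread says authenticate does),
  # then runs the block, which stands in for a strategy such as HTTP Basic.
  def authenticate(store: true)
    user = @serializer.fetch
    return user if user
    user = yield
    @serializer.store(user) if user && store
    user
  end
end
```

With this split, a session-less API gets a clear error if it forgets `store: false`, instead of a `NoMethodError` deep in the serializer or a user that is silently never persisted.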


emilsoman commented Jul 11, 2013

Not too familiar with warden code, but I'll give this a try


emilsoman commented Jul 11, 2013

PR #75 solves the issue @galetahub mentioned. Still warden doesn't work without session, see Issue #78. I'm looking into this now.

josevalim added a commit that referenced this pull request Jul 11, 2013

Merge pull request #79 from emilsoman/nil-session-logout
Do not throw exception on logout if session is nil. Fixes #78, #37

emilsoman commented Jul 12, 2013

@josevalim, since master has been patched with fixes for using warden without session, can you release the gem so devise could use these changes right away? A lot of people are looking at rails + rails-api for building APIs without session, especially after the JS frameworks boom.
