Token Authenticatable writes to session #17
Comments
Can you PR with the skip_session_storage? Also does Devise have anything in super classes we can use so we don't have to put

I would prefer if we use skip_session_storage instead of just false... sometimes we will want to open a webview from a mobile app and then have the user go through a flow without having to send the auth token every time. Unclear on second problem... can't you just use

Inheriting from Devise::Strategies::Authenticatable instead of Devise::Strategies::Base would include

authentication_type gets set one step down the "authenticatable#valid?" stack, so it looks like we could inherit from it and set :authentication_type in the TokenAuthenticatable#valid? method. Authenticatable is otherwise a bunch of private methods (TokenAuthenticatable overwrites the public ones), so it should be ok.
What I do in APIs is just nullify the session on every request (in my API base controller) like so:

```ruby
# In the API base controller: never keep a CSRF-backed session for API requests
protect_from_forgery with: :null_session
before_action :nullify_session
# ...
def nullify_session
  # Runs the configured forgery-protection strategy's unverified-request
  # handler (with :null_session this empties the session for the request)
  forgery_protection_strategy.new(self).handle_unverified_request
end
```

That way you don't have to mess around with the session or Devise.
@crododile let's inherit from that and just provide an
The token authenticatable strategy writes auth stuff into the session. This is a problem because logging out by throwing away the authentication token does not work if the browser does not throw out the session (hybrid, sometimes iOS).

Token Auth issue could be solved by adding a method

A separate issue is that we log in with Database Authenticatable and that strategy also writes to the session, but we can't tell Database Authenticatable not to store by default b/c that strategy is used by the web app.

Solved that by simply deleting the auth info from the session, but would be nice to have
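The failure mode in this issue (token revoked, but the browser session still carries the user) and the proposed `skip_session_storage` fix, as an added stand-alone example that is not code from this project or from Devise. Devise's `Authenticatable` strategy really does gate session writes on `store?` (which consults `skip_session_storage` for the strategy's `authentication_type`) and passes that to Warden's `set_user(user, store: ...)`; the classes below (`UserModel`, `Session`, `Request`, `TokenStrategy`, `current_user`) are simplified mocks written for this example so it runs without Rails, Warden or Devise, and the token value is constructed sample data.

```ruby
require 'set'

# Stand-in for the Devise model class: holds the tokens and the
# skip_session_storage setting (real Devise: config.skip_session_storage = [...]).
class UserModel
  attr_reader :skip_session_storage

  def initialize(skip_session_storage: [])
    @skip_session_storage = skip_session_storage
    @tokens = { 'tok-alice-123' => 'alice' } # constructed sample data
  end

  def find_by_token(token)
    @tokens[token]
  end

  # "Logout" for a token client: the token stops being valid.
  def revoke_token!(token)
    @tokens.delete(token)
  end
end

# Minimal session hash standing in for the Rack cookie session.
class Session
  def initialize
    @data = {}
  end

  def [](key)
    @data[key]
  end

  def []=(key, value)
    @data[key] = value
  end
end

# A request either carries a token or only the previously set session.
Request = Struct.new(:params, :session)

# Mirrors the shape of a Devise strategy: valid? decides whether the strategy
# applies, authenticate! resolves the user, store? asks skip_session_storage
# whether this authentication_type may be persisted into the session.
class TokenStrategy
  def initialize(model, request)
    @model = model
    @request = request
  end

  def authentication_type
    :token_auth
  end

  def valid?
    !@request.params[:auth_token].nil?
  end

  def store?
    !@model.skip_session_storage.include?(authentication_type)
  end

  def authenticate!
    user = @model.find_by_token(@request.params[:auth_token])
    return nil unless user

    # Equivalent of warden.set_user(user, store: store?): the session is only
    # written when the strategy is allowed to store.
    @request.session[:user_id] = user if store?
    user
  end
end

# Resolve the current user the way Warden does: run the strategy if it applies,
# otherwise fall back to whatever user id is already in the session.
def current_user(model, request)
  strategy = TokenStrategy.new(model, request)
  user = strategy.authenticate! if strategy.valid?
  user || request.session[:user_id]
end

# Scenario from the issue: authenticate with a token, revoke the token (logout),
# then hit the app again from the same browser session without a token.
def user_after_token_revoked(skip_session_storage:)
  model = UserModel.new(skip_session_storage: skip_session_storage)
  session = Session.new
  current_user(model, Request.new({ auth_token: 'tok-alice-123' }, session))
  model.revoke_token!('tok-alice-123')
  current_user(model, Request.new({}, session)) # no token, stale session only
end

if __FILE__ == $PROGRAM_NAME
  p user_after_token_revoked(skip_session_storage: [])            # "alice": still logged in
  p user_after_token_revoked(skip_session_storage: [:token_auth]) # nil: logout is effective
end
```

With an empty skip list the revoked user is still resolved from the stale session, which is exactly the hybrid/iOS logout problem described above; listing the strategy's `authentication_type` in `skip_session_storage` keeps token requests stateless, so revoking the token is the only thing a logout has to do, while Database Authenticatable used by the web app keeps storing its session as before.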