Does not account for devise-jwt's revocation strategy #5
Comments
Thanks for the feedback. It's been a while since I worked on this, and don't know from the top of my head how the revocation strategies work (or should work :)). It could be that it just unsets/removes the cookie, but does not run the revocation strategy. I'd have to dig a bit deeper to find out what happens exactly. I'll set up a test project and I'll see if I can find out what happens. Could take some time though, I'm a bit wrapped up in other things at the moment.

@derekyau which revocation strategy are you normally using? The Allowlist, or the Denylist?

@scarhand I'm using the Great work on this btw, I was shocked there wasn't a library for Rails that did httpOnly cookie based authentication, this was the perfect fit.
…and before the rest of the middleware is called. Related to #5 Bump version to 0.5.0
I've made some changes that should add the header if the token should be revoked. It essentially does the same as your middleware work-around, but in the gem itself. Thanks for the hint :) I've built and pushed a new version. Could you let me know if this solves the issue, and removes the need for the additional middleware?

@scarhand it works! Glad my middleware snippet helped :) Awesome, issue solved
This gem works great! One thing that I noticed was that using standard `devise-jwt` and their revocation strategies, when I send a logout request (set via `config.jwt.revocation_requests`) it removes the token from the database based upon the strategy chosen.

After I installed `devise-jwt-cookie` the logout call was made, but the revocation strategy did not run. I'm newer to this, but taking a brief look at the source code for `devise-jwt` it seems to expect there to be an `HTTP_AUTHORIZATION` header such that the proper database entry can be revoked. As after you install this gem, we no longer send that header (and rather use cookies) it does not seem to know to revoke it.

For the time being, a quick workaround seems to be to add some middleware that injects it back in. Something like:

This does work, but I'm wondering whether there's a better way? Or whether we should build this into the library itself?

Thanks!
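The workaround described in the issue, as an added illustration that is not the reporter's snippet and not code from either gem: a Rack middleware that copies the JWT from the auth cookie into the `HTTP_AUTHORIZATION` header so that devise-jwt's revocation strategy sees the token on logout. The cookie name `jwt` and the `Bearer` scheme are assumptions; an Authorization header already sent by the client is left untouched.

```ruby
# Added example (not from devise-jwt or devise-jwt-cookie). Re-creates the
# HTTP_AUTHORIZATION header from the auth cookie so devise-jwt can look up and
# revoke the token on a revocation request (logout). Stdlib only, no Rack
# dependency: JWTs are URL-safe base64, so cookie values need no decoding.
class JwtCookieToHeader
  COOKIE_NAME = 'jwt'.freeze # assumed cookie name, not taken from the gem

  def initialize(app)
    @app = app
  end

  # Standard Rack middleware entry point: fix up env, then hand it on.
  def call(env)
    self.class.inject!(env)
    @app.call(env)
  end

  # Parse the raw Cookie header ("a=1; b=2") into a Hash of name => value.
  def self.parse_cookies(header)
    return {} if header.nil? || header.empty?
    header.split(/;\s*/).each_with_object({}) do |pair, cookies|
      name, value = pair.split('=', 2)
      next if name.nil? || value.nil?
      cookies[name.strip] = value
    end
  end

  # Set HTTP_AUTHORIZATION from the cookie only when the client did not send
  # one, so an explicit header always wins. Returns the header value the
  # downstream app will see, or nil when no token was available.
  def self.inject!(env)
    return env['HTTP_AUTHORIZATION'] if env['HTTP_AUTHORIZATION']
    token = parse_cookies(env['HTTP_COOKIE'])[COOKIE_NAME]
    return nil if token.nil? || token.empty?
    env['HTTP_AUTHORIZATION'] = "Bearer #{token}"
  end
end
```

In a Rails app the middleware would be registered with `config.middleware.insert_before` ahead of Warden so the header is present when devise-jwt's revocation logic runs.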