ember-simple-auth-devise invalidate() does nothing #201

Closed
givanse opened this issue Jun 20, 2014 · 19 comments

@givanse
Contributor

commented Jun 20, 2014

ember-simple-auth-devise invalidate() does nothing.

  /**
    Does nothing

    @method invalidate
    @return {Ember.RSVP.Promise} A resolving promise
  */
  invalidate: function() {
    return Ember.RSVP.resolve();
  }

Ember never logs out, not even if a log out is done from the back end.

@givanse

Contributor Author

commented Jun 21, 2014

I started to work on a PR.

@marcoow

Member

commented Jun 21, 2014

I'm not sure whether that's actually a bug. The invalidate method of the authenticators is only a callback that the authenticator can use to perform additional cleanup tasks etc. When the method returns a resolving promise then it doesn't intercept invalidation of the session and Ember.SimpleAuth's standard session invalidation mechanism is performed, which is simply deleting all session data in the browser, which effectively logs the user out.

@samselikoff

commented Jun 21, 2014

@givanse if this helps, I ended up doing something like this:

Ember.SimpleAuth.Authenticators.Devise.reopen({
  invalidate: function() {
    var self = this;

    return Ember.$.ajax({
      url: '/users/sign_out',
      type: 'DELETE'
    }).then(function() {
      return self._super();
    });
  }
});

@marcoow

Member

commented Jun 21, 2014

Is a DELETE request on /users/sign_out something that's standard Devise? In that case it should maybe be added to Ember.SimpleAuth. However, you need to be aware that when the user only has one token on the server side you're destroying all other sessions that might be currently open as well, e.g. on mobile devices etc.

@marcoow

Member

commented Jun 21, 2014

Just checked, the default implementation of Devise's log out action only destroys the server side session, which has no effect when you're using token authentication. Unless you're implementing your own log out route on the server which sets a new token for the user, there's no point in invoking the logout action on the server side.

@samselikoff

commented Jun 21, 2014

So to clarify, the code I've posted would only destroy the session in the current browser, but not for other devices such as mobile?

@marcoow

Member

commented Jun 21, 2014

No, the code destroys the Rails session, which isn't sent anyway. The token that Ember.SimpleAuth uses is still valid. That's what I said above: as Ember.SimpleAuth uses the token to identify the user, deleting that token on the client side is all that needs to be done to log the user out - no need for the authenticator to do anything else.

@samselikoff

commented Jun 21, 2014

If I don't, I get strange behavior:

  • invalidateSession action destroys client-side token
  • page is reloaded to login route
  • user can simply click 'log in' button, and regardless of username & password system logs in the previously authenticated user

@marcoow

Member

commented Jun 21, 2014

Can you make sure localStorage and Cookies are empty in the browser after the user logs out?

@marcoow

Member

commented Jun 21, 2014

I think I know what the problem is. The Rails server also sends a session cookie when the user is logged in which is still present in the client after the user is logged out. When you're requesting DELETE /users/sign_out that server session is destroyed and the cookie is unset. However, instead of invoking that action the cleaner solution would be to disable server side sessions in the Rails app when the client authenticates via an authentication token. I'll create a follow up ticket.
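
The failure mode described in this comment, as an added example that is not part of the original thread and is not Devise or Ember.SimpleAuth code: a constructed JavaScript model of a backend that hands out both a token and a session cookie. `makeServer`, `replayAfterLogout` and the sample account are hypothetical, and the rule that a live session cookie is honoured before credentials are checked is an assumption made to reproduce the behaviour reported above.

```javascript
// Constructed model, not Devise or Ember.SimpleAuth code: a backend that
// issues both an auth token and a session cookie on sign-in.
function makeServer(dropSession) {
  var users = { alice: 'correct-horse' };      // constructed sample account
  var sessions = {}, tokens = {}, nextId = 1;  // sid -> user, token -> user
  return {
    signIn: function (req) {
      // Assumption: a live session cookie identifies the user before
      // the submitted credentials are looked at.
      var user = sessions[req.cookies.sid];
      if (!user && users[req.login] === req.password) user = req.login;
      if (!user) return { status: 401, cookies: req.cookies };
      var token = 'tok-' + nextId++;
      tokens[token] = user;
      var cookies = {};
      if (!dropSession) {                      // cf. rack.session.options[:drop]
        cookies.sid = 'sid-' + nextId++;
        sessions[cookies.sid] = user;
      }
      return { status: 201, user: user, token: token, cookies: cookies };
    },
    signOut: function (req) {                  // DELETE /users/sign_out
      delete sessions[req.cookies.sid];        // session only; token untouched
      return { status: 204, cookies: {} };
    },
    tokenValid: function (token) { return token in tokens; }
  };
}

// Sign in, log out, then submit wrong credentials from the same browser.
function replayAfterLogout(dropSession, callSignOut) {
  var server = makeServer(dropSession);
  var browser = { token: null, cookies: {} };
  var res = server.signIn({ login: 'alice', password: 'correct-horse', cookies: browser.cookies });
  var oldToken = browser.token = res.token;
  browser.cookies = res.cookies;
  browser.token = null;                        // client-side invalidation only
  if (callSignOut) browser.cookies = server.signOut({ cookies: browser.cookies }).cookies;
  var again = server.signIn({ login: 'bob', password: 'wrong', cookies: browser.cookies });
  return {
    loggedInAs: again.status === 201 ? again.user : null,
    oldTokenValid: server.tokenValid(oldToken)
  };
}
```

In all three combinations the token issued at the first sign-in stays valid on the server, which is the separate point made earlier in the thread about token revocation.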

@marcoow

Member

commented Jun 21, 2014

follow up: #204

@marcoow marcoow closed this Jun 21, 2014

@givanse

Contributor Author

commented Jun 22, 2014

@samselikoff Yes! That is what I was doing, send a DELETE to the backend.

In light of #204 and because I need to keep the session, I chose to disable sending session cookies for JSON requests.

At first I was getting these errors:

POST http://localhost:4200/users/sign_in 500 (Internal Server Error)

NoMethodError (undefined method `options' for {}:Hash):
  rack (1.5.2) lib/rack/session/abstract/id.rb:329:in `commit_session'

So, based on the Rack source code I made it work with:

app/controllers/application_controller.rb

before_filter :use_dummy_session
def use_dummy_session
  env["rack.session.id"] = 1000 # used to avoid generate_sid()                 
  env["rack.session.options"][:drop] = true
end

@givanse

Contributor Author

commented Oct 13, 2014

This is not the right place for that question.

@kaungst

commented Oct 13, 2014

my bad, deleted/moved to so

@7sedam7

commented Feb 16, 2015

I have the following:

<a {{ action 'invalidateSession' }}>Logout</a>

and when I click on Logout I get:

Uncaught Error: Nothing handled the action 'invalidateSession'. If you did handle the action, this error can be caused by returning true from an action handler in a controller, causing the action to bubble.

@marcoow

Member

commented Feb 16, 2015

@7sedam7: you're probably not mixing in the ApplicationRouteMixin in your application route.

@7sedam7


commented Feb 16, 2015

Yeah, thank you, that was the problem. I have just resolved it a few minutes ago.

@benbabics

commented Aug 4, 2016

I just wanted to pass on my findings using ember-simple-auth and the gem 'devise_token_auth'. I was required to send along the uid, client and access-token otherwise /users/sign_out would throw a 404. Hope this helps someone else. Thanks, @samselikoff for the example.

In app/authenticators/devise.js

export default DeviseAuthenticator.extend({
  ...
  invalidate: function(session) {
    return Ember.$.ajax({
      url:  '/users/sign_out',
      type: 'DELETE',
      beforeSend(request) {
        request.setRequestHeader( 'uid', session.uid );
        request.setRequestHeader( 'client', session.client );
        request.setRequestHeader( 'access-token', session.accessToken );
      }
    });
  },
  ...
});