
remember_me module raises 'undefined method' error if no SSL.

Open kevin-smartpatients opened this issue 3 years ago • 3 comments

Configuration

  • Sorcery Version: 0.16.0
  • Ruby Version: ruby-2.6.6
  • Framework: Rails 6.0.3.5
  • Platform: MacOS

Expected Behavior

I just enabled remember_me. I don't expect it to work on localhost without SSL but it shouldn't blow up.

Actual Behavior

With the remember_me module enabled, if you check to see if the user is logged_in?, this code in the remember_me module raises an error undefined method 'signed' for nil:NilClass because signed cookies are not available unless you are using SSL.

# remember_me.rb
def login_from_cookie
  user = cookies.signed[:remember_me_token] && … if defined? cookies
  (…)
end

Steps to Reproduce

# sorcery.rb
Rails.application.config.sorcery.submodules = [:reset_password, :session_timeout, :remember_me]
# my code in a controller action
  def show
    puts 'hello' if logged_in?
  end

This workaround fixes it for me:

# application_controller.rb
  def login_from_cookie
    super if request.ssl?
  end

It's an easy fix and I can submit a PR with a test if it's useful. The check for cookies needs to check whether cookies is nil.

# remember_me.rb line 62
user = cookies.signed[:remember_me_token] (…) if defined?(cookies) && cookies

kevin-smartpatients avatar Mar 09 '21 12:03 kevin-smartpatients
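To see why the proposed nil check matters, here is an added example (not Sorcery's code, and runnable without Rails) built on a constructed stand-in for a controller whose cookies helper returns nil: defined?(cookies) reports "method" whenever the method exists, regardless of what it returns, so only the extra && cookies guard keeps cookies.signed from raising NoMethodError on nil.

```ruby
# Added example, not Sorcery's code. FakeSignedJar / FakeCookieJar /
# FakeController are constructed stand-ins for the Rails cookie jar and a
# controller; they exist only to reproduce the guard behaviour.

# Stand-in for the `cookies.signed` jar: a plain token -> value lookup.
class FakeSignedJar
  def initialize(values)
    @values = values
  end

  def [](key)
    @values[key]
  end
end

# Stand-in for the `cookies` helper's return value.
class FakeCookieJar
  def initialize(values)
    @signed = FakeSignedJar.new(values)
  end

  attr_reader :signed
end

# Hypothetical controller whose `cookies` helper may return nil, mirroring
# the environment the issue describes where no cookie jar is available.
class FakeController
  def initialize(jar)
    @jar = jar
  end

  def cookies
    @jar
  end

  # Guard as in the original remember_me.rb: `defined? cookies` is "method"
  # whenever the method exists, even when it returns nil.
  def login_from_cookie_original
    cookies.signed[:remember_me_token] if defined? cookies
  end

  # Guard from the proposed fix: also require the jar itself to be non-nil.
  def login_from_cookie_fixed
    cookies.signed[:remember_me_token] if defined?(cookies) && cookies
  end
end

def token_with_original_guard(jar)
  FakeController.new(jar).login_from_cookie_original
end

def token_with_fixed_guard(jar)
  FakeController.new(jar).login_from_cookie_fixed
end

# Returns the error class the original guard raises when cookies is nil
# (nil if nothing was raised).
def original_guard_error(jar)
  token_with_original_guard(jar)
  nil
rescue NoMethodError => e
  e.class
end
```

With a real jar both guards return the token; with a nil jar the original guard raises NoMethodError while the fixed guard returns nil, which is the behaviour the one-line change in the issue is after.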

@kevin-smartpatients Looks like a simple enough fix! Opening a PR would be appreciated. :smiley:

joshbuker avatar Mar 09 '21 17:03 joshbuker

Presumably this is only an issue when testing locally, as you should always be using HTTPS in production. Still worth looking into and addressing though.

joshbuker avatar Jun 05 '21 00:06 joshbuker

Yes. Only in development. I had forgotten about this. Sorry. I'll try to tackle it this week.

On Sat, Jun 5, 2021 at 1:30 AM Josh Buker wrote:

Presumably this is only an issue when testing locally, as you should always be using HTTPS in production. Still worth looking into and addressing though.

View it on GitHub: https://github.com/Sorcery/sorcery/issues/273#issuecomment-855154213

kevin-smartpatients avatar Jun 05 '21 11:06 kevin-smartpatients