
sign_in test helper only persisting session for a single page view

Open sidraval opened this issue 6 years ago • 3 comments

@halogenandtoast 👋

Rails version: 5.2, started in API mode, then added sessions/cookies middleware back in when needed

Oath version: 1.1.0

Issue

In a feature test, when I use the sign_in helper, I can visit a page that requires authorization. But if I click a link or submit a form that requires authorization, I get redirected back to my log in page.

I have an application here that reproduces the issue. I started this with rails new --api and added the same sessions/cookies middleware back, just like in my initial example.

There are two test cases: One that passes, showing that going through the form-based login flow works as expected, and one that fails, showing that something funky is going on with Oath's sign_in helper.

Reproduction repository

I have not tested what happens with a brand new Rails 5.2 app that's started in "regular" mode (e.g. without the --api flag).

Any help appreciated!

@sallyhall and I worked on the bug reproduction repository together, tagging her so she can follow progress

May 07 '18 14:05 sidraval

Howdy @sidraval and @sallyhall, thanks for opening this issue. I'm pretty sure this is isolated to using the --api flag, as I have run these tests on regular apps. I'd be happy to look into why this is happening and fix it.

May 08 '18 01:05 halogenandtoast

So a brief update. I have a good idea of what is happening.

The test helper sign_in just calls warden's test helper login_as, which sets up warden to set the user on the next request. This seems to work just fine, as the initial next request works correctly; however, in subsequent requests it does not. The main interface for this is the SessionSerializer from warden, which should be setting a session variable; however, the session store is not enabled for rails api, which is how it would normally be persisted.

I believe this reflects the nature of API calls which would require authentication on each request, however I'm uncertain as to why this would then work when going through the form because I believe the session store middleware isn't activated (see https://github.com/rails-api/rails-api/blob/master/lib/rails-api/application.rb#L90) since api_only is set to true.

I'll keep investigating, but figured I'd provide an update.

May 09 '18 06:05 halogenandtoast

I see now that you've added back in the stuff I was referring to: https://github.com/sidraval/oath-bug-reproduction/blob/master/config/application.rb#L34

I'll have to see if there is something different between hooking these up this way vs when using a non-api application.

May 09 '18 07:05 halogenandtoast
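
Added example, not part of the thread and not Oath's or Warden's code: a simplified Ruby model of the mechanism described in the first update above, where a one-shot test login only survives past the first request if the user is written to a session that persists. `ToyApp`, `two_page_views` and the user value are hypothetical names constructed for illustration; the thread does not establish that this is the cause in the reproduction app.

```ruby
require "securerandom"

# Toy model of the flow described in the thread. All names are hypothetical;
# this is not Warden's or Oath's implementation.
class ToyApp
  # session_store: a Hash acting as server-side session storage, or nil to
  # model an app in which no session persistence is active.
  def initialize(session_store)
    @session_store = session_store
    @pending_user = nil
  end

  # Models a login_as-style test helper: arms a login for the next request.
  def login_as(user)
    @pending_user = user
  end

  # Handles one request to a protected page. `cookies` is the client's jar.
  def get_protected(cookies)
    session = load_session(cookies)
    if @pending_user
      session[:user] = @pending_user # serialize the user into the session
      @pending_user = nil            # the hook fires once only
    end
    session[:user] ? [200, session[:user]] : [302, "/sign_in"]
  end

  private

  def load_session(cookies)
    return {} if @session_store.nil? # fresh, unsaved session on every request
    cookies[:sid] ||= SecureRandom.hex(16)
    @session_store[cookies[:sid]] ||= {}
  end
end

# Runs the two-page-view scenario from the issue and returns both statuses.
def two_page_views(session_store)
  app = ToyApp.new(session_store)
  cookies = {}
  app.login_as("constructed-user")
  [app.get_protected(cookies).first, app.get_protected(cookies).first]
end

p two_page_views(nil) # no persistence: second view redirects to sign-in
p two_page_views({})  # persistence active: both views are authorized
```

A feature test that asserts on the second page view, not only the first, is what distinguishes these two cases.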