
Session Store Caveat Solution?

Open glundgrenm opened this issue 3 years ago • 3 comments

Hello, I am on Rails 6.1.4, Ruby 2.7.4, devise 4.8.1, devise-jwt 0.9.0

Regarding the Session Store Caveat, the docs' recommendations are not working at all. The only way I managed to disable the cookie being set with the user session (both on sign_in and sign_up) was:

  1. Adding protect_from_forgery with: :null_session to application_controller.rb
  2. Making sure that sessions_controller.rb and registrations_controller.rb don't have this: skip_before_action :verify_authenticity_token (it actually only worked after I removed these)
  3. Removing/commenting out all the skip_session_storage calls

Doing this, it stopped sending the Set-Cookie header only for the Devise API requests, while the ActiveAdmin sessions and the rest of the API controllers' sessions kept working.

Actually, I don't have a clue why it happened; any help clarifying?

glundgrenm, Jun 14 '22 17:06

Not sure. However, if you don't need cookies you can disable session storage altogether.

waiting-for-dev, Jun 22 '22 05:06

I'm experiencing the same issue.

Rails 6.1.6.1, Ruby 2.7.5, devise 4.8.1, devise-jwt 0.9.0

democlitos, Sep 13 '22 14:09

As I can't disable cookies entirely, for the sessions controller my solution was to disable the session through the Warden store option:

# controllers/custom_sessions_controller.rb
class CustomSessionsController < Devise::SessionsController
  def create
    # Tell Warden not to store the user in the session for JSON (API) requests,
    # so no session cookie is set; browser (non-JSON) requests keep the session.
    self.resource = warden.authenticate!(auth_options.merge(store: !request.format.json?))
    # ...
  end
end

And as for the create action (which is called when signing up), I had to override the sign_up method:

# controllers/custom_registrations_controller.rb
class CustomRegistrationsController < Devise::RegistrationsController
  protected

  # Do nothing. Originally, this method calls:
  #   sign_in(resource_name, resource)
  # which would push the freshly created user into the session.
  def sign_up(resource_name, resource)
  end
end

But I'm not sure if this is the best approach.

democlitos, Sep 13 '22 15:09

To make this work gracefully, you need to overload sign_up to deal with the user being pushed to the session on create, as @democlitos mentioned, and use the store: false option.

see https://github.com/waiting-for-dev/devise-jwt/issues/235#issuecomment-1365667870

Dujota, Dec 27 '22 07:12

Closing it, as that's something already documented in the Readme. If you come up with a better solution, please, feel free to submit a PR updating the README. Thanks all for your collaboration 🙏

waiting-for-dev, Jan 22 '23 15:01