devise_token_auth

validate_token changes/encrypts cookie

Open mdodell opened this issue 2 years ago • 2 comments

Context

When we call the validate_token endpoint using Cookies, it overrides the cookie which contains important information like the access token, etc. I can't tell whether it is encrypting the token (when it was not encrypted upon signing up/logging in) or not.

I have created a minimum-replication Rails app, which can be found here. I have also showcased this issue in Postman, with example endpoints to run, as well as examples of what their responses are.

The main issue is when calling this endpoint with a cookie gained from signing up or logging in, the cookie is then set to a new cookie, and encrypted/scrambled.

Template Information

gem 'devise_token_auth', '>= 1.2.0', git: "https://github.com/lynndylanhurley/devise_token_auth" - this was needed to get it working with Rails 7

  • Request and response headers: these can be found in the "Network" tab of your browser's web inspector.

I have examples saved on this public Postman workspace.

  • Environmental Info: How is your application different from the reference implementation? This may include (but is not limited to) the following details:

I am using Cookies, so I have done the following. Secure will be set to true in a PROD environment, but it is needed as false in order to showcase this on Postman.

  config.change_headers_on_each_request = true
  config.token_cost = Rails.env.test? ? 4 : 10
  config.cookie_enabled = true
  config.cookie_name = "testing-dta"
  config.cookie_attributes = {
    http_only: true,
    secure: false,
    same_site: "None"
  }

  • Routes: are you using some crazy namespace, scope, or constraint?

N/A

  • Gems: are you using MongoDB, Grape, RailsApi, ActiveAdmin, etc.?

Active Admin/Postgres

N/A

I am using this in API only mode, to be used with a React SPA later on. However, this is a backend issue.

mdodell avatar Jun 07 '22 15:06 mdodell

Hey @mdodell ! Check out this doc about SameSite=None. It looks like your current config will result in the cookie being blocked.

theblang avatar Jun 28 '22 21:06 theblang

Hey @theblang - I tested this with a Heroku app as well, with the following config:

  config.cookie_enabled = true
  config.cookie_name = "testing-dta"
  config.cookie_attributes = {
    http_only: true,
    secure: true,
    same_site: "None"
  }

You can test it locally for yourself here: https://github.com/mdodell/devise-token-auth.

Here is it running in Postman: https://www.postman.com/winter-star-976257/workspace/devise-token-auth-cookie-issue/overview.

I'll leave that Heroku app running for now so you can also play with it yourself.

As you can see, the response header for the validate-token route is as follows:

[{"key":"Set-Cookie","value":"testing-dta=myrAWLEsUDXd24MTWQpGe4OznN62sWsqiWu0cF9qcghaBPhxVVgC4Q4Luvrbg0TbE996lY6cxoSlkqm%2F5n6gprjqjekEAdl5a1wz%2FkjZyy1wFaNpjuVXErf1YICHa7d4Y%2BYZftdz2rHnoJEvMfeZZYbEjcAn%2BAYNa9MuCfUuYPiIipl%2B1If6c3YxHn9vUVFv0YLuaTob9m0PMb49diKY7saDS03IG2RT3VgelzYMKxEx7zIZB5yXbPsPuiWJP4EydpOnlP%2BFksgt4e36XmEAAwWkHg%3D%3D--OqIZoXHw3CkWjdEb--bUxopeO9VFnUF8Plu0S2Og%3D%3D; path=/; HttpOnly; SameSite=Lax"}]

SameSite is set to "Lax" and there is no Secure - even though they are configured to be SameSite "None" and "Secure" as true in the config here.

TL;DR: The validate_token route is ignoring/not using the configuration for the cookies.

mdodell avatar Jul 09 '22 19:07 mdodell
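A small check for the mismatch reported above, as an added example that is not part of the issue or of devise_token_auth: it parses a Set-Cookie header and compares its flags with the cookie_attributes the thread configures (HttpOnly, Secure, SameSite=None). The header strings are constructed with a placeholder cookie value; the helper names are hypothetical.

```ruby
# Added example (not from the issue or devise_token_auth): check that a
# Set-Cookie header carries the attributes the cookie_attributes config asks for.
# Mirrors the config from the issue: http_only: true, secure: true, same_site: "None".
EXPECTED_COOKIE_ATTRIBUTES = { http_only: true, secure: true, same_site: "None" }.freeze

# Parse one Set-Cookie header value into { name:, value:, attributes: }.
# Attribute names are case-insensitive (RFC 6265); bare flags map to true.
def parse_set_cookie(header)
  pair, *attrs = header.split(";").map(&:strip)
  name, value = pair.split("=", 2)
  attributes = attrs.each_with_object({}) do |attr, h|
    k, v = attr.split("=", 2)
    h[k.downcase] = v.nil? ? true : v
  end
  { name: name, value: value, attributes: attributes }
end

# Compare the parsed attributes against the configured expectation.
# Returns an array of mismatch descriptions; empty means the header matches the config.
def cookie_attribute_mismatches(header, expected = EXPECTED_COOKIE_ATTRIBUTES)
  attrs = parse_set_cookie(header)[:attributes]
  problems = []
  problems << "HttpOnly flag missing" if expected[:http_only] && !attrs.key?("httponly")
  problems << "Secure flag missing" if expected[:secure] && !attrs.key?("secure")
  if expected[:same_site]
    actual = attrs["samesite"]
    unless actual.to_s.casecmp?(expected[:same_site])
      problems << "SameSite is #{actual.inspect}, expected #{expected[:same_site].inspect}"
    end
    # Browsers reject SameSite=None without Secure, so flag that combination as well.
    if actual.to_s.casecmp?("None") && !attrs.key?("secure")
      problems << "SameSite=None requires the Secure flag"
    end
  end
  problems
end

# Constructed samples: the shape of the header reported in the issue (placeholder value),
# and what the configured attributes should have produced.
REPORTED_HEADER = "testing-dta=PLACEHOLDER_COOKIE_VALUE; path=/; HttpOnly; SameSite=Lax"
CORRECT_HEADER  = "testing-dta=PLACEHOLDER_COOKIE_VALUE; path=/; HttpOnly; Secure; SameSite=None"

if __FILE__ == $PROGRAM_NAME
  puts cookie_attribute_mismatches(REPORTED_HEADER)
  # => Secure flag missing, SameSite is "Lax", expected "None"
end
```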