heartcombo / devise

Flexible authentication solution for Rails with Warden.
http://blog.plataformatec.com.br/tag/devise/
MIT License

Session return_to path for scope is always nil after failure app response. #5295

Open phlegx opened 3 years ago

phlegx commented 3 years ago

Environment

Current behavior

I use custom failure app:

Devise.setup do |config|
  # ...
  config.warden do |manager|
    manager.failure_app = FailureApp
  end
end

And the failure app class:

class FailureApp < Devise::FailureApp
  def respond
    # This session key `session[:user_return_to]` is set here,
    # but at the next request (successful login) it is not set anymore.
    # I have tested it with normal cookie_store and cache_store. Same problem with both.
    super
  end
end

If I disable my failure app (devise config), the problem persists. So, it is not a problem of my failure app.

I use Rails as API only and I have set:

# in config/application.rb
config.middleware.use ActionDispatch::Cookies
config.session_store :cookie_store, key: "_my_session"
config.middleware.use ActionDispatch::Session::CacheStore, config.session_options

and

# in app/controllers/application_controller.rb
class ApplicationController < ActionController::API
  include ActionController::Cookies
end

I check the session id on every action and the id's are always the same.

Cookie store

The default Devise failure app doesn't set the cookie in the response.

Expected behavior

Session key session[:user_return_to] should remain set for the next request.

carlosantoniodasilva commented 3 years ago

The stored path is deleted after the sign in / redirect. Since there's no other intention of using that value (its goal is to know if we should redirect back to the attempted path when not signed in), there's no real reason to keep it in the session.

https://github.com/heartcombo/devise/blob/45b831c4ea5a35914037bd27fe88b76d7b3683a4/lib/devise/controllers/store_location.rb#L11-L18

https://github.com/heartcombo/devise/blob/eed641d2bea11839ab13e943660da41cad14314d/lib/devise/controllers/helpers.rb#L215-L217

If you have some application need that requires knowing that path, I'd recommend stashing it on a separate/different key in your application then.

Other than that, I don't see anything else that'd cause the session to be a problem there, even with API only... if the above doesn't apply to your case, can you please provide a sample app showing the problem?
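The read-once behaviour described above, as an added stand-alone example (not Devise's own code): a Hash stands in for the Rails session, `StoreLocationDemo` is an assumed name, and the last method shows the maintainer's suggestion of copying the path under an app-owned key.

```ruby
require "uri"

# Minimal stand-in for Devise's StoreLocation helpers (assumption: mirrors the
# store/consume behaviour described in the thread, not Devise's actual code).
module StoreLocationDemo
  module_function

  def stored_location_key_for(scope)
    :"#{scope}_return_to"
  end

  # Keep only path and query of the attempted URL, dropping scheme and host.
  def extract_path_from_location(location)
    uri = URI.parse(location.to_s)
    path = uri.path.to_s
    path = "/" if path.empty?
    path += "?#{uri.query}" if uri.query
    path
  end

  # Called when an unauthenticated request is refused (failure app).
  def store_location_for(session, scope, location)
    session[stored_location_key_for(scope)] = extract_path_from_location(location)
  end

  # Read-once: the key is deleted as it is read, so a second read returns nil.
  def stored_location_for(session, scope)
    session.delete(stored_location_key_for(scope))
  end

  # The sign-in redirect consumes the stored value; that is why the key is
  # gone from the session on the request after a successful login.
  def after_sign_in_path_for(session, scope, root_path = "/")
    stored_location_for(session, scope) || root_path
  end

  # App-side workaround from the thread: keep a copy under a separate key that
  # the sign-in redirect never deletes.
  def store_location_and_remember(session, scope, location)
    path = store_location_for(session, scope, location)
    session[:"#{scope}_attempted_path"] = path
    path
  end
end
```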

phlegx commented 3 years ago

Hi @carlosantoniodasilva! Thx for your response.

Also, if I set session[:my_custom_redirect_to] = '/en', before the login action this session key is nil.

class SessionsController < Devise::SessionsController
  before_action :test

  def test
    p session[:my_custom_redirect_to]
  end

  # ...
end

carlosantoniodasilva commented 3 years ago

@phlegx and what happens if you remove Devise from the equation, just your Rails API app configured with the session stuff, can you still set session values and retrieve them, etc? Honestly there's nothing special that Devise would do with the session, it's up to the app to configure it, which makes me believe this may not be Devise specific.

If you're unable to reproduce without Devise, please provide a sample app showing the issue with it, and I can try to help investigate further.

jackwurth commented 1 year ago

I'd resolved this issue in my app by removing the following line from my application.rb. I'd had it left over from previous API-only work when I wanted to re-enable cookies.

config.middleware.use ActionDispatch::Session::CookieStore