Closed baptistejub closed 8 months ago
Thanks for the report. I believe this is a bug in rodauth-rails, I didn't test whether paths with extensions still work.
One solution would be for rodauth-rails to set the formats only before rendering inside Rodauth, because that's when they're needed. We shouldn't be modifying anything if Rails is the one serving requests.
Could you post your actual RodauthApp
, just so that I know what is getting called in the route
block other than r.rodauth
? I'm not sure in which scenario it makes sense to clear the session while serving a Rails route (as opposed to a Rodauth route).
OK, after re-reading the report, I understand now that you're using the http_basic_auth
feature, and probably calling rodauth.http_basic_auth
in the route
block. I'm working on a fix.
Thanks for the quick response. It's indeed when using http_basic_auth
.
Here a very simple RodauthApp to reproduce (if you still need it):
require 'sequel/core'
class RodauthApp < Rodauth::Rails::App
plugin :pass
configure do
enable :login, :logout, :session_expiration, :account_expiration, :bearer_auth, :http_basic_auth, :internal_request
db Sequel.connect(
"#{ActiveRecord::Base.connection_db_config.adapter}://",
extensions: :activerecord_connection
)
login_column :username
end
route do |r|
rodauth.require_http_basic_auth
end
end
and a controller
class TestsController < ApplicationController
def index
respond_to do |format|
format.json { render json: { message: 'json' } }
format.xml { render xml: '<test>xml</test>' }
format.any { render plain: 'plain' }
end
end
end
A some curl examples
# returns json
curl --location 'localhost:3000/tests.xml' --header 'Accept: */*' --header 'Authorization: Basic xxxxxx'
# returns xml
curl --location 'localhost:3000/tests.xml' --header 'Authorization: Basic xxxxxx'
I believe the issue should be addressed with the latest commit. Thanks to you already identifying the root cause, I could just focus on the fix 🙂
I plan to cut a new release as soon as a new Rodauth version is released, which should hopefully be any day now 🤞🏻
Thanks a lot! I can confirm it's working after testing with the main
branch 🎉
Hello,
We've recently moved our (basic) auth step from the rails controller into the rodauth middleware and we've noticed a change in the response content type.
When given a HTTP
Accept
header and a path extension (.xml, .json...), with rodauth rails authenticating in its middleware (with basic auth), we've noticed it is theAccept
header that is used to determine the response content type. Without auth or with auth in rails controller, it would use the extension in priority.For exemple, with
Accept: */*
andGET /my_data.xml
, the detected request format is*/*
so it returns the first format block of "respond_to" from the rails controller instead of XML (without rodauth auth, rails would return some XML as expected).After a little digging, we've found out that, during the auth process in rodauth rails middleware, the session is updated, thus calling the
clear_session
method which instantiates a rails controller instance that parses and sets the request formats from theAccept
header here https://github.com/janko/rodauth-rails/blob/main/lib/rodauth/rails/feature/render.rb#L51, because the path extension is not yet extracted at this point (request.parameters[:format] is nil).We were expecting to have the same behaviour as vanilla rails (or auth in controller) when authenticating in the middleware.
What's do you think about this behaviour? Is there a misconfiguration on our side?
Right now we patched it by overriding the
_rails_controller_instance
method in our rodauth class (to use the method definition fromlib/rodauth/rails/feature/base.rb
).Some reproduction steps (base on the current test suite):