jeremyevans / rodauth

Ruby's Most Advanced Authentication Framework
http://rodauth.jeremyevans.net
MIT License

Logout fails after enabling active_sessions #224

Closed dush closed 2 years ago

dush commented 2 years ago

After I've enabled active_sessions, currently logged in users failed to log out with:

TypeError: no implicit conversion of nil into String
  from rodauth (2.19.0) lib/rodauth/features/base.rb:649:in `digest'
  from rodauth (2.19.0) lib/rodauth/features/base.rb:649:in `compute_raw_hmac'
  from rodauth (2.19.0) lib/rodauth/features/base.rb:237:in `compute_hmac'
  from rodauth (2.19.0) lib/rodauth/features/active_sessions.rb:84:in `remove_current_session'
  from rodauth (2.19.0) lib/rodauth/features/active_sessions.rb:128:in `before_logout'
  from rodauth (2.19.0) lib/rodauth/features/logout.rb:25:in `block (4 levels) in <module:Rodauth>'

It seems that for users logged in before enabling active_sessions, session[session_id_session_key] is nil.

Note: I'm using JWT auth as it is API only Rails app.

jeremyevans commented 2 years ago

Thanks for the report. I agree that we should only attempt to delete if the session key is set. I'll make that change shortly.
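
The failure mode reported in this thread, reproduced as an added example (not Rodauth's code and not the patch the maintainer applied): a session created before tracking was enabled carries no session id, so an unguarded HMAC over it raises, while a guarded removal skips the lookup. The class, method and key names and the secret are hypothetical stand-ins, and a Hash stands in for the active sessions table.

```ruby
require "openssl"
require "base64"
require "securerandom"

# Hypothetical stand-in for a session-tracking logout hook (assumed names).
class SessionTracker
  SESSION_ID_KEY = "active_session_id" # assumed session key name
  attr_reader :rows

  def initialize(hmac_secret)
    @hmac_secret = hmac_secret
    @rows = {} # stored HMAC of session id => account id (stands in for the DB table)
  end

  def compute_hmac(data)
    raw = OpenSSL::HMAC.digest(OpenSSL::Digest.new("SHA256"), @hmac_secret, data)
    Base64.urlsafe_encode64(raw)
  end

  # Called at login once tracking is enabled: only these sessions get an id.
  def add_session(session, account_id)
    session[SESSION_ID_KEY] = SecureRandom.hex(32)
    @rows[compute_hmac(session[SESSION_ID_KEY])] = account_id
  end

  # Unguarded form: passes nil to the HMAC for a pre-existing session.
  def remove_current_session_unguarded(session)
    !@rows.delete(compute_hmac(session[SESSION_ID_KEY])).nil?
  end

  # Guarded form: only attempt the delete when the session key is set.
  def remove_current_session(session)
    id = session[SESSION_ID_KEY]
    return false unless id
    !@rows.delete(compute_hmac(id)).nil?
  end
end

def demo
  tracker = SessionTracker.new("constructed-secret")
  legacy  = { "account_id" => 1 } # constructed: logged in before tracking existed
  tracked = { "account_id" => 2 } # constructed: logged in after tracking was enabled
  tracker.add_session(tracked, 2)
  crash = begin
    tracker.remove_current_session_unguarded(legacy)
  rescue TypeError => e
    e.class
  end
  [crash, tracker.remove_current_session(legacy),
   tracker.remove_current_session(tracked), tracker.rows.size]
end
```

With the guard, the legacy session logs out without touching the table, and the tracked session's row is still removed.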