mikker / passwordless

🗝 Authentication for your Rails app without the icky-ness of passwords
MIT License

Save session.id in cookie instead of user.id to allow expiration #44

Closed mikker closed 5 years ago

mikker commented 5 years ago

When we authenticate_by_cookie we find the user by the saved user_id in the cookies. This means we don't actually know when their session expires.

Instead we'll save the session.id and look up the user from that. That way we'll know if the session has expired too. We might even want to check for this on every sign-in-required request?

mikker commented 5 years ago

This is breaking because it means signing out everyone after upgrading.

Perhaps there's an easy enough upgrade path of _fall back to looking up session with something like `fallback_session = user.find(cookies[:user_id])&.sessions.valid.first`_
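The two comments above describe one mechanism: store the session id in the cookie so expiry can be enforced on every request, and, during the upgrade window, fall back from a legacy `user_id` cookie to that user's most recent still-valid session. The following is an added illustration written for this page, not code from the passwordless gem or its PR. It replaces ActiveRecord with an in-memory store, and the cookie names `:user_id` / `:session_id`, the `Store` class and the one-hour TTL are assumptions. Like the original, it trusts the cookie jar itself (a real app would rely on Rails' signed or encrypted cookies); the point is that a forged or stale value can only ever yield a non-expired session, never a bare user id.

```ruby
require "securerandom"
require "time"

# Constructed stand-in for the gem's Session model: belongs to a user and
# carries an expiry. A real app persists this in the database.
Session = Struct.new(:id, :user_id, :expires_at, keyword_init: true) do
  def expired?(now = Time.now)
    expires_at <= now
  end
end

User = Struct.new(:id, :email, keyword_init: true)

# Minimal in-memory store standing in for the users/sessions tables (assumption).
class Store
  attr_reader :users, :sessions

  def initialize
    @users = {}
    @sessions = {}
  end

  def create_user(email)
    user = User.new(id: @users.size + 1, email: email)
    @users[user.id] = user
  end

  def create_session(user, ttl:, now: Time.now)
    session = Session.new(id: SecureRandom.hex(16), user_id: user.id, expires_at: now + ttl)
    @sessions[session.id] = session
  end

  # Most recent non-expired session for a user; the equivalent of the
  # `sessions.valid.first` fallback sketched in the comment above.
  def valid_session_for(user_id, now: Time.now)
    @sessions.values
             .select { |s| s.user_id == user_id && !s.expired?(now) }
             .max_by(&:expires_at)
  end
end

# Cookie keys are assumptions; the issue only names cookies[:user_id].
USER_ID_COOKIE = :user_id
SESSION_ID_COOKIE = :session_id

# Resolve the current user from the cookie jar on every request.
# Returns [user, session], or [nil, nil] when nobody is signed in.
#
# Path 1 (new scheme): look the session up by id and refuse it once expired,
# clearing the cookie so the client does not keep presenting a dead id.
# Path 2 (upgrade fallback): a pre-upgrade cookie carries only user_id; find
# that user's most recent valid session, then rewrite the cookie to the new
# scheme so the legacy path is taken at most once per client.
def authenticate_by_cookie(store, cookies, now: Time.now)
  if (sid = cookies[SESSION_ID_COOKIE])
    session = store.sessions[sid]
    if session.nil? || session.expired?(now)
      cookies.delete(SESSION_ID_COOKIE)
      return [nil, nil]
    end
    return [store.users[session.user_id], session]
  end

  if (uid = cookies[USER_ID_COOKIE])
    cookies.delete(USER_ID_COOKIE) # never keep the legacy cookie around
    session = store.valid_session_for(uid.to_i, now: now)
    return [nil, nil] if session.nil?

    cookies[SESSION_ID_COOKIE] = session.id
    return [store.users[session.user_id], session]
  end

  [nil, nil]
end

# Stand-alone demo on constructed data.
if $PROGRAM_NAME == __FILE__
  store = Store.new
  alice = store.create_user("alice@example.com")
  t0 = Time.utc(2024, 1, 1)
  sess = store.create_session(alice, ttl: 3600, now: t0)
  legacy = { USER_ID_COOKIE => alice.id.to_s }
  user, _ = authenticate_by_cookie(store, legacy, now: t0 + 60)
  puts "legacy cookie -> #{user&.email}, migrated to #{legacy[SESSION_ID_COOKIE] == sess.id}"
  user, _ = authenticate_by_cookie(store, { SESSION_ID_COOKIE => sess.id }, now: t0 + 7200)
  puts "after expiry -> #{user.inspect}"
end
```

Because `authenticate_by_cookie` rewrites the cookie on the fallback path, the `user_id` cookie disappears after one successful request, so the fallback can be deleted in a later release without signing anyone out a second time.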

mikker commented 5 years ago

Consider that possibly breaking change then 😄

mikker commented 5 years ago

Closed by #53