nejdetkadir / devise-api

The devise-api gem is a convenient way to add authentication to your Ruby on Rails application using the devise gem. It provides support for access tokens and refresh tokens, which allow you to authenticate API requests and keep the user's session active for a longer period of time on the client side.
MIT License

Fix Refresh token AbstractController::DoubleRenderError #29

Closed xkraty closed 10 months ago

xkraty commented 1 year ago

app/controllers/api/devise/tokens_controller.rb#refresh was causing AbstractController::DoubleRenderError when access_token is revoked, due to a missing return.

        if current_devise_api_refresh_token.revoked?
          error_response = Devise::Api::Responses::ErrorResponse.new(request, error: :revoked_token,
                                                                              resource_class: resource_class)

          return render json: error_response.body, status: error_response.status
        end

In spec/requests/token_spec.rb, some refresh_token tests were passing access_token in headers.

      before do
        post refresh_user_tokens_path, headers: authentication_headers_for(user, devise_api_token, :refresh_token), as: :json
      end

samuelboland commented 10 months ago

I was about to submit a PR to fix this same issue, but found this one already open. It'd be great if this could be merged.
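
The failure mode this PR describes, as an added plain-Ruby example (not code from devise-api or Rails): `render` records a response but does not end the action, so without `return` the code after the revoked-token guard still runs and the second `render` raises. `FakeController`, `issue_new_tokens`, `run` and the status codes are hypothetical stand-ins.

```ruby
# Stand-in for the Rails render-once rule; not Rails or devise-api code.
class DoubleRenderError < StandardError; end

class FakeController
  attr_reader :response, :rotations

  def initialize(revoked:)
    @revoked = revoked   # constructed state of the presented refresh token
    @response = nil
    @rotations = 0       # counts how often the token-issuing step ran
  end

  # Like Rails, render records the response but does NOT stop the action.
  def render(json:, status:)
    raise DoubleRenderError, "render called twice in one action" if @response
    @response = { json: json, status: status }
  end

  # Shape of the action before the fix: no return after the error render.
  def refresh_without_return
    if @revoked
      render json: { error: "revoked_token" }, status: 401
    end
    issue_new_tokens
  end

  # Shape of the action after the fix: return ends the action at the guard.
  def refresh_with_return
    if @revoked
      return render json: { error: "revoked_token" }, status: 401
    end
    issue_new_tokens
  end

  private

  # Hypothetical success path; what the real action does here is assumed.
  def issue_new_tokens
    @rotations += 1      # side effect happens before the second render
    render json: { token: "constructed-sample" }, status: 200
  end
end

# Returns [status or :double_render, number of times tokens were issued].
def run(action, revoked:)
  controller = FakeController.new(revoked: revoked)
  controller.public_send(action)
  [controller.response[:status], controller.rotations]
rescue DoubleRenderError
  [:double_render, controller.rotations]
end
```

A request spec for the revoked branch should assert both the error status and that no new token was issued, since the exception alone does not show whether the fall-through code had side effects.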