thombruce / credible-ruby-archived

JWT and API Token Authentication for Rails apps
MIT License

Do Not Load Resource for AccessToken Auth #32

Closed thombruce closed 4 years ago

thombruce commented 4 years ago

See: https://github.com/thombruce/helvellyn/issues/79

Basically, this part should not exist on access token auth (currently called 'jwt'):

```ruby
session = ::Session.find(token[0]['data']['session_id'])
success!(session)
```

Instead, an ephemeral session should be initialised with Session.new that has, at least, the User from the accessToken as an attribute - providing current_session and current_user to the controller and view contexts.

thombruce commented 4 years ago

Replace with:

```ruby
user = ::User.find(token[0]['data']['user_id'])
session = ::Session.new(user: user)
success!(session)
```

This will only fail if the user cannot be found.
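The replacement described in this issue, as a self-contained example added here (not code from credible-ruby): an access token is verified, the user is taken from its `data.user_id` claim, and an unsaved session is built around it with no session lookup. `User`, `Session`, `USERS`, `SECRET`, the helper names, the HS256 signing and the `exp` check are all assumptions standing in for the app's models and token code; only the `token[0]['data']['user_id']` shape comes from the thread.

```ruby
require 'openssl'
require 'json'

SECRET = 'constructed-demo-secret'            # constructed value
User   = Struct.new(:id, :name)
USERS  = { 1 => User.new(1, 'alice') }.freeze # stand-in for User.find

# Stand-in for the Session model; on this path it is built but never saved.
Session = Struct.new(:user, keyword_init: true) do
  def persisted?
    false
  end
end

def b64(data)
  [data].pack('m0').tr('+/', '-_').delete('=')
end

def b64d(str)
  (str.tr('-_', '+/') + '=' * (-str.length % 4)).unpack1('m0')
end

def sign(input)
  b64(OpenSSL::HMAC.digest('SHA256', SECRET, input))
end

def issue_access_token(user_id, exp)
  head = b64(JSON.generate('alg' => 'HS256', 'typ' => 'JWT'))
  body = b64(JSON.generate('data' => { 'user_id' => user_id }, 'exp' => exp))
  "#{head}.#{body}.#{sign("#{head}.#{body}")}"
end

# Returns [payload, header] (the token[0][...] shape on the page) or nil.
def decode(jwt, now)
  head, body, sig = jwt.to_s.split('.')
  return nil unless sig && OpenSSL.secure_compare(sig, sign("#{head}.#{body}"))
  payload = JSON.parse(b64d(body))
  payload['exp'].to_i > now ? [payload, JSON.parse(b64d(head))] : nil
end

def authenticate_access_token(jwt, now: Time.now.to_i)
  token = decode(jwt, now) or return nil      # bad signature or expired
  user = USERS[token[0]['data']['user_id']] or return nil # user not found
  Session.new(user: user)                     # ephemeral: no session lookup
end
```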