waiting-for-dev / devise-jwt

JWT token authentication with devise and rails
MIT License

Why doesn't devise-jwt authenticate the user when cookies are disabled? #229

Closed cassiompf closed 3 years ago

cassiompf commented 3 years ago

When I try to authenticate the user in my api, and use Bearer token in another controller that needs authentication, it always returns a message that I'm not authenticated: "No verification key available". I use the following code to create a user session:

class Api::V1::Users::SessionsController < Devise::SessionsController
  before_action :configure_sign_in_params, only: [:create]

  # POST /resource/sign_in
  def create
    response_handler(Users::SessionService.call(session_params: session_params))
  end

  # POST /api/v1/users/discord (routed through devise_scope below)
  def discord
    response_handler(Users::DiscordAuthService.call(discord_params: discord_params))
  end

  # DELETE /resource/sign_out
  # def destroy
  #   super
  # end

  protected

  # If you have extra params to permit, append them to the sanitizer.
  def configure_sign_in_params
    devise_parameter_sanitizer.permit(:sign_in, keys: %i[email password])
  end

  # store: false signs the user in without writing a session cookie;
  # the client is expected to rely on the JWT returned in the response.
  def response_handler(response)
    if response.success?
      sign_in response.result, store: false
      render_success(response.result)
    else
      render_unprocessable_entity(response.error)
    end
  end

  def session_params
    params.require(:user).permit(:email, :password)
  end
end

And on my route that needs authentication I use:

before_action :authenticate_user!, only: %i[create destroy]

My routes.rb file:

Rails.application.routes.draw do
  devise_for :users, path: 'api/v1/users', defaults: { format: :json }, controllers: {
    sessions: 'api/v1/users/sessions',
    registrations: 'api/v1/users/registrations',
  }

  namespace :api do
    namespace :v1 do

      devise_scope :user do
        post 'users/discord', to: 'users/sessions#discord'
      end
    end
  end
end

Print of response trying to access an authenticated route:

[screenshot of the response omitted]

After leaving store: true the authentication token worked. Can anyone explain to me why this is? I thought it worked without the cookie.

I'm using the latest Rails (6.1.4.1), Ruby (3.0.1) and gem devise-jwt (0.8.1) versions.

cassiompf commented 3 years ago

I've already managed to resolve it. The problem was with the jwt configuration. I was doing something like this:

config.jwt do |jwt|
  # Looks up a top-level key; with the secret nested under the environment
  # this returns nil, so devise-jwt has no key to verify tokens with.
  jwt.secret = Rails.application.credentials[:devise_jwt_secret_key]
end

where actually, it was supposed to be like this:

config.jwt do |jwt|
  # The credentials file nests the secret per environment, so scope the
  # lookup by Rails.env before reading the key.
  jwt.secret = Rails.application.credentials[Rails.env.to_sym][:devise_jwt_secret_key]
end
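The two threads above share one root cause: a credentials lookup that silently returns nil, which then surfaces at request time as "No verification key available" rather than at boot. The following is an added example (not code from the issue or from devise-jwt) showing a secret-resolution helper that accepts both the flat and the per-environment credentials layout and fails at configuration time when the key is absent, plus a minimal stdlib HS256 signer/verifier that shows what a nil or wrong key does to verification. `fetch_jwt_secret`, `hs256_sign`, `hs256_verify` and the credentials hashes are assumed names and constructed data; a real app lets devise-jwt and the jwt gem handle signing.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Resolve the devise-jwt secret from a credentials hash shaped like
# Rails.application.credentials. Assumed helper, not part of devise-jwt:
# it accepts either a flat :devise_jwt_secret_key or the per-environment
# nesting from the issue (production: { devise_jwt_secret_key: ... }) and
# raises during configuration instead of leaving the secret nil.
def fetch_jwt_secret(credentials, env)
  scoped = credentials[env.to_sym]
  secret = scoped.is_a?(Hash) ? scoped[:devise_jwt_secret_key] : nil
  secret ||= credentials[:devise_jwt_secret_key]
  raise ArgumentError, "devise_jwt_secret_key not set for #{env}" if secret.nil? || secret.empty?
  secret
end

def b64url_encode(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

def b64url_decode(str)
  Base64.urlsafe_decode64(str)
end

# Minimal HS256 signer for the demonstration only.
def hs256_sign(payload, secret)
  header = b64url_encode(JSON.generate({ alg: 'HS256', typ: 'JWT' }))
  body = b64url_encode(JSON.generate(payload))
  signing_input = "#{header}.#{body}"
  signature = OpenSSL::HMAC.digest('SHA256', secret, signing_input)
  "#{signing_input}.#{b64url_encode(signature)}"
end

# Constant-time comparison so the signature check does not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Verify an HS256 token and return its payload, or nil if the signature
# does not match. A nil key is refused outright, mirroring the
# "No verification key available" failure from the issue; the alg check
# keeps a token from choosing a different algorithm than the server expects.
def hs256_verify(token, secret)
  raise ArgumentError, 'No verification key available' if secret.nil?
  header, body, signature = token.split('.')
  return nil unless header && body && signature
  return nil unless JSON.parse(b64url_decode(header))['alg'] == 'HS256'
  expected = OpenSSL::HMAC.digest('SHA256', secret, "#{header}.#{body}")
  return nil unless secure_equal?(expected, b64url_decode(signature))
  JSON.parse(b64url_decode(body))
end

if __FILE__ == $PROGRAM_NAME
  # Constructed credentials using the per-environment layout from the issue.
  credentials = { production: { devise_jwt_secret_key: 'constructed-secret' } }
  p credentials[:devise_jwt_secret_key]           # nil: the flat lookup from the first attempt
  secret = fetch_jwt_secret(credentials, 'production')
  token = hs256_sign({ 'sub' => 42 }, secret)
  p hs256_verify(token, secret)                   # {"sub"=>42}
  p hs256_verify(token, 'wrong-secret')           # nil
end
```

Calling `fetch_jwt_secret` from the devise initializer turns the silent nil into an exception at boot, which is where a missing signing key should be caught; the verifier shows that a nil key cannot validate anything and a wrong key simply rejects every token.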