waiting-for-dev / devise-jwt

JWT token authentication with devise and rails
MIT License
1.25k stars, 129 forks

How to Avoid Session storage caveat #244

Closed pribadi1st closed 2 years ago

pribadi1st commented 2 years ago

Hi, I want to ask how to avoid the session storage caveat. I'm building two different projects and I use Rails purely for API only (rails new new-project --api).

I tried following the disable session storage caveat section, but with no result.

Expected behavior

I want my Postman to return a 401 error when there is no Authorization header.

Actual behavior

I use Postman to test /current_user without an Authorization header; the result is 'success'.

waiting-for-dev commented 2 years ago

Hey! If you're using the --api flag, then your session is disabled, so you're not affected by the caveat.

If the token is not present, the JWT strategy will be skipped from the warden cascade. See https://github.com/waiting-for-dev/warden-jwt_auth/blob/09c78d747cab802180e4d93a14cc33cf313e27d0/lib/warden/jwt_auth/strategy.rb#L11 and also https://github.com/wardencommunity/warden/wiki/Strategies for details on how Warden works.

pribadi1st commented 2 years ago

Hi, I'm sorry if I ask too much; I'm still new to Rails. So, based on my understanding, if I want to check whether the header has Authorization or not, do I have to fiddle with Warden's strategies?

waiting-for-dev commented 2 years ago

Hey @pribadi1st, no worries about asking.

Why do you need to directly check whether the header is present? This should be done transparently by devise-jwt as part of its strategy for warden.
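Added example, not code from devise-jwt, warden-jwt_auth or this thread, modelling what the two replies above describe: a strategy that is only `valid?` when an Authorization header is present, run from a simplified `authenticate!` with no session strategy behind it, as under --api. The HS256 verifier, the SECRET value and the request hashes are constructed for the example and stand in for the real gems.

```ruby
require 'openssl'
require 'base64'
require 'json'

SECRET = 'constructed-example-secret' # constructed for the example, not a real key

# Constant-time byte comparison so the signature check does not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end
# Build a constructed HS256 token so the example has something to verify.
def issue_hs256(payload)
  enc = ->(obj) { Base64.urlsafe_encode64(JSON.generate(obj), padding: false) }
  signing_input = "#{enc.call({ 'alg' => 'HS256', 'typ' => 'JWT' })}.#{enc.call(payload)}"
  sig = OpenSSL::HMAC.digest('SHA256', SECRET, signing_input)
  "#{signing_input}.#{Base64.urlsafe_encode64(sig, padding: false)}"
end

# Minimal HS256 verifier: returns the payload hash, or nil on any defect.
def verify_hs256(token)
  parts = token.to_s.split('.')
  return nil unless parts.size == 3
  expected = OpenSSL::HMAC.digest('SHA256', SECRET, "#{parts[0]}.#{parts[1]}")
  return nil unless secure_equal?(Base64.urlsafe_decode64(parts[2]), expected)
  JSON.parse(Base64.urlsafe_decode64(parts[1]))
rescue ArgumentError, JSON::ParserError
  nil
end

# warden-jwt_auth style strategy: valid? gates whether it runs at all, so a request
# with no Authorization header skips it instead of failing it.
JwtStrategy = Struct.new(:env) do
  def valid?
    env.key?('HTTP_AUTHORIZATION')
  end

  def authenticate
    payload = verify_hs256(env['HTTP_AUTHORIZATION'].to_s.sub(/\ABearer /, ''))
    payload && payload['sub'] # authenticated subject, or nil on failure
  end
end

# The cascade: only valid? strategies run and the first success wins. Under --api
# there is no session strategy, so a request with no header runs nothing -> 401.
def authenticate!(env, strategies = [JwtStrategy])
  strategies.each do |klass|
    strategy = klass.new(env)
    next unless strategy.valid?
    user = strategy.authenticate
    return [200, user] if user
  end
  [401, nil]
end
```

The 401 here comes from `authenticate!` finding no strategy that succeeded, not from the strategy itself, which is why an app that never calls the Devise `authenticate_user!` helper on an action will see a missing header pass straight through.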

pribadi1st commented 2 years ago

Oh yes, it was part of my mistake; I will close this issue. Thank you for the reply.