current_user nil after authentication

[Amystherdam]

Expected behavior

That the current_user is filled with the logged in user

Actual behavior

When the user logs in and the request is going through one of Devise's default controllers, the current_user is populated, but when the user is already logged in, the current_user is lost and becomes null

Even in application_controller current_user is already null

Settings made

config/initializers/devise_jwt.rb

# https://github.com/waiting-for-dev/devise-jwt/pull/23
# https://github.com/plataformatec/devise/issues/4584

module Devise
  module JWT
    module WardenStrategy
      def authenticate!
        super
        env["devise.skip_trackable".freeze] = true if valid?
      end
    end
  end
end

Warden::JWTAuth::Strategy.prepend Devise::JWT::WardenStrategy

config/initializers/devise.rb

  config.jwt do |jwt|
    jwt.secret = "testtesttesttest"
    jwt.request_formats = { user: [:json] }
    jwt.expiration_time = 30.minutes.to_i
    jwt.dispatch_requests = [
      ['POST', %r{^/users/sign_in.json$}]
    ]
    jwt.revocation_requests = [
      ['DELETE', %r{^/users/sign_out.json$}]
    ]
  end

app/models/user.rb

class User < ApplicationRecord
  include Devise::JWT::RevocationStrategies::JTIMatcher

  devise :database_authenticatable, :registerable, :validatable,
         :jwt_authenticatable, jwt_revocation_strategy: self
end

JTI Migration

class AddJtiToUsers < ActiveRecord::Migration[7.0]
  def change
    add_column :users, :jti, :string, null: false
    add_index :users, :jti, unique: true
  end
end

Debugging information

Provide following information. Please, format pasted output as code. Feel free to remove the secret key value.

• Version of devise-jwt in use: 0.10.0
• Version of rails in use: 7.0.4
• Version of warden-jwt_auth in use: 0.7.0
• Output of Devise::JWT.config

  #<Dry::Configurable::Config values={
  :secret=>"lkjahdfklajshdfkasjldhfklasdhjf",
  :request_formats=>{:user=>[nil, :json]},
  :expiration_time=>1800,
  :dispatch_requests=>[["POST", /^\/users\/sign_in.json$/],["POST", /^\/users\/sign_in$/],["POST", /^\/users\/sign_in.json$/],["POST", /^\/users$/], ["POST", /^\/users.json$/]],
  :revocation_requests=>[["DELETE", /^\/users\/sign_out.json$/],["GET", /^\/users\/sign_out$/],["GET", /^\/users\/sign_out.json$/]],
  :decoding_secret=>"lkjahdfklajshdfkasjldhfklasdhjf",
  :algorithm=>"HS256",
  :aud_header=>"JWT_AUD"
  }>

• Output of Warden::JWTAuth.config

  #<Dry::Configurable::Config values={
  :secret=>"lkjahdfklajshdfkasjldhfklasdhjf",
  :expiration_time=>1800,
  :dispatch_requests=>[["POST", /^\/users\/sign_in.json$/],["POST", /^\/users\/sign_in$/],["POST", /^\/users\/sign_in.json$/],["POST", /^\/users$/],["POST", /^\/users.json$/]],
  :revocation_requests=>[["DELETE", /^\/users\/sign_out.json$/],["GET", /^\/users\/sign_out$/],["GET", /^\/users\/sign_out.json$/]],
  :aud_header=>"JWT_AUD",
  :mappings=>{:user=>User(id: integer, email: string, encrypted_password: string, reset_password_token: string, reset_password_sent_at: datetime, remember_created_at: datetime, created_at: datetime, updated_at: datetime, jti: string, name: string, social_id_number: string, phone: string)},
  :revocation_strategies=>{:user=>User(id: integer, email: string, encrypted_password: string, reset_password_token: string, reset_password_sent_at: datetime, remember_created_at: datetime, created_at: datetime, updated_at: datetime, jti: string, name: string, social_id_number: string, phone: string)},
  :algorithm=>"HS256",
  :decoding_secret=>"lkjahdfklajshdfkasjldhfklasdhjf"
  }>

• Output of Devise.mappings

  {:user=>
  #<Devise::Mapping:0x0000000109dfe648
  @class_name="User",
  @controllers={:sessions=>"devise/sessions", :registrations=>"devise/registrations"},
  @failure_app=Devise::FailureApp,
  @format=nil,
  @klass=#<Devise::Getter:0x0000000109dfe080 @name="User">,
  @modules=[:database_authenticatable, :registerable, :validatable, :jwt_authenticatable],
  @path="users",
  @path_names={:registration=>"", :new=>"new", :edit=>"edit", :sign_in=>"sign_in", :sign_out=>"sign_out", :sign_up=>"sign_up", :cancel=>"cancel"},
  @path_prefix=nil,
  @router_name=nil,
  @routes=[:session, :registration],
  @scoped_path="users",
  @sign_out_via=:get,
  @singular=:user,
  @used_helpers=[:session, :registration],
  @used_routes=[:session, :registration]>}

  Observation

  I'm not using rack-cors, the app is a monolith

[Amystherdam]

Putting this in application_controller or graphql_controller if using graphql should work, assuming your GraphqlApiService file or whatever frontend file is sending the bearer token in the header of each request

  def current_user
    return unless request.headers['Authorization'].present?
    token = request.headers['Authorization'].split(" ").last
    warden.authenticate!(auth_token: token)
  end