Closed jklimke closed 6 years ago
Hi @jklimke,
you are completely right in that the current workaround is quite weird and brittle, but I haven't come up with anything better to try to mitigate the effect of https://github.com/hassox/warden/pull/118#issuecomment-354564922, at least until a solution is in place from warden's end.
Would it be possible for you to add a text/javascript HTTP_ACCEPT header in your AJAX requests?
Hi @waiting-for-dev,
for internal use this might be possible, but it is something of a problem to have all users of a (semi) public API do that. At least it might make sense to add JSON (mime type "application/vnd.api+json") to the list of allowed accepted media types?
I have removed completely the interception of requests checking the Accept header, and instead I have chosen to make the caveat explicit to the user (https://github.com/waiting-for-dev/devise-jwt#session-storage-caveat). You are right that it was weird and also very brittle.
It is released in warden-jwt_auth 0.3.5 and devise-jwt 0.5.5.
Thanks a lot. I guess this is a good way to deal with it.
Marc Busqué notifications@github.com wrote on Tue, 30 Jan 2018, 14:26:
I have removed completely the interception of requests checking the Accept header, and instead I have chosen to make the caveat explicit to the user https://github.com/waiting-for-dev/devise-jwt#session-storage-caveat. You are right that it was weird and also very brittle.
It is released in warden-jwt_auth 0.3.5 and devise-jwt 0.5.5.
I just upgraded to v0.3.4 and noticed that I am logged out of my application by warden-jwt_auth once I visit a page that is using a JSON AJAX request.
We are using devise for normal user authentication and provide several APIs in the application (e.g., fetch JSON diagram data, CSV data, JSON API, Action Cable).
The automatic logout causes the user to be logged out of their normal (non JWT-based) session when a request is made that does not have text/html or text/javascript as HTTP_ACCEPT header (see env_helper.rb and line 46 of hooks.rb).
Since we are using the same model / scope to authenticate users via normal devise and JWT (user model), the jwt_scope evaluates to true and the helper method recognizes the AJAX JSON request as an API request. The HTTP_ACCEPT for the request is set to "*/*".
Is there anything wrong with our setup? It seems to me a little weird to recognize API requests using fixed accepted header values.
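To make the failure mode described in this issue concrete, here is an added stand-alone Ruby illustration (not warden-jwt_auth's own code): a classifier that, like the hook described above, treats any request whose Accept header does not name text/html or text/javascript as an API request and drops the non-JWT session. The constant, method names and sample Rack envs are constructed for this example.

```ruby
# Media types the hook treats as a browser (non-API) request.
# Assumption for this example, mirroring the values named in the issue.
BROWSER_ACCEPTS = ['text/html', 'text/javascript'].freeze

# Splits an Accept header into its media types, dropping q-parameters,
# e.g. "text/html, application/json;q=0.9" -> ["text/html", "application/json"].
def accepted_types(accept)
  accept.to_s.split(',')
        .map { |part| part.split(';').first.to_s.strip.downcase }
        .reject(&:empty?)
end

# True when none of the accepted media types is a browser type.
# Note that "*/*" (jQuery's default for many XHRs) does not match the
# literal strings even though it means "any type, including text/html".
def api_request?(env)
  (accepted_types(env['HTTP_ACCEPT']) & BROWSER_ACCEPTS).empty?
end

# Simulates the revoke-on-API-request behaviour: the session hash is
# emptied whenever the request is classified as an API call.
def session_after_request(env, session)
  api_request?(env) ? {} : session
end

# Constructed sample session and request environments.
SESSION = { 'warden.user.user.key' => [[1], 'constructed-salt'] }.freeze
REQUESTS = {
  'browser page' => { 'HTTP_ACCEPT' => 'text/html,application/xhtml+xml,*/*;q=0.8' },
  'jquery xhr'   => { 'HTTP_ACCEPT' => '*/*' },
  'json api'     => { 'HTTP_ACCEPT' => 'application/vnd.api+json' },
  'csv export'   => { 'HTTP_ACCEPT' => 'text/csv' },
}.freeze

if __FILE__ == $PROGRAM_NAME
  REQUESTS.each do |name, env|
    kept = !session_after_request(env, SESSION).empty?
    puts format('%-13s accept=%-42s api_request=%-5s session_kept=%s',
                name, env['HTTP_ACCEPT'], api_request?(env), kept)
  end
end
```

Only the full page load keeps the session; the XHR with `*/*`, the JSON API call and the CSV export are all classified as API requests, which is the logout the reporter observed.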