waiting-for-dev / warden-jwt_auth

JWT token authentication with warden
MIT License

User logout on ajax request #13

Closed jklimke closed 6 years ago

jklimke commented 6 years ago

I just upgraded to v0.3.4 and noticed that I am logged out of my application by warden-jwt_auth once I visit a page that makes a JSON ajax request.

We are using devise for a normal user authentication and provide several apis in the application (e.g., fetch json diagram data, csv data, json api, action cable).

The automatic logout causes the user to be logged out of their normal (non JWT-based) session when a request is made that does not have text/html or text/javascript as HTTP_ACCEPT header (see env_helper.rb).

line 46 of hooks.rb

return if !jwt_scope?(scope) || EnvHelper.no_api_request?(env)

Since we are using the same model / scope to authenticate users via normal devise and jwt (user model), jwt_scope? evaluates to true and the helper method recognizes the ajax json request as an API request. The HTTP_ACCEPT for the request is set to "*/*".

Is there anything wrong with our setup? It seems a little weird to me to recognize API requests using fixed accepted header values.
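To make the failure mode in this report concrete, here is an added, self-contained Ruby model of the Accept-header heuristic as the reporter describes it. It is not the code of warden-jwt_auth or of the reporter's application: the literal matching of media ranges, the session key name and the "clear the session user for this scope" hook body are assumptions made for illustration, and the request environments are constructed inline.

```ruby
require 'set'

# Media types the heuristic treats as "not an API request", as described for
# env_helper.rb in the report above.
NON_API_ACCEPTS = ['text/html', 'text/javascript'].freeze

# Assumption: the heuristic compares media ranges literally, so a wildcard such
# as "*/*" does NOT count as text/html, and neither does any JSON media type.
def no_api_request?(env)
  accept = env.fetch('HTTP_ACCEPT', '')
  accept.split(',')
        .map { |range| range.split(';').first.to_s.strip.downcase }
        .any? { |media| NON_API_ACCEPTS.include?(media) }
end

# Assumption: the same :user scope is used for both session and JWT auth,
# which is the reporter's setup.
JWT_SCOPES = Set[:user].freeze

def jwt_scope?(scope)
  JWT_SCOPES.include?(scope)
end

# Stand-in for the hook body quoted from hooks.rb line 46. It returns :skipped
# when the guard fires; otherwise it drops the session entry for the scope
# (the effect the reporter observes as a logout) and returns :session_cleared.
# The "warden.user.<scope>.key" name mirrors Warden's session serializer but is
# reproduced here as an assumption, not taken from the gem.
def after_set_user_hook(scope, env)
  return :skipped if !jwt_scope?(scope) || no_api_request?(env)
  env['rack.session'].delete("warden.user.#{scope}.key")
  :session_cleared
end

# Builds a constructed Rack-style env for a browser user who already has a
# session, runs the hook for the :user scope, and reports
# [hook_result, session_still_present?].
def simulate(accept_header)
  env = {
    'HTTP_ACCEPT'  => accept_header,
    'rack.session' => { 'warden.user.user.key' => [[42], nil] }
  }
  result = after_set_user_hook(:user, env)
  [result, env['rack.session'].key?('warden.user.user.key')]
end

if __FILE__ == $PROGRAM_NAME
  [
    'text/html,application/xhtml+xml',            # normal page load
    '*/*',                                        # the reporter's ajax request
    'application/vnd.api+json',                   # JSON API client
    'application/json, text/javascript, */*; q=0.01' # jQuery-style XHR
  ].each do |accept|
    result, kept = simulate(accept)
    puts format('%-50s -> %-16s session kept: %s', accept.inspect, result, kept)
  end
end
```

Running it shows the asymmetry the reporter hit: a page load keeps the session, while the same browser user's request with `Accept: */*` or a JSON media type clears it. Only requests that happen to advertise text/html or text/javascript are spared, which is why the heuristic is brittle for a semi-public API whose clients you do not control.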

waiting-for-dev commented 6 years ago

Hi @jklimke ,

you are completely right in that the current workaround is quite weird and brittle, but I haven't come with anything better to try to mitigate the effect of https://github.com/hassox/warden/pull/118#issuecomment-354564922 at least until a solution is in place from warden end.

Would it be possible for you to add a text/javascript HTTP_ACCEPT header in your AJAX requests?

jklimke commented 6 years ago

hi @waiting-for-dev

for internal use this might be possible, but it is somewhat of a problem to have all users of a (semi) public API do that. At least it might make sense to add JSON (mime type "application/vnd.api+json") to the list of allowed accepted media types?

waiting-for-dev commented 6 years ago

I have completely removed the interception of requests checking the Accept header, and instead I have chosen to make the caveat explicit to the user. You are right that it was weird and also very brittle.

It is released in warden-jwt_auth 0.3.5 and devise-jwt 0.5.5.

jklimke commented 6 years ago

Thanks a lot. I guess this is a good way to deal with it.

Marc Busqué notifications@github.com wrote on Tue., 30 Jan. 2018, 14:26:

I have completely removed the interception of requests checking the Accept header, and instead I have chosen to make the caveat explicit to the user https://github.com/waiting-for-dev/devise-jwt#session-storage-caveat. You are right that it was weird and also very brittle.

It is released in warden-jwt_auth 0.3.5 and devise-jwt 0.5.5.