
Comments (10)

gonzalo-bulnes avatar gonzalo-bulnes commented on May 26, 2024

Hi @shedd

About the question on SO that you referred to:

I had no SO account and I'm not authorized by SO to comment just after registering, but I wonder: isn't ukson forgetting to provide the user_email param? Token authentication can't be performed with only the auth_token. (In fact, the point of José Valim's gist is to explain how to perform that e-mail cross-checking when implementing token authentication.)

Your setup is more complex, and I'll take a closer look at it as soon as I can. If you can, try speaking with ukson!

from simple_token_authentication.

shedd avatar shedd commented on May 26, 2024

@gonzalo-bulnes nice spot! Yep, I think you're right about the SO question. I replied giving your tip: http://stackoverflow.com/questions/24092791/ruby-on-rails-curl-delete-token-authentication/24394116#24394116

Let me know if you have any thoughts on what my issue is. I am passing the email and the token and it works everywhere else, just not Session#destroy

Thanks in advance!


shedd avatar shedd commented on May 26, 2024

Hey @gonzalo-bulnes - any thoughts on why this isn't working? Thanks so much!


gonzalo-bulnes avatar gonzalo-bulnes commented on May 26, 2024

Hi @shedd, I'm sorry I haven't looked at your issue properly. I'll do my best to do it tomorrow morning. Thanks for your patience!


shedd avatar shedd commented on May 26, 2024

@gonzalo-bulnes sorry to pull this back up again, but we're still having issues with this. Just wondering if you have any ideas?


gonzalo-bulnes avatar gonzalo-bulnes commented on May 26, 2024

Sorry @shedd, I kind of forgot your issue : /

One question: why do you add the authenticate_entity_from_token! filter? Simple Token Authentication adds authenticate_user_from_token (no bang ! because the fallback is disabled) in your case.

See https://github.com/gonzalo-bulnes/simple_token_authentication/blob/v1.6.0/lib/simple_token_authentication/token_authentication_handler.rb#L118-L125


gonzalo-bulnes avatar gonzalo-bulnes commented on May 26, 2024

The namespace could have introduced unexpected behaviour, but since you mention that token authentication is behaving well otherwise, I guess the devise_for path: users option handles it properly.


shedd avatar shedd commented on May 26, 2024

@gonzalo-bulnes hey, thanks for the response!

It looks like I had made some changes since I originally posted this in June.

My API controller now only has:

  acts_as_token_authentication_handler_for User, fallback_to_devise: false
  before_action :authenticate_user!
  skip_filter :authenticate_user!, only: [:connection_test]

And I'm doing this filtering in the Sessions controller:

  prepend_before_filter :require_no_authentication, only: [:create]
  skip_filter :authenticate_entity_from_token!, only: [:create]
  skip_filter :authenticate_user!, only: [:create]
  before_action :ensure_params_exist
  skip_before_action :verify_authenticity_token

I've updated the sample code above.

So I think the confusion about the authenticate_entity_from_token! call should be resolved.

Still getting 401s from my tests, though.

And yes, the namespacing seems to be working fine.


shedd avatar shedd commented on May 26, 2024

Ok, I figured out what I was missing.

The sample code that I based this login/logout controller on had this class definition:

class Api::V1::SessionsController < Devise::RegistrationsController

When I was going through this again, I thought that seemed a bit off - using the Registrations controller for login and logout? Amazingly, this actually worked, though - for login anyway.

Looking at the Devise code, I decided to try this:

class Api::V1::SessionsController < Devise::SessionsController

As long as I did a skip_filter :verify_signed_out_user, only: [:destroy] this kind of worked. It no longer threw a 401 error.

But there was still no current_user in the scope of the destroy method.

Then it struck me - it should be class Api::V1::SessionsController < Api::V1::ApiController - inherit from the API controller, where the acts_as_token_authentication_handler_for is setup. No wonder it wasn't authenticated.

Changing that fixed the problem.

Now I have:

class Api::V1::SessionsController < Api::V1::ApiController
  skip_filter :authenticate_entity_from_token!, only: [:create]
  skip_filter :authenticate_user!, only: [:create]
  skip_before_action :verify_authenticity_token

  def create
    # remove the build_resource call here from my earlier example
    ...
  end

  def destroy
    sign_out(current_user)
    head :no_content
  end
end

Sorry, this was my mistake. Thanks for the help!


gonzalo-bulnes avatar gonzalo-bulnes commented on May 26, 2024

Nice, I'm glad the discussion gave you an occasion to take a different look at the code. Thanks for the details about your setup too! I'm planning to document some interesting use cases, and your experience is very helpful.

Regards!

