Add a Warden strategy to Devise to support JWT authentication with your Rails app
You can log in the user with Warden and not set cookies by adding `store: false` to what we used in the episode to log in the user:

```ruby
sign_in(user, store: false)
```
Love this series. I've implemented this devise/warden strategy in my own project. One correction: Because the `before_action` in the ApiController is changed from `:authenticate_token!` to `:authenticate_user!`, the `skip_before_action` in the AuthenticationController must also change to `authenticate_user!`, otherwise devise will reply with "You must sign in or sign up before continuing."
Keep the great material coming, Chris.
One more thought: As you pointed out, many websites will want to accept both JWT requests and non-JWT requests via the same API. By adding `skip_before_action :verify_authenticity_token` without disabling non-JWT requests, don't we open a hole to CSRF attack from non-JWT requests?
Here's a possible solution; would love to have your thoughts.
In the API controller:

```ruby
skip_before_action :verify_authenticity_token, if: :json_web_token_present?
```

In the User model:

```ruby
class User < ActiveRecord::Base
  # Per-request flag, not a database column: the JWT strategy sets it so the
  # controller can tell how this user was authenticated.
  attr_accessor :has_json_web_token
end
```

In the strategy:

```ruby
user = User.find(payload["sub"])
user.has_json_web_token = true
```
Yeah that's correct, if you're doing both you'll want to make sure any forms submitted verify authenticity token and the JWT token is the only one that should skip that. 👍
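The conditional CSRF skip discussed in this thread, as an added example that is not code from the episode or from the commenters: a plain-Ruby model (standard library only, no Rails, Devise or Warden) of a `json_web_token_present?` check and the CSRF decision it gates. The HS256 verifier, `HMAC_SECRET`, `bearer_token`, `csrf_check_passes?`, the secret and the header/token values are all constructed for this example and are not part of the episode's code.

```ruby
require "openssl"
require "base64"
require "json"

# Constructed secret for the example; a real app reads it from credentials.
HMAC_SECRET = "constructed-example-secret".freeze

def base64url_encode(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

def base64url_decode(str)
  Base64.urlsafe_decode64(str) # raises ArgumentError on malformed input
end

# Constant-time byte comparison so signature and CSRF checks do not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Mint an HS256 JWT; only here so the example has a valid token to check.
def issue_jwt(sub, exp:, secret: HMAC_SECRET)
  header  = base64url_encode(JSON.generate({ alg: "HS256", typ: "JWT" }))
  payload = base64url_encode(JSON.generate({ sub: sub, exp: exp }))
  signing_input = "#{header}.#{payload}"
  signature = OpenSSL::HMAC.digest("SHA256", secret, signing_input)
  "#{signing_input}.#{base64url_encode(signature)}"
end

# Verify a token and return its payload hash, or nil. Rejects any alg other
# than HS256 (so "none" is never accepted), bad signatures and expired tokens.
def decode_jwt(token, secret: HMAC_SECRET, now: Time.now.to_i)
  parts = token.to_s.split(".")
  return nil unless parts.length == 3
  header = JSON.parse(base64url_decode(parts[0]))
  return nil unless header.is_a?(Hash) && header["alg"] == "HS256"
  expected = OpenSSL::HMAC.digest("SHA256", secret, "#{parts[0]}.#{parts[1]}")
  return nil unless secure_equal?(expected, base64url_decode(parts[2]))
  payload = JSON.parse(base64url_decode(parts[1]))
  return nil unless payload.is_a?(Hash)
  return nil if payload["exp"].is_a?(Integer) && payload["exp"] <= now
  payload
rescue ArgumentError, JSON::ParserError
  nil
end

# Pull the bearer token out of the Authorization header, or nil if absent.
def bearer_token(headers)
  value = headers.fetch("Authorization", "")
  value.start_with?("Bearer ") ? value.delete_prefix("Bearer ") : nil
end

# The thread's json_web_token_present?: true only when a token is present AND
# verifies. Counting any request with an Authorization header, or any request
# to the API namespace, would reopen the CSRF hole the comment describes.
def json_web_token_present?(headers, now: Time.now.to_i)
  token = bearer_token(headers)
  !token.nil? && !decode_jwt(token, now: now).nil?
end

# Mirror of `skip_before_action :verify_authenticity_token, if: :json_web_token_present?`:
# JWT requests skip the check (a cross-site form cannot attach that header),
# everything else must present a CSRF token matching the one in the session.
def csrf_check_passes?(headers, form_token:, session_token:, now: Time.now.to_i)
  return true if json_web_token_present?(headers, now: now)
  !form_token.nil? && secure_equal?(form_token.to_s, session_token.to_s)
end

if __FILE__ == $PROGRAM_NAME
  now = 1_700_000_000
  token = issue_jwt("42", exp: now + 3600)
  jwt_request    = { "Authorization" => "Bearer #{token}" } # constructed request headers
  cookie_request = {}
  puts "JWT request, no CSRF token:     #{csrf_check_passes?(jwt_request, form_token: nil, session_token: 's3cr3t', now: now)}"
  puts "cookie request, no CSRF token:  #{csrf_check_passes?(cookie_request, form_token: nil, session_token: 's3cr3t', now: now)}"
  puts "cookie request, matching token: #{csrf_check_passes?(cookie_request, form_token: 's3cr3t', session_token: 's3cr3t', now: now)}"
end
```

The point the last exchange makes is carried by `json_web_token_present?` returning true only for a token that actually verifies: a request that merely omits the JWT, or sends a forged or expired one, falls through to the normal authenticity-token check instead of being waved past it.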