Add a Warden strategy to Devise to support JWT authentication with your Rails app
You can log in the user with Warden and not set cookies by adding `store: false` to what we used in the episode to log in the user:

```ruby
sign_in(user, store: false)
```
Love this series. I've implemented this devise/warden strategy in my own project. One correction: Because the `before_action` in the ApiController is changed from `:authenticate_token!` to `:authenticate_user!`, the `skip_before_action` in the AuthenticationController must also change to `authenticate_user!`, otherwise devise will reply with "You must sign in or sign up before continuing."
Keep the great material coming, Chris.
One more thought: As you pointed out, many websites will want to accept both JWT requests and non-JWT requests via the same API. By adding `skip_before_action :verify_authenticity_token` without disabling non-JWT requests, don't we open a hole to CSRF attack from non-JWT requests?
Here's a possible solution; would love to have your thoughts.
In the API controller:

```ruby
skip_before_action :verify_authenticity_token, if: :json_web_token_present?

private

# True only when the Warden strategy authenticated this request from a JWT
def json_web_token_present?
  current_user.present? && current_user.has_json_web_token
end
```

In the User model:

```ruby
class User < ActiveRecord::Base
  # Per-request flag set by the JWT strategy; not persisted
  attr_accessor :has_json_web_token
end
```

In the strategy:

```ruby
user = User.find(payload["sub"])
user.has_json_web_token = true
```
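The approach in the comment above, worked through end to end as an added example that is not part of the episode or of the commenter's code. Everything here is a stand-in so it runs without Rails, Devise or Warden installed: `MiniJwt` is a hypothetical stdlib-only HS256 helper in place of the jwt gem, `JsonWebTokenStrategy` copies the shape of a `Warden::Strategies::Base` subclass (`valid?`, `authenticate!`), `ApiRequest` plays the role of the ApiController's before-action chain, and the users and secret are constructed sample data. The point it demonstrates is that the CSRF skip is tied to a token that actually verified, and that a request carrying a bad token fails rather than quietly falling back to the cookie session.

```ruby
require 'openssl'
require 'json'

# Minimal HS256 JWT helper on the standard library: a hypothetical stand-in for
# the jwt gem so this file runs without Rails, Devise or Warden installed.
module MiniJwt
  def self.b64(bytes)
    [bytes].pack('m0').tr('+/', '-_').delete('=')
  end

  def self.unb64(str)
    padded = str.tr('-_', '+/')
    (padded + '=' * ((4 - padded.length % 4) % 4)).unpack1('m0')
  end

  def self.encode(payload, secret)
    input = "#{b64({ alg: 'HS256', typ: 'JWT' }.to_json)}.#{b64(payload.to_json)}"
    "#{input}.#{b64(OpenSSL::HMAC.digest('SHA256', secret, input))}"
  end

  # Payload hash, or nil when the signature or expiry check fails. HS256 is
  # enforced whatever the token header claims; the compare is constant-time.
  def self.decode(token, secret, now: Time.now.to_i)
    header, body, sig = token.to_s.split('.')
    return nil unless header && body && sig
    expected = b64(OpenSSL::HMAC.digest('SHA256', secret, "#{header}.#{body}"))
    return nil unless expected.bytesize == sig.bytesize &&
                      expected.bytes.zip(sig.bytes).sum { |x, y| x ^ y }.zero?
    payload = JSON.parse(unb64(body))
    return nil if payload['exp'] && payload['exp'].to_i <= now
    payload
  rescue JSON::ParserError, ArgumentError, TypeError # malformed base64/JSON, non-object payload
    nil
  end
end

# Stand-in for the ActiveRecord User; has_json_web_token is the per-request flag.
User = Struct.new(:id, :email) do
  attr_accessor :has_json_web_token
end

# Constructed sample records; a fresh instance per lookup mimics ActiveRecord.
USER_RECORDS = { 1 => 'alice@example.com', 2 => 'bob@example.com' }.freeze
def find_user(id)
  USER_RECORDS[id] && User.new(id, USER_RECORDS[id])
end

# Same shape as a Warden::Strategies::Base subclass (valid?, authenticate!)
# without loading Warden; hypothetical class name.
class JsonWebTokenStrategy
  attr_reader :user

  def initialize(headers, secret)
    @headers, @secret = headers, secret
  end

  def bearer_token
    auth = @headers['Authorization'].to_s
    auth.start_with?('Bearer ') ? auth.delete_prefix('Bearer ') : nil
  end

  # Warden only calls authenticate! when valid? is true; other requests go to the session strategy.
  def valid?
    !bearer_token.nil?
  end

  def authenticate!
    payload = MiniJwt.decode(bearer_token, @secret)
    user = payload && find_user(payload['sub'])   # nil on bad signature, expiry or unknown subject
    user&.has_json_web_token = true               # the flag the controller's CSRF check reads
    @user = user
  end
end

# Per-request view of the commenter's ApiController with
# `skip_before_action :verify_authenticity_token, if: :json_web_token_present?`.
class ApiRequest
  attr_reader :current_user

  def initialize(headers:, secret:, session_user_id: nil)
    strategy = JsonWebTokenStrategy.new(headers, secret)
    if strategy.valid?
      strategy.authenticate!                      # a bad token never falls back to the cookie
      @current_user = strategy.user
    elsif session_user_id
      @current_user = find_user(session_user_id)  # cookie session: no JWT flag set
    end
  end

  def json_web_token_present?
    current_user&.has_json_web_token ? true : false
  end

  # Rails' forgery check stays on for every request without a valid JWT.
  def verify_authenticity_token?
    !json_web_token_present?
  end
end
```

A request with a valid bearer token comes back with `json_web_token_present?` true and the forgery check off; a cookie-only request keeps the check on; a request with a tampered or expired token ends with no current user and the check still on. The flag lives on the model instance, which is why it has to be a plain `attr_accessor` rather than a column: it is meaningful for one request only.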