Love this series. I've implemented this devise/warden strategy in my own project. One correction: Because the `before_action` in the ApiController is changed from `:authenticate_token!` to `:authenticate_user!`, the `skip_before_action` in the AuthenticationController must also change to `authenticate_user!`, otherwise devise will reply with "You must sign in or sign up before continuing."
Keep the great material coming, Chris.
One more thought: As you pointed out, many websites will want to accept both JWT requests and non-JWT requests via the same API. By adding `skip_before_action :verify_authenticity_token` without disabling non-JWT requests, don't we open a hole to CSRF attack from non-JWT requests?
Here's a possible solution; would love to have your thoughts.
In the API controller:

```ruby
skip_before_action :verify_authenticity_token, if: :json_web_token_present?
```

In the User model:

```ruby
class User < ActiveRecord::Base
  # Transient, per-request flag set by the JWT strategy; not persisted.
  attr_accessor :has_json_web_token
end
```

In the strategy:

```ruby
user = User.find(payload["sub"])
user.has_json_web_token = true
```
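Added example (not the episode's code and not the commenter's): a plain-Ruby, standard-library-only sketch of the decision behind `skip_before_action :verify_authenticity_token, if: :json_web_token_present?`. The point it makes is that "present" should mean "verifies": the CSRF check is skipped only for a request whose bearer token actually validates, so a cookie-authenticated request to the same API keeps CSRF protection. The HS256 verification, the secret, the `exp` claim and all helper names are assumptions made for this example.

```ruby
require "openssl"
require "base64"
require "json"

# Added example: plain Ruby, no Rails, Devise or Warden. The secret, claim
# names and helper names are assumptions made for this illustration.
SECRET = "example-secret-do-not-use-in-production".freeze

def b64url_encode(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

def b64url_decode(str)
  Base64.urlsafe_decode64(str) # accepts unpadded input (Ruby >= 2.3)
end

# Constant-time comparison so the signature check does not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Issues an HS256 token; used here only to build realistic (constructed) input.
def issue_token(sub:, exp:)
  header  = b64url_encode(JSON.generate({ alg: "HS256", typ: "JWT" }))
  payload = b64url_encode(JSON.generate({ sub: sub, exp: exp }))
  signing_input = "#{header}.#{payload}"
  sig = OpenSSL::HMAC.digest("SHA256", SECRET, signing_input)
  "#{signing_input}.#{b64url_encode(sig)}"
end

# Returns the payload Hash for a valid, unexpired token, nil otherwise.
def verify_token(token, now: Time.now.to_i)
  header_b64, payload_b64, sig_b64 = token.to_s.split(".", 3)
  return nil if sig_b64.nil? || sig_b64.empty?
  header = JSON.parse(b64url_decode(header_b64))
  # Pin the algorithm: a header claiming "none" or another alg is rejected.
  return nil unless header.is_a?(Hash) && header["alg"] == "HS256"
  expected = OpenSSL::HMAC.digest("SHA256", SECRET, "#{header_b64}.#{payload_b64}")
  return nil unless secure_equal?(b64url_decode(sig_b64), expected)
  payload = JSON.parse(b64url_decode(payload_b64))
  return nil unless payload.is_a?(Hash) && payload["exp"].is_a?(Integer) && payload["exp"] > now
  payload
rescue ArgumentError, TypeError, EncodingError, JSON::ParserError
  nil
end

# Extracts the bearer token from an Authorization header, if any.
def json_web_token_from(headers)
  auth = headers["Authorization"].to_s
  return nil unless auth.start_with?("Bearer ")
  auth.delete_prefix("Bearer ")
end

# The `if:` condition for skipping verify_authenticity_token: CSRF verification
# is skipped only when the request carries a token that verifies, never merely
# because an Authorization header is present. Requests without a token fall
# back to the session cookie and keep CSRF protection.
def skip_csrf_check?(headers, now: Time.now.to_i)
  token = json_web_token_from(headers)
  !token.nil? && !verify_token(token, now: now).nil?
end
```

In a real controller the `if:` method would call the strategy's verification rather than re-implementing it, and the strategy, not the CSRF filter, is the place that sets a flag such as `has_json_web_token`; the shape of the check is the same either way.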
I'm struggling to figure out where to put `sign_in(user, store: false)` to prevent the Rails server from setting the cookies. It says to put it where we "log in the user" but to my understanding, that was handled by the
Could someone please provide a little more direction on how to prevent that cookie from being set?
On a similar note, is there a way to not make it update the
Thanks for the quick response! That's what I thought initially as well, but I'm getting an undefined method error for `sign_in`. I tried including the `Devise::Controllers::SignInOut` module, which is where this method is held, but then I get a Warden error.