
JSON Web Tokens with Devise & Warden Discussion

General • Asked by Chris Oliver

Love this series. I've implemented this devise/warden strategy in my own project. One correction: Because the `before_action` in the ApiController is changed from `:authenticate_token!` to `:authenticate_user!`, the `skip_before_action` in the AuthenticationController must also change to `authenticate_user!`, otherwise devise will reply with "You must sign in or sign up before continuing."

Keep the great material coming, Chris.



One more thought: As you pointed out, many websites will want to accept both JWT requests and non-JWT requests via the same API. By adding `skip_before_action :verify_authenticity_token` without disabling non-JWT requests, don't we open a hole to CSRF attack from non-JWT requests?

Here's a possible solution; would love to have your thoughts.

In the API controller:

  skip_before_action :verify_authenticity_token, if: :json_web_token_present?

  def json_web_token_present?
    # current_user is nil for unauthenticated requests, so guard the call
    current_user.present? && current_user.has_json_web_token
  end

In the User model:

  class User < ActiveRecord::Base
    # Per-request flag set by the JWT strategy; not persisted
    attr_accessor :has_json_web_token
  end

In the strategy:

  def authenticate!
    ...
    user = User.find(payload["sub"])
    user.has_json_web_token = true
    success! user
    ...
  end


Yeah that's correct, if you're doing both you'll want to make sure any forms submitted verify authenticity token and the JWT token is the only one that should skip that. 👍



Just thought I'd share these two blog posts I found pretty useful when I looked for more detail on web tokens vs. cookies:

https://auth0.com/blog/angu...
https://auth0.com/blog/ten-...



Hello,

You can create an episode with the same typology using a project of this type:

rails new weather --api

thank you

Regards



Hello

I have a token problem ("Invalid auth token" when inserting a record) if I use the 'jwt', '~> 2.0' gem.

Chris could you help me with this?

Thank you

Antonio.



For authentication_controller, skip_before_action :authenticate_token! should be changed to skip_before_action :authenticate_user! because ApiController has changed.


This is something small, but I wanted to just verify that I have the right idea.
Correct me if I am wrong, but since you added the "authenticate_user!" before action back to your ApiController, and since your AuthenticationController inherits from your ApiController, doesn't that mean that in order to use the AuthenticationController the user will already have to be logged in?
This is not the desired behavior, right?
Inside your AuthenticationController, I would imagine that you would either need to skip the "authenticate_user!" before action OR change it so it inherits from ApplicationController and not ApiController, so no user authentication is required.
Or am I missing anything here?


I keep running into this error:

2.5.1 :004 > JsonWebToken.encode({sub: 1})
Traceback (most recent call last):
 2: from (irb):4
 1: from app/models/json_web_token.rb:4:in `encode'
TypeError (no implicit conversion of nil into String)

Any ideas on how I can debug this?
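The following Ruby example is added here and is not code from the GoRails episode or from any commenter. It covers two things raised in this thread: the CSRF question about skipping `verify_authenticity_token` only for JWT-authenticated requests, and the `TypeError (no implicit conversion of nil into String)` in the irb trace above, which is the error `OpenSSL::HMAC.digest` raises when the signing key it is handed is nil (a nil `secret_key_base` or credentials value is one common cause). The `JsonWebToken` module here is a stand-alone stand-in for the episode's class built only on Ruby's standard library, and `Request`, `USERS`, `authenticate` and `skip_csrf_check?` are constructed stand-ins for the Rack request, `User.find`, the Warden strategy and the controller predicate.

```ruby
require 'openssl'
require 'json'

# Minimal HS256 JWT helper (added example; not the episode's JsonWebToken class).
module JsonWebToken
  class Error < StandardError; end

  # Base64url without padding (RFC 7515); built on String#pack to stay on stdlib.
  def self.b64url(bytes)
    [bytes].pack('m0').tr('+/', '-_').delete('=')
  end

  def self.unb64url(str)
    padded = str.tr('-_', '+/')
    padded += '=' * ((4 - padded.length % 4) % 4)
    padded.unpack1('m0')
  end

  # Fails fast on a nil secret: OpenSSL::HMAC would otherwise raise the opaque
  # "TypeError: no implicit conversion of nil into String".
  def self.encode(payload, secret, exp: Time.now.to_i + 24 * 60 * 60)
    raise Error, 'signing secret is nil (is secret_key_base configured?)' if secret.nil?
    header = { alg: 'HS256', typ: 'JWT' }
    claims = payload.merge(exp: exp)
    signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(claims))}"
    "#{signing_input}.#{b64url(OpenSSL::HMAC.digest('SHA256', secret, signing_input))}"
  end

  def self.decode(token, secret, now: Time.now.to_i)
    raise Error, 'verification secret is nil' if secret.nil?
    h, p, s = token.to_s.split('.', 3)
    raise Error, 'malformed token' unless h && p && s
    header = JSON.parse(unb64url(h))
    # Pin the algorithm server-side rather than trusting the token's "alg" field
    raise Error, 'unexpected alg' unless header.is_a?(Hash) && header['alg'] == 'HS256'
    expected = b64url(OpenSSL::HMAC.digest('SHA256', secret, "#{h}.#{p}"))
    raise Error, 'bad signature' unless constant_time_equal?(expected, s)
    claims = JSON.parse(unb64url(p))
    raise Error, 'malformed token' unless claims.is_a?(Hash)
    raise Error, 'token expired' if claims['exp'].is_a?(Integer) && claims['exp'] < now
    claims
  rescue JSON::ParserError, ArgumentError, EncodingError
    raise Error, 'malformed token'
  end

  def self.constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed stand-ins for the Rails pieces: a request and User.find.
Request = Struct.new(:headers, :session_user, keyword_init: true)
USERS = { 1 => 'alice' }.freeze

# Stand-in for the Warden strategy: a valid bearer token authenticates the user and
# records *how* the request was authenticated, which is what the CSRF decision needs.
def authenticate(request, secret)
  auth = request.headers.fetch('Authorization', '')
  if auth.start_with?('Bearer ')
    claims = JsonWebToken.decode(auth.delete_prefix('Bearer '), secret)
    name = USERS[claims['sub']]
    raise JsonWebToken::Error, 'unknown subject' unless name
    return { user: name, via: :jwt }
  end
  # No bearer token: fall back to the cookie session Devise already maintains
  request.session_user ? { user: request.session_user, via: :session } : nil
end

# Browsers attach cookies to cross-site requests automatically but never an
# Authorization header, so only token-authenticated requests may skip the CSRF check.
def skip_csrf_check?(auth_result)
  !auth_result.nil? && auth_result[:via] == :jwt
end

if __FILE__ == $PROGRAM_NAME
  secret = 'dev-only-secret' # constructed; a real app reads this from credentials
  token = JsonWebToken.encode({ sub: 1 }, secret)
  api  = Request.new(headers: { 'Authorization' => "Bearer #{token}" }, session_user: nil)
  form = Request.new(headers: {}, session_user: 'alice')
  puts "API request skips CSRF:  #{skip_csrf_check?(authenticate(api, secret))}"  # true
  puts "Form request skips CSRF: #{skip_csrf_check?(authenticate(form, secret))}" # false
end
```

The decision here is keyed on how the current request authenticated rather than on a flag stored on the user object, which is the same condition the `has_json_web_token` approach above expresses; the per-request form avoids the case where `current_user` is nil. Two details matter for defenders: the algorithm is pinned to HS256 on the server instead of being read from the token header, and the signature comparison is constant-time.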



I'm struggling to figure out where to put sign_in(user, store: false) to prevent the rails server from setting the cookies. It says to put it where we "log in the user" but to my understanding, that was handled by the success! method.

Could someone please provide a little more direction on how to prevent that cookie from being set?

On a similar note, is there a way to not make it update the current_sign_in_at, last_sign_in_at and sign_in_count values?

Thanks! :)


If I remember right, you call sign_in instead of success!.


Thanks for the quick response! That's what I thought initially as well, but I'm getting an undefined method error for sign_in. I tried including the Devise::Controllers::SignInOut module, which is where this method is held, but then I get a warden error.

