-
Notifications
You must be signed in to change notification settings - Fork 5.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
sign_in IntegrationHelper produces errors when trying to load a session #4696
Comments
Hello @RocketPuppy, thanks for your report. Thank you! |
@RocketPuppy did you end up figuring out what this was? I backtracked through the code and realised that this is happening since
this actually doesn't happen in normal Rails mode... |
I did not. I hacked my way around it by writing a test helper that intercepts the rails API requests. |
@RocketPuppy I seem to have found the reason why this to be happening. Apparently, in rails-api mode, the Due to this, those middlewares are included after Warden::Manager which messes up something in request specs... Therefore, this solved it:
Hope it helps |
Yeah, warden needs to run after a session middleware in order to work - which I guess it doesn't make much sense in an API application since they usually don't keep a session. |
I recently chased my tail for a while trying to figure this out. I am using Devise with Rails in api mode. In my case, the API is powering a public single page app, so I'm using a standard session authentication instead of tokens. I wonder if the gem could somehow incorporate the fix above so that it works smoothly in API mode. Or if that's undesirable, how would you feel about a PR to mention this "gotcha" in the README? |
I'm not sure if Devise as an engine should assume an application's middleware chain structure in order to achieve this. Of course, we can know for how a stock Rails application looks like, but we can't know how other applications look like - i.e. they will have custom middlewares many times. |
That makes complete sense to me. Shall I open that PR?
…On Wed, Mar 13, 2019 at 6:18 AM Leonardo Tegon ***@***.***> wrote:
I'm not sure if Devise as an engine should assume an application's
middleware chain structure in order to achieve this. Of course, we can know
for how a stock Rails application looks like, but we can't know how other
applications look like - i.e. they will have custom middlewares many times.
About adding this in the README, I think it's great. I'm thinking in a new
section that includes instructions or limitations on API mode so that we
can later add other known ones. WDYT?
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#4696 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ABpei8yrdSYM5e9j1Rg2Uycgob0uixCAks5vWPqfgaJpZM4QVEMg>
.
|
Yeah, that would be great! Thanks! |
I found an entry in the Devise README which gave notice of exactly this error happening when the Warden middleware is initialized before the session middleware. The solution was to explicitly define the proper order in the test environment. See https://github.com/heartcombo/devise#testing and heartcombo/devise#4696.
Rails 5 API mode, devise cookie auth works just fine in the actual application, meaning all middleware and initializers are set up properly.
I have an ApiController that looks like this:
And all my controllers inherit from it. I have multiple user scopes. The integration test helpers are set up according to the documentation:
In a test:
In the response body I get this error message, implying things are failing even before they get to my controllers.
I did some inspection of some of that code and there are a few things that seemed out of place to me.
If I break here I see that
session_was
is set, and it is attempted tomerge!
into the newsession
. This is whereload!
is eventually called on the new session. As an experiment I tried forcingsession_was
tonil
. This caused the test to succeed! I imagine because it didn't try to merge in the old session, but was the old session even necessary?The newly created session in point 1 fails at
load!
because it doesn't have arack.session.options
header. I'm not sure why this is, but it is added in theOptions.set
line.If I remove the
sign_in
call in the test, I get to my controller code successfully.On the whole this feels like some sort of user error on my part, but I can't seem to figure out just what the problem might be.
The text was updated successfully, but these errors were encountered: