
Context:

I'm using Devise for authentication. I am trying to test the behavior when a user has multiple windows open after they sign in, then they log out of one window but try to make a change on another that requires authentication. When they submit the form, it should not POST/PUT/DELETE whatever, and should instead redirect to the sign in page with a message that they need to be signed in. Per this other SO question I posted: Catch 401 error in Rails with Devise when user has multiple windows open, I've learned that Devise's helper method: before_action :authenticate_user! will handle that redirect on my behalf. Which is great!

So I have the following controllers:

class StaticpagesController < ApplicationController
  prepend_before_action :authenticate_user!, only: [:dashboard]

  def dashboard
  end
end

class PlansController < ApplicationController
  prepend_before_action :authenticate_user!

  def create
  end

  def update
  end

  def destroy
  end
  # ...
end

I can confirm, using this in the console and local server, that authenticate_user! is in fact the first filter in both controllers:

puts self._process_action_callbacks.select { |c| c.kind == :before }.map(&:filter)

Problem

The problem is that it appears to only be working in my StaticpagesController dashboard action. Now it might be just because in /dashboard the only test I can do is a page refresh, not take any actions (since all form actions go to PlansController), but here's the behavior now:

  • If I have two /dashboard pages open, sign out on one and refresh the other, then on the latter I get redirected to the sign in page with a notice to sign in
  • If I have two /dashboard pages open, sign out on one, and attempt to submit a form on the other (dashboard is designed as a single page app, so the form is present on load), then rather than get redirected, I instead get a plain text error that I'm not logged in (and a 401 response)

Given this, I suspect that:

  • either authenticate_user! is not responsible for the redirect, and something else is (in which case tell me what!)
  • or the authenticate_user! is only working perfectly in one controller

Help please! I would like to ensure that the user is always redirected...

Now, by the way, I tried to fiddle with this myself, to catch the 401 and redirect, but got stuck (that was my original question linked above, and someone commented that I shouldn't have to do that because Devise does it for me... which is where I'm at now).

james
  • Devise can handle multiple request formats (html, js, json). Devise will only do a redirect for html requests. Your SPA is probably sending a js or json request, for which Devise will not redirect, but render the unauthenticated response. – AbM Jul 16 '15 at 22:06
  • Hmm... interesting I didn't know that, but in this case, they're all HTML requests... – james Jul 16 '15 at 22:54
  • When you are signed in and submit the form from the dashboard, what is the response behaviour? Does it redirect? – AbM Jul 16 '15 at 23:12
  • Yes it does. All of the actions result in a redirect – james Jul 16 '15 at 23:54
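
The redirect-versus-401 split described in the comments, as a simplified pure-Ruby model. This is an added example, not code from the thread or from Devise: the two constants are assumed defaults of Devise.navigational_formats and Devise.http_authenticatable_on_xhr, and the Request struct, the /plans path and the sign-in path are made up for illustration. It goes one step beyond the comment by also covering a request flagged as XHR, which gets the 401 even when its format is HTML.

```ruby
# Simplified model (not Devise source) of how an unauthenticated request is
# answered: a redirect for navigational formats, a bare 401 otherwise.

# Assumed defaults of Devise.navigational_formats and
# Devise.http_authenticatable_on_xhr.
NAVIGATIONAL_FORMATS = ["*/*", :html].freeze
HTTP_AUTH_ON_XHR = true

# Constructed stand-in for a Rails request object.
Request = Struct.new(:verb, :path, :format, :headers) do
  def xhr?
    headers["X-Requested-With"] == "XMLHttpRequest"
  end
end

# Returns the response an unauthenticated request would receive.
def unauthenticated_response(req, sign_in_path: "/users/sign_in")
  answer_with_401 =
    if req.xhr?
      HTTP_AUTH_ON_XHR                           # XHR: 401 regardless of format
    else
      !NAVIGATIONAL_FORMATS.include?(req.format) # non-navigational format: 401
    end

  if answer_with_401
    { status: 401, body: "(plain-text unauthenticated message)" }
  else
    { status: 302, location: sign_in_path }
  end
end

# Constructed sample requests, all sent after signing out in another window.
XHR = { "X-Requested-With" => "XMLHttpRequest" }.freeze
SAMPLES = {
  "refresh /dashboard"     => Request.new("GET",  "/dashboard", :html, {}),
  "plain HTML form submit" => Request.new("POST", "/plans",     :html, {}),
  "form submitted via XHR" => Request.new("POST", "/plans",     :html, XHR),
  "JSON request"           => Request.new("POST", "/plans",     :json, {})
}.freeze

SAMPLES.each do |label, req|
  puts "#{label.ljust(24)} #{req.verb.ljust(5)} #{req.path.ljust(11)} -> #{unauthenticated_response(req)}"
end
```

The X-Requested-With and Accept headers of the failing request, visible in the browser's network tab, show which branch a real submission falls into.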
