
I am attempting to set up a basic sessions-based authentication strategy in a Rails 5 API.

I think I'm mostly running into a configuration confusion, because a new session is generated on each request.

I've added the cookies and cookie store middleware back into the application

config/application.rb

  class Application < Rails::Application
    # Settings in config/environments/* take precedence over those specified here.
    # Application configuration should go into files in config/initializers
    # -- all .rb files in that directory are automatically loaded.

    # Only loads a smaller set of middleware suitable for API only apps.
    # Middleware like session, flash, cookies can be added back manually.
    # Skip views, helpers and assets when generating a new resource.
    config.middleware.use ActionDispatch::Cookies
    config.middleware.use ActionDispatch::Session::CookieStore

    config.api_only = false
  end

It seems like I have to set api_only to false or I get #<ActionDispatch::Request::Session:0x7fd40b2eec80 not yet loaded>

I added the session_store initializer and the cookie_serializer:

config/initializers/session_store.rb

Rails.application.config.session_store :cookie_store, key: '_tunr_sol_json_api_session'

config/initializers/cookie_serializer.rb

Rails.application.config.action_dispatch.cookies_serializer = :json

I'm not storing sessions in the database.

I have a sessions controller that sets a current_user_id key to the sessions object when the user is successfully authenticated.

app/controllers/sessions_controller.rb

class SessionsController < ApplicationController
  # POST /sessions: look the user up by username and check the password via
  # has_secure_password; on success remember the id in the (cookie-backed) session.
  def create
    user = User.find_by(username: params[:user][:username])
    if user && user.authenticate(params[:user][:password])
      session[:current_user_id] = user.id
      # Send a real 201 status, and never serialize password_digest back to the client.
      render json: { status: 201, message: "session created",
                     user: user.as_json(except: :password_digest) }, status: :created
    else
      render json: { status: 401, message: "unauthorized" }, status: :unauthorized
    end
  end

  # DELETE /sessions: clear the user id from the session.
  def destroy
    session[:current_user_id] = nil
    render json: { status: 204, message: "no content" }
  end
end

The behavior

The auth strategy I have set up with bcrypt and has_secure_password works. And in looking at the session in sessions#create it successfully sets the user id to the session.

(screenshot: sessions#create)

But the session doesn't seem to persist or get stored in the browser. sessionStorage after login has a length of 0.

When I log out and check the session, it creates a new session.

(screenshot: sessions#destroy)

Question

Not sure what configuration I'm missing or have wrong to get this functionality set up with the api.

colintherobot
  • You can try https://github.com/rjurado01/rails_jwt_auth – rjurado01 Feb 23 '17 at 19:56
  • Yeah, I ended up just pivoting to using a token technique, still interested in figuring out the configuration process for this though. – colintherobot Mar 27 '17 at 12:52
  • Were you able to solve this? – red-devil Sep 30 '17 at 10:05
  • @red-devil Naw, I never was. The whole process of adding stuff back in was ridiculous. Wasn't clear what dependencies were needed etc. Ended up just initializing a full rails app and adding the cors stuff in to be able to use it as an API. Not ideal but *shrug* – colintherobot Oct 03 '17 at 12:03
  • I was able to solve it. Had to solve a series of errors one by one, but could find the solution for each of them online. I will share it in some time. B) – red-devil Oct 03 '17 at 12:45
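
To make the cookie-store mechanics behind the configuration above concrete, here is an added example. It is my own illustrative Ruby, not code from the question and not Rails' implementation; it mimics the shape of ActionDispatch::Session::CookieStore with cookies_serializer = :json (signed JSON in a cookie), but uses only the standard library. The secret, cookie name, user ids and the request sequence are assumptions constructed for the example. What it shows: the whole session hash lives in the cookie, so the server only "remembers" the login if the client sends that exact cookie back on the next request; a request without the cookie gets a fresh empty session; a cookie whose signature does not verify is discarded instead of trusted; and because the server keeps no state, clearing the key on logout does not invalidate a copy of the earlier cookie.

```ruby
require 'json'
require 'base64'
require 'openssl'

# Added illustrative example, not Rails' own code: a minimal signed cookie
# session store in the style of ActionDispatch::Session::CookieStore with
# cookies_serializer = :json. The secret and cookie name are assumptions.
SECRET      = 'assumed-secret-key-base-for-demo-only'.freeze
COOKIE_NAME = '_tunr_sol_json_api_session'.freeze

module CookieSessionStore
  module_function

  # Session hash -> cookie value "<base64 json>--<hmac-sha256 hex>".
  # The server can trust the value later only because it alone holds SECRET.
  def encode(session_hash)
    payload = Base64.strict_encode64(JSON.generate(session_hash))
    "#{payload}--#{sign(payload)}"
  end

  # Cookie value -> session hash, or nil when absent, malformed or forged.
  # Keys come back as strings after the JSON round trip (Rails' session
  # object stringifies keys for you, so session[:current_user_id] still works).
  def decode(cookie_value)
    return nil if cookie_value.nil?
    payload, digest = cookie_value.split('--', 2)
    return nil if payload.nil? || digest.nil?
    return nil unless secure_equal?(digest, sign(payload))
    JSON.parse(Base64.strict_decode64(payload))
  rescue ArgumentError, JSON::ParserError
    nil
  end

  def sign(payload)
    OpenSSL::HMAC.hexdigest('SHA256', SECRET, payload)
  end

  # Constant-time comparison so an attacker cannot learn the digest
  # byte by byte from timing differences.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# One simulated request: `cookie_header` is the value the client sent back
# for COOKIE_NAME (nil if it sent nothing). The block plays the controller
# action. Returns [session_after_action, set_cookie_value].
def handle_request(cookie_header)
  session = CookieSessionStore.decode(cookie_header) || {} # fresh when absent/invalid
  yield session
  [session, CookieSessionStore.encode(session)]
end

# The request sequence the question describes, plus a forgery attempt.
# User ids and the order of requests are constructed for the example.
def demo
  # 1. sessions#create: no cookie yet, the action stores the authenticated user.
  s1, cookie1 = handle_request(nil) { |s| s['current_user_id'] = 42 }

  # 2. Client returns the cookie: the server sees the same session.
  s2, _ = handle_request(cookie1) { |_s| }

  # 3. Client does not return it (e.g. a cross-origin fetch without credentials):
  #    the server sees a brand-new empty session, i.e. "new session on each request".
  s3, _ = handle_request(nil) { |_s| }

  # 4. Client rewrites the payload to claim user 1 but cannot re-sign it:
  #    the signature check fails and the cookie is discarded rather than trusted.
  forged_payload = Base64.strict_encode64(JSON.generate('current_user_id' => 1))
  tampered = "#{forged_payload}--#{cookie1.split('--', 2).last}"
  s4, _ = handle_request(tampered) { |_s| }

  # 5. sessions#destroy as written in the question: the key is set to nil and
  #    that is what the new cookie carries...
  s5, cookie5 = handle_request(cookie1) { |s| s['current_user_id'] = nil }
  s6, _ = handle_request(cookie5) { |_s| }

  # 6. ...but the server holds no state, so a saved copy of the login cookie
  #    still authenticates as user 42 after "logout".
  s7, _ = handle_request(cookie1) { |_s| }

  { login: s1, replayed: s2, no_cookie: s3, tampered: s4,
    logout: s5, after_logout: s6, replayed_old_cookie: s7 }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Two things follow for the setup in the question: a cookie session never shows up in sessionStorage, only in the browser's cookie jar for the API's origin; and any client that does not send the cookie back (a cross-origin XHR/fetch made without credentials, or a cookie the browser refused to store) makes every request look like a fresh session. Rails additionally encrypts the cookie value so its contents are not readable client-side; this example only signs it, which is enough to show the integrity check.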

1 Answer


You also need to change your Application controller to:

class ApplicationController < ActionController::Base

Glen