2

I'm using Rails 7 in API-only mode and the devise-jwt gem for authentication. First, this is the tutorial I followed for setup: https://dakotaleemartinez.com/tutorials/devise-jwt-api-only-mode-for-authentication/

There is a problem: when I call the API to register a new account, it shows an error: Your application has sessions disabled. To write to the session you must first configure a session store

I tried to fix this issue by adding session store configuration to the application config:

```ruby
config.session_store :cookie_store, key: '_rails7_api_session'
config.middleware.use ActionDispatch::Cookies
config.middleware.use config.session_store, config.session_options
```

=> It worked, but I ran into a second problem. I defined a "/me" route to get the current user. In theory, I need to pass the Authorization parameter in the header to be able to get the current user data (I'm using Postman). But somehow (probably because of the session) I get the user data without the Authorization parameter in the header.

I want to fix this issue. Can somebody help me, please?

Dean

2 Answers

0

In the related /me controller, have you put before_action :authenticate_user! in the controller?

new2cpp
0

It's been reported as a Devise issue here and there, and hasn't been fixed yet.

However, there are posted ways you could try to resolve the session store error.

First, remove the session store related configuration, since it's unnecessary for an API-only app.

Then try:

I found a way to centrally configure store: false, instead of overwriting each method separately that might need it:

```ruby
# config/initializers/devise.rb
Devise.setup do |config|
  # ... other config

  config.warden do |warden|
    warden.scope_defaults :user, store: false  # <---- This will use the config even if it's not passed to the method opts
    warden.scope_defaults :admin, store: false # <---- You need to configure it for each scope you need it for
    # you might also want to overwrite the FailureApp in this section
  end
end
```

```ruby
# config/application.rb
module YourApp
  class Application < Rails::Application
    # ... other config

    config.session_store :disabled
  end
end
```

I understand that Devise relies heavily on warden etc which rely on sessions, or a fake version of it at least. Thus, we've circumvented this by creating this concern/module that we have included in the relevant Devise-related controllers in our app:

```ruby
module RackSessionFixController
  extend ActiveSupport::Concern

  class FakeRackSession < Hash
    def enabled?
      false
    end
  end

  included do
    before_action :set_fake_rack_session_for_devise

    private

    def set_fake_rack_session_for_devise
      request.env['rack.session'] ||= FakeRackSession.new
    end
  end
end
```
eux
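Why the cookie session store made "/me" succeed without an Authorization header, and why `store: false` stops it, shown as an added example that is not part of the original posts and is not Warden or Devise code. It is a simplified pure-Ruby model: the `AuthModel` class, the helper names, the user id and the random hex bearer token (a stand-in for a real JWT) are all constructed for illustration, and it assumes the client replays the session cookie it received at sign-in.

```ruby
# Simplified model of session-backed vs. token-only authentication.
# Not Warden or Devise code; all names and values here are constructed.
require "securerandom"

class AuthModel
  SESSION_KEY = "warden.user.user.key" # per-scope session key, for illustration

  def initialize(store:)
    @store = store    # stands for: warden.scope_defaults :user, store: <true|false>
    @sessions = {}    # server-side view of cookie sessions: cookie => session hash
    @tokens = {}      # issued bearer tokens (stand-in for JWTs): token => user id
  end

  # Sign-in always issues a token; it writes the user into a session
  # (and hands back a cookie) only when store is true.
  def sign_in(user_id)
    token = SecureRandom.hex(16)
    @tokens[token] = user_id
    cookie = nil
    if @store
      cookie = SecureRandom.hex(8)
      @sessions[cookie] = { SESSION_KEY => user_id }
    end
    { token: token, cookie: cookie }
  end

  # GET /me: the session is consulted first; the Authorization header is
  # only examined when no user was found in the session.
  def me(cookie: nil, authorization: nil)
    user = @sessions.dig(cookie, SESSION_KEY)
    user ||= @tokens[authorization.to_s.delete_prefix("Bearer ")]
    user ? [200, user] : [401, nil]
  end
end

# Client replays the cookie from sign-in and sends no Authorization header.
def me_status_without_header(store:)
  app = AuthModel.new(store: store)
  creds = app.sign_in(42)
  app.me(cookie: creds[:cookie]).first
end

# Client sends only the bearer token.
def me_status_with_header(store:)
  app = AuthModel.new(store: store)
  creds = app.sign_in(42)
  app.me(authorization: "Bearer #{creds[:token]}").first
end
```

In a real application the equivalent regression check is a request spec asserting that "/me" answers 401 when no Authorization header is sent, even if a cookie from an earlier response is included.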