0

I am building an API-only app using Rails with Devise and Devise JWT for authentication. I have set the JWT revocation strategy to self and created controllers for Devise sessions and registrations. When I register a user, I am able to obtain an authorization token, but when I try to access other protected routes, I am not properly authenticated and can access the routes without a token. How can I ensure that authentication is properly enforced for all protected routes

class User < ActiveRecord::Base
  # Include default devise modules. Others available are:
  # :confirmable, :lockable, :timeoutable, :trackable and :omniauthable
  include Devise::JWT::RevocationStrategies::JTIMatcher

  devise :database_authenticatable, :registerable, :validatable,
         :jwt_authenticatable, jwt_revocation_strategy: self

    VALID_EMAIL_REGEX = /\A[\w+\-.]+@[a-z\d\-.]+\.[a-z]+\z/i

    def jwt_payload
        super.merge('foo' => 'bar')
      end
    validates :email, presence: true,format: { with: VALID_EMAIL_REGEX }, uniqueness: { case_sensitive: false }
    validates :password, presence: true, length: {minimum: 10}

end

Registration Conroller

class Users::RegistrationsController < Devise::RegistrationsController

  respond_to :json
  private

  def respond_with(resource, _opts = {})

    if resource.persisted?
      render json: {
        status: {code: 200, message: 'Signed up sucessfully.'},
        data: UserSerializer.new(resource).serializable_hash[:data][:attributes]
      }
    else
      render json: {
        status: {message: "User couldn't be created successfully. #{resource.errors.full_messages.to_sentence}"}
      }, status: :unprocessable_entity
    end
  end
end

User controller

class UsersController < ApplicationController
  before_action :authenticate_user!
  skip_before_action :verify_authenticity_token, only: [:create]

   def show
     @user = User.find(params[:id])
     render :json => @user
   end

   def create
    @user = User.new(user_params)
      @user.password_confirmation = params[:confirm_password]
      @user.password = params[:password]
    if @user.save
      render json: @user, status: :created  
    else
      render json: @user.errors, status: :unprocessable_entity
    end

   end 


    def user_params
      
      params.require(:user).permit(:username, :email, :password, :password_confirmation)
    end
    


end

I have added a before action hook in above controller, but if can make an api call to show action method , I am able to fetch a response with the authorization token,

I am not sure , what am i missing

MOin
  • 31
  • 1
  • 1
  • 8

1 Answers1

0

Probably is a problem with your SessionStore:

If you are working with a Rails application that has session storage enabled and a default Devise setup, chances are the same origin requests will be authenticated from the session regardless of a token being present in the headers or not.

https://github.com/waiting-for-dev/devise-jwt#session-storage-caveat

You can disable, if you are using API Only, with:

# config/initializers/session_store.rb
Rails.application.config.session_store :disabled
Pedro Augusto Ramalho Duarte
  • 376
  • 2
  • 10