Resource is shared with multiple requests (even unauthenticated ones)
shedokan opened this issue
The resource is shared by multiple requests of the same controller.
That is because when the current_<resource> method is created, it's created for all instances of the controller, and the resource loaded by one authentication is shared to all via the closure in define_current_resource_accessors:
api_guard/lib/api_guard/jwt_auth/authentication.rb
Lines 60 to 65 in 6c7a1f7
How to reproduce
Add a hook to your controller for debug (that would run before authenticate_and_set_resource):
before_action :debug_resource

def debug_resource
  puts "My resource: #{respond_to?(:current_resource) ? current_resource : nil}"
end
Then send two requests:
- Send a request with a token of resource 1
- Send a request with no token at all (would return 401 Unauthorized)
Result: Second request had resource 1 in current_resource
Expectation
- current_resource should only contain the current request's authenticated resource, otherwise nil
- current_resource shouldn't change during the execution of a request - with this bug it might, due to a race condition
Gem version:
- API Guard 0.5.0 (latest)
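
The sharing described in this issue, reduced to a minimal model as an added example (not API Guard's code and not part of the original issue): LeakyController defines the accessor on the class with a closure over the resource, while ScopedController keeps the resource in per-instance state. The class names, Request, TOKENS and replay are assumptions made for the illustration.

```ruby
# Constructed model of the bug pattern. Every name here except
# current_resource is hypothetical; this is not API Guard's source.
Request = Struct.new(:token)
TOKENS = { "token-1" => "resource 1" }.freeze # constructed sample data

class LeakyController
  attr_reader :seen_before_auth

  def handle(request)
    # Mirrors the issue's debug hook: runs before authentication.
    @seen_before_auth = respond_to?(:current_resource) ? current_resource : nil
    resource = TOKENS[request.token]
    return 401 unless resource
    # Bug: define_method targets the class, so every later controller
    # instance gets a method whose closure still holds this resource.
    self.class.send(:define_method, :current_resource) { resource }
    200
  end
end

class ScopedController
  attr_reader :seen_before_auth

  # The accessor is defined once and reads per-instance state only.
  def current_resource
    @current_resource
  end

  def handle(request)
    @seen_before_auth = current_resource
    @current_resource = TOKENS[request.token]
    @current_resource ? 200 : 401
  end
end

# A new controller instance serves each request; replay the issue's two steps
# and return [status, value seen by the pre-authentication hook] per request.
def replay(controller_class)
  [Request.new("token-1"), Request.new(nil)].map do |req|
    controller = controller_class.new
    status = controller.handle(req)
    [status, controller.seen_before_auth]
  end
end

if __FILE__ == $PROGRAM_NAME
  p replay(LeakyController)
  p replay(ScopedController)
end
```

In the leaky variant the second, token-less request is rejected with 401 but its pre-authentication hook already sees the first request's resource; the scoped variant sees nil.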
@shedokan I will take a look at this. Thanks for reporting.
@shedokan This is fixed in version 0.5.1.