Gokul595 / api_guard

JWT authentication solution for Rails APIs

Resource is shared with multiple requests (even unauthenticated ones)

shedokan opened this issue · comments

The resource is shared by multiple requests of the same controller.
That is because when the current_<resource> method is created, it's created for all instances of the controller, and the resource loaded by one authentication is shared to all via the closure in define_current_resource_accessors:

def define_current_resource_accessors(resource)
  self.class.send(:define_method, "current_#{@resource_name}") do
    instance_variable_get("@current_#{@resource_name}") ||
      instance_variable_set("@current_#{@resource_name}", resource)
  end
end

How to reproduce

Add a hook to your controller for debug (that would run before authenticate_and_set_resource):

before_action :debug_resource
def debug_resource
  puts "My resource: #{respond_to?(:current_resource) ? current_resource : nil}"
end

Then send two requests:

  1. Send a request with a token of resource 1
  2. Send a request with no token at all (would return 401 Unauthorized)

Result: Second request had resource 1 in current_resource

Expectation

  1. current_resource should only contain the current request's authenticated resource, otherwise nil
  2. current_resource shouldn't change during the execution of a request - with this bug it might, due to a race condition

Gem version:

  • API Guard 0.5.0 (latest)
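
The sharing described in this issue can be reproduced outside Rails. The following is an added example, not code from the issue or from api_guard: `LeakyController`, `ScopedController` and `second_request_resource` are hypothetical stand-ins, the resource name "user" and the value "user-1" are constructed, and the scoped variant is one possible way to keep the value per request, not necessarily the change made in 0.5.1.

```ruby
# Stand-in for a Rails controller: one new instance per request
# (constructed for this example, not api_guard code).
class LeakyController
  def initialize(resource_name)
    @resource_name = resource_name
  end

  # Same pattern as the snippet in the issue: the method is defined on the
  # class, and its block closes over `resource` from the request that ran this.
  def define_current_resource_accessors(resource)
    self.class.send(:define_method, "current_#{@resource_name}") do
      instance_variable_get("@current_#{@resource_name}") ||
        instance_variable_set("@current_#{@resource_name}", resource)
    end
  end
end

# Assumed alternative: store the resource on the instance handling the request
# and let the class-level accessor read only that per-instance state.
class ScopedController
  def initialize(resource_name)
    @resource_name = resource_name
  end

  def define_current_resource_accessors(resource)
    instance_variable_set("@current_#{@resource_name}", resource)
    name = @resource_name
    return if self.class.method_defined?("current_#{name}")

    self.class.send(:define_method, "current_#{name}") do
      instance_variable_get("@current_#{name}")
    end
  end
end

# Replays the two requests from "How to reproduce" and returns what the
# second, unauthenticated request sees through current_user.
def second_request_resource(controller_class)
  first = controller_class.new("user")
  first.define_current_resource_accessors("user-1") # request 1: valid token
  second = controller_class.new("user")             # request 2: no token
  second.respond_to?(:current_user) ? second.current_user : nil
end

puts "leaky:  #{second_request_resource(LeakyController).inspect}"
puts "scoped: #{second_request_resource(ScopedController).inspect}"
```
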

@shedokan I will take a look at this. Thanks for reporting.

@shedokan This is fixed in version 0.5.1.