waiting-for-dev / devise-jwt

JWT token authentication with devise and rails


Multiple Devise Scope Support

marclennox opened this issue · comments

I have multiple Devise scopes that both use devise-jwt for authentication. Because warden uses the same header for the auth token (warden-jwt_auth.token), it is not possible to be logged in with both scopes simultaneously. Is there a suggested way around this, such that the warden header is unique for each scope?

@marclennox it should be possible to log in using either scope without issues. The token is in the request information, and its payload contains the scope that is trying to authenticate, so two different requests can authenticate two users from different scopes.

@waiting-for-dev Thanks for this. As I dig deeper into this I'm getting closer to understanding what's going on, but still not there. I'll try and expand a bit on what I'm doing and what I've seen.

For context, I'm using cookies to handle the jwt authentication. As an after_action on the sessions controller, I'm setting a cookie to the value stored in request.headers['warden-jwt_auth.token']. I have 2 separate cookies, one for each of the 2 scopes I'm handling.

Each scope uses its own sessions controller, so each sets its own specific cookie post login.

I then have a custom warden strategy that reads the cookie and decodes the user.

Is request.headers['warden-jwt_auth.token'] the proper place to pull the newly created JWT?

Hey @marclennox, sorry for the late response.

> For context, I'm using cookies to handle the jwt authentication.

If you're using cookies, I'd say you don't need to use devise-jwt. Unless I'm missing something, you could rely on plain devise.

> Is request.headers['warden-jwt_auth.token'] the proper place to pull the newly created JWT?

The token is set in env['warden-jwt_auth.token'] here

I support both header-based and cookie-based auth, but perhaps I could get away just with warden-jwt? Thanks for the heads up on where the env gets set.

Sure, you can do anything with only warden-jwt_auth. You have to assess whether the integration it provides with the Rails model layer helps you. If you're going to implement a super-specific workflow, it's an option to get rid of it.

I'm going to close it, but feel free to add more comments if needed