waiting-for-dev / devise-jwt

JWT token authentication with devise and rails

JWT::DecodeError when a small token is used at session#destroy

cesarjr opened this issue · comments

Hi!

When I send a small and invalid token to Devise's sessions#destroy it is logging this:

Started DELETE "/users/sign_out" for ::1 at 2022-02-26 16:27:16 -0300
Processing by Users::SessionsController#destroy as JSON
  Parameters: {"session"=>{}}
Filter chain halted as :verify_signed_out_user rendered or redirected
Completed 204 No Content in 1ms (ActiveRecord: 0.0ms | Allocations: 507)

JWT::DecodeError (Not enough or too many segments):

jwt (2.3.0) lib/jwt/decode.rb:82:in `validate_segment_count!'
jwt (2.3.0) lib/jwt/decode.rb:23:in `decode_segments'
jwt (2.3.0) lib/jwt.rb:28:in `decode'
warden-jwt_auth (0.6.0) lib/warden/jwt_auth/token_decoder.rb:17:in `call'
warden-jwt_auth (0.6.0) lib/warden/jwt_auth/token_revoker.rb:13:in `call'
warden-jwt_auth (0.6.0) lib/warden/jwt_auth/middleware/revocation_manager.rb:34:in `revoke_token'
warden-jwt_auth (0.6.0) lib/warden/jwt_auth/middleware/revocation_manager.rb:22:in `call'
rack (2.2.3) lib/rack/builder.rb:244:in `call'
rollbar (3.3.0) lib/rollbar/middleware/rack/builder.rb:16:in `block in call_with_rollbar'
rollbar (3.3.0) lib/rollbar.rb:145:in `scoped'
rollbar (3.3.0) lib/rollbar/middleware/rack/builder.rb:14:in `call_with_rollbar'
warden-jwt_auth (0.6.0) lib/warden/jwt_auth/middleware.rb:22:in `call'
continue...

If I do the same experiment in a regular controller, it processes correctly and I receive a JSON like this:

# 401 Unauthorized
{ "error": "Not enough or too many segments" }

I tried many things before writing here, but now I don't have anything else to try.

I'd love that sessions#destroy could behave like the others regular controllers.

Does anyone have any idea what my mistake is?

Are you using some global rescue_from in your controller?

Hi @waiting-for-dev !

Only this:

    rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized
    rescue_from ActiveRecord::RecordNotFound, with: :record_not_found

Should I have one for JWT::DecodeError? I thought about doing it before, but that solution sounded a little bit weird to me 😬.

Probably both requests are going through different controller paths ("regular" ones through ApplicationController; sessions through Devise). You should try to spot the piece that makes the difference in behavior and probably create a minimalistic override of Devise's controller. However, that's not an issue with devise-jwt, which doesn't mess with controllers in any way. I think you'll be better off asking somewhere like StackOverflow. Don't hesitate to reach out here if you find something that points in this direction.
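One detail worth checking in the trace above before overriding any controller: the log shows the controller finishing with `Completed 204 No Content`, and every frame under `JWT::DecodeError` belongs to warden-jwt_auth's `RevocationManager` middleware, which decodes the bearer token on the sign-out path in order to revoke it. An exception raised there, after the controller has returned, is never seen by a `rescue_from` in any Rails controller. One layer that does see it is a Rack middleware wrapped around that gem's middleware. The following is an added example, not code from this thread, from devise-jwt or from warden-jwt_auth; `JwtErrorResponder`, `FakeRevokingApp` and `sign_out_response` are names chosen here, the inner app is a constructed stand-in that only mimics the "Not enough or too many segments" failure from the trace, and the `JWT::DecodeError` stand-in exists so the file runs without the jwt gem loaded.

```ruby
require 'json'

# Stand-in so the example runs without the jwt gem loaded. In a real app the
# constant is the gem's own ::JWT::DecodeError and this block is a no-op.
module JWT
  class DecodeError < StandardError; end unless const_defined?(:DecodeError)
end

# Rack middleware that turns token-decoding failures raised anywhere beneath it
# (including a revocation step that runs after the controller has already
# answered) into the same 401 JSON body the questioner sees from a controller.
class JwtErrorResponder
  def initialize(app, error_classes: [JWT::DecodeError])
    @app = app
    @error_classes = error_classes
  end

  def call(env)
    @app.call(env)
  rescue *@error_classes => e
    body = { error: e.message }.to_json
    [401,
     { 'Content-Type' => 'application/json', 'Content-Length' => body.bytesize.to_s },
     [body]]
  end
end

# Constructed stand-in for the stack in the trace: the inner app answers
# DELETE /users/sign_out with 204 and then, like RevocationManager, tries to
# decode the bearer token so it can revoke it. A token without exactly three
# dot-separated segments fails the way the questioner's small token did.
FakeRevokingApp = lambda do |env|
  response = [204, {}, []]
  if env['REQUEST_METHOD'] == 'DELETE' && env['PATH_INFO'] == '/users/sign_out'
    token = env['HTTP_AUTHORIZATION'].to_s.sub(/\ABearer /, '')
    raise JWT::DecodeError, 'Not enough or too many segments' unless token.split('.').length == 3
  end
  response
end

# Drive one sign-out request through the middleware; returns [status, body].
def sign_out_response(authorization)
  app = JwtErrorResponder.new(FakeRevokingApp)
  env = {
    'REQUEST_METHOD' => 'DELETE',
    'PATH_INFO' => '/users/sign_out',
    'HTTP_AUTHORIZATION' => authorization
  }
  status, _headers, body = app.call(env)
  [status, body.join]
end

if $PROGRAM_NAME == __FILE__
  p sign_out_response('Bearer abc')         # [401, "{\"error\":\"Not enough or too many segments\"}"]
  p sign_out_response('Bearer aaa.bbb.ccc') # [204, ""]
end
```

In a Rails app this would be registered in config/application.rb with something like `config.middleware.insert_before Warden::JWTAuth::Middleware, JwtErrorResponder` (an assumption about where the gem's middleware sits; `Warden::JWTAuth::Middleware` is the outermost frame of that gem in the trace). The stand-in checks only the segment count; the real decoder also verifies the signature and claims, and those failures would surface as other `JWT` error classes that can be passed through `error_classes:` if they should get the same 401 treatment.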