waiting-for-dev / devise-jwt

JWT token authentication with devise and rails


How to Avoid Session storage caveat

pribadi1st opened this issue · comments

Hi, I want to ask how to avoid the session storage caveat.
I'm building two different projects and I use Rails purely for API only (`rails new new-project --api`).

I tried following the "disable session storage caveat" section, but with no result.

Expected behavior

I want my Postman to return a 401 error when there is no Authorization header.

Actual behavior

I use Postman to test /current_user without an Authorization header; the result is 'success'.

Hey! If you're using the `--api` flag, then your session is disabled, so you're not affected by the caveat.

If the token is not present, the JWT strategy will be skipped from the warden cascade. See https://github.com/waiting-for-dev/warden-jwt_auth/blob/09c78d747cab802180e4d93a14cc33cf313e27d0/lib/warden/jwt_auth/strategy.rb#L11 and also https://github.com/wardencommunity/warden/wiki/Strategies for details on how Warden works.

Hi, I'm sorry if I ask too much, I'm still new to Rails.
So based on my understanding, if I want to check whether the header has authorization or not, do I have to fiddle with Warden's strategies?

Hey @pribadi1st, no worries for the asking.

Why do you need to directly check whether the header is present? This should be done transparently by devise-jwt as part of its strategy for warden.

Oh yes, it was part of my mistake. I will close this issue. Thank you for the reply.
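The reply above says the JWT strategy is skipped from the Warden cascade when no token is present. The following is an added example, not code from devise-jwt, Warden or this thread: a simplified Ruby model of that cascade showing that a skipped strategy yields no user, and that a 401 only results where authentication is enforced (as `warden.authenticate!` does). The class name, helper names and token table are hypothetical, and JWT decoding is stubbed with a constructed lookup.

```ruby
# Simplified stand-in for Warden's strategy cascade; not Warden's or devise-jwt's code.
# Token verification is stubbed with a constructed table instead of real JWT decoding.
USERS_BY_TOKEN = { "constructed-token" => "alice" }.freeze

class JwtStrategyModel
  def initialize(env)
    @env = env
  end

  # Extracts the bearer token, or nil when there is no Authorization header.
  def token
    header = @env["HTTP_AUTHORIZATION"]
    header && header[/\ABearer (.+)\z/, 1]
  end

  # Warden only runs a strategy whose valid? is true; no token means "skip me".
  def valid?
    !token.nil?
  end

  # Returns [:success, user] or [:fail, nil].
  def authenticate!
    user = USERS_BY_TOKEN[token]
    user ? [:success, user] : [:fail, nil]
  end
end

# Modelled on warden.authenticate: returns the user or nil, never halts the request.
def authenticate(env, strategies = [JwtStrategyModel])
  strategies.each do |klass|
    strategy = klass.new(env)
    next unless strategy.valid?            # skipped from the cascade
    result, user = strategy.authenticate!
    return result == :success ? user : nil # modelled on fail!, which halts the cascade
  end
  nil
end

# Modelled on warden.authenticate!: a missing user becomes a 401 response.
def status_when_enforced(env)
  authenticate(env) ? 200 : 401
end

# An endpoint that only reads the current user never produces a 401 by itself.
def status_when_not_enforced(env)
  authenticate(env)
  200
end
```

In a Devise application the enforcing call is the `authenticate_user!` helper, while `current_user` alone only returns `nil` for an unauthenticated request.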