ruby-on-rails devise rails-api warden

Rails 5 API with front-end engine


I have a Rails 5 API with Devise/Doorkeeper working perfectly.

I've built an engine with a front-end part containing all the Devise views. Everything works except the flash when Warden throws an error. I've manually imported the missing modules:

# app/controllers/concerns/api_to_web_controller.rb
module ApiToWebController
  extend ActiveSupport::Concern

  included do
    include ActionController::Helpers
    include ActionController::MimeResponds
    include ActionController::Redirecting
    include ActionView::Layouts
    include ActionController::EtagWithFlash
    include ActionController::Flash
    
    respond_to :html
  end
end


# app/controllers/concerns/devise_api_to_web.rb
##
# Module to integrate Devise:
#  - helpers
#  - layout
# It also redefines `redirect_to`.
# See https://github.com/heartcombo/responders/issues/222
# for more details
module DeviseApiToWeb
  extend ActiveSupport::Concern

  included do
    layout 'secret_migration/devise'

    if respond_to?(:helper_method)
      helpers = %w[resource scope_name resource_name signed_in_resource
                   resource_class resource_params devise_mapping]
      helper_method(*helpers)
    end

    def redirect_to(options = {}, response_options = {})
      super
    end
  end
end

Here is my custom SessionController

module MyEngine
  module V1
    # Override Devise::SessionsController
    class Users::SessionsController < Devise::SessionsController
      include ::ApiToWebController
      include ::DeviseApiToWeb
    end
  end
end

I got this custom after_authentication

# config/initializers/warden.rb
Warden::Manager.after_authentication do |user, auth, _opts|
  next if user.is_ok?

  throw(:warden, :message => "User not ok, contact admin")
end

Finally, the application file

module MyApp
  class Application < Rails::Application
    opts = { key: '_my_app', domain: 'example.com', tld_length: 1 }
    Rails.application.config.session_store :disabled
    config.session_store :cookie_store, opts
    config.middleware.use ActionDispatch::Session::CookieStore, config.session_options
    config.middleware.insert_after(ActionDispatch::Cookies, ActionDispatch::Session::CookieStore,
                                   opts)
  end
end

I've been able to track the data. env['warden.options'] is correctly filled with :message => "User not ok, contact admin" but somehow, it's not passed after the redirection.

Important point: I do get a flash message when it's a pure Devise error like Invalid Email or password.


Solution

  • I got it. It was a middleware order issue. It has to be in the following order:

    use ActionDispatch::Cookies
    use ActionDispatch::Session::CookieStore
    use ActionDispatch::Flash
    use Warden::Manager
    

    I've updated my engine.rb to include the middleware at the correct place:

    module MyEngine
      ##
      # Engine initializers
      class Engine < ::Rails::Engine
        isolate_namespace MyEngine
        initializer 'use action dispatch flash' do |app|
          app.config.middleware.insert_after(ActionDispatch::Session::CookieStore, ActionDispatch::Flash)
        
          app.config.middleware.use Rack::MethodOverride
        end
      end
    end
    
    # config/application.rb
    module MyApp
      class Application < Rails::Application
        # ...
        config.middleware.insert_before(Warden::Manager, ActionDispatch::Cookies)
        # ...
      end
    end
    
    # config/environments/development.rb
    Rails.application.configure do
      opts = { key: '_my_app', domain: 'lvh.me', tld_length: 2 }
      Rails.application.config.session_store :disabled
      config.session_store :cookie_store, opts
      config.middleware.insert_after(ActionDispatch::Cookies, ActionDispatch::Session::CookieStore,
                                     opts)
    end
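
A way to check the ordering described in the answer against the output of `bin/rails middleware`, as an added example that is not part of the original post. The helper names `parse_stack` and `middleware_problems` and both sample stacks are constructed for illustration.

```ruby
# Order given in the answer: each entry must come before the next one.
REQUIRED_ORDER = %w[
  ActionDispatch::Cookies
  ActionDispatch::Session::CookieStore
  ActionDispatch::Flash
  Warden::Manager
].freeze

# Extract middleware class names from "use Some::Class" lines
# (the final "run ..." line is ignored).
def parse_stack(text)
  text.each_line.map { |line| line[/^\s*use\s+(\S+)/, 1] }.compact
end

# Returns a list of problems; an empty list means the stack is consistent.
def middleware_problems(stack, required = REQUIRED_ORDER)
  problems = []
  required.each do |name|
    count = stack.count(name)
    problems << "#{name} is missing" if count.zero?
    problems << "#{name} appears #{count} times" if count > 1
  end
  # Compare positions of the entries that are present, so a missing
  # middleware does not hide an ordering error around it.
  present = required.select { |name| stack.include?(name) }
  present.each_cons(2) do |before, after|
    problems << "#{before} must come before #{after}" if stack.index(before) > stack.index(after)
  end
  problems
end

# Constructed sample outputs (hypothetical, not taken from the post).
BROKEN_STACK = <<~OUT
  use Rack::Sendfile
  use Warden::Manager
  use ActionDispatch::Cookies
  use ActionDispatch::Session::CookieStore
  use ActionDispatch::Session::CookieStore
  run MyApp::Application.routes
OUT

FIXED_STACK = <<~OUT
  use ActionDispatch::Cookies
  use ActionDispatch::Session::CookieStore
  use ActionDispatch::Flash
  use Warden::Manager
  run MyApp::Application.routes
OUT

puts middleware_problems(parse_stack(BROKEN_STACK))
```

In a real application the same check can be fed `Rails.application.middleware.map { |m| m.klass.to_s }` from a test, so a later change to the initializers that reorders the stack fails fast.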