Merge pull request #531 from streamatica/check-token-existence-in-aft…

…er-action

Avoid sending auth headers if while processing used token is cleared

app/controllers/devise_token_auth/concerns/set_user_by_token.rb

@@ -74,6 +74,10 @@ def update_auth_header
     @client_id = nil unless @used_auth_by_token
 
     if @used_auth_by_token and not DeviseTokenAuth.change_headers_on_each_request
+      # should not append auth header if @resource related token was
+      # cleared by sign out in the meantime
+      return if @resource.reload.tokens[@client_id].nil?
+
       auth_header = @resource.build_auth_header(@token, @client_id)
 
       # update the response header
@@ -84,6 +88,9 @@ def update_auth_header
       # Lock the user record during any auth_header updates to ensure
       # we don't have write contention from multiple threads
       @resource.with_lock do
+        # should not append auth header if @resource related token was
+        # cleared by sign out in the meantime
+        return if @used_auth_by_token && @resource.tokens[@client_id].nil?
 
         # determine batch request status after request processing, in case
         # another processes has updated it during that processing

test/controllers/demo_user_controller_test.rb

@@ -321,11 +321,40 @@ class DemoUserControllerTest < ActionDispatch::IntegrationTest
             get '/demo/members_only', {}, @old_auth_headers
             assert 401, response.status
           end
-          
+
         end
 
       end
 
+      describe 'request including destroy of token' do
+        describe 'when change_headers_on_each_request is set to false' do
+          before do
+            DeviseTokenAuth.change_headers_on_each_request = false
+            age_token(@resource, @client_id)
+
+            get '/demo/members_only_remove_token', {}, @auth_headers
+          end
+
+          after do
+            DeviseTokenAuth.change_headers_on_each_request = true
+          end
+
+          it 'should not return auth-headers' do
+            refute response.headers['access-token']
+          end
+        end
+
+        describe 'when change_headers_on_each_request is set to true' do
+          before do
+            age_token(@resource, @client_id)
+            get '/demo/members_only_remove_token', {}, @auth_headers
+          end
+
+          it 'should not return auth-headers' do
+            refute response.headers['access-token']
+          end
+        end
+      end
     end
 
     describe 'enable_standard_devise_support' do
@@ -364,8 +393,8 @@ class DemoUserControllerTest < ActionDispatch::IntegrationTest
           it 'should not define current_mang' do
             refute_equal @resource, @controller.current_mang
           end
-		  
-		  
+
+
           it 'should increase the number of tokens by a factor of 2 up to 11' do
             @first_token = @resource.tokens.keys.first
 
@@ -459,6 +488,5 @@ class DemoUserControllerTest < ActionDispatch::IntegrationTest
       end
 
     end
-
   end
 end

test/dummy/app/controllers/demo_user_controller.rb

@@ -9,4 +9,17 @@ def members_only
       }
     }, status: 200
   end
+
+  def members_only_remove_token
+    u = User.find(current_user.id)
+    u.tokens = {}
+    u.save!
+
+    render json: {
+      data: {
+        message: "Welcome #{current_user.name}",
+        user: current_user
+      }
+    }, status: 200
+  end
 end

test/dummy/config/routes.rb

@@ -56,6 +56,8 @@
 
   # this route will authorize visitors using the User class
   get 'demo/members_only', to: 'demo_user#members_only'
+  get 'demo/members_only_remove_token', to: 'demo_user#members_only_remove_token'
+
 
   # routes within this block will authorize visitors using the Mang class
   get 'demo/members_only_mang', to: 'demo_mang#members_only'