Batch Requests Respond with Original Auth Token #17

Closed
seckenrode opened this issue Aug 22, 2014 · 3 comments

@seckenrode

I've noticed some strange behavior with batch requests that is causing parallel requests to return outdated auth tokens in the response. Essentially the situation is as follows:

  1. Request R1 is made with auth token (1)
  2. Request R2 is made in parallel with the same auth token (1)
  3. Response to R1 creates a new auth token (2) and returns it in the response
  4. Response to R2 is flagged as a batch request but returns the original auth token (1) in its response header

Changing the batch request tests to start with a clean token by adding age_token at the start of the begin at line 153 of demo_controller_test.rb causes reproducible test failures because the responses do not include the same response header.

On its face, this seems due to the fact that extending the batch buffer actually does just return the auth token that was sent with the request as the response headers (https://github.com/lynndylanhurley/devise_token_auth/blob/master/app/models/devise_token_auth/concerns/user.rb#L132).

I'm working on my own angular consumer of this gem and am wondering if I need to be accounting for this behavior on the frontend or if this is behavior that is unexpected.

@seckenrode
Author

I did some playing around in the example angular consumer at (http://ng-token-auth-demo.herokuapp.com/) and noticed that it has the same behavior. It occurs nondeterministically depending on whether or not the first request or the second request responds first.

I added some simple request and response token dumping via Chrome dev tools. After logging in, I hit the "Multiple Parallel Requests" button, saw that the original auth token was returned back, and then attempted to make a single request. That request failed because it used the old token (xZw...) and not the updated token (n8h..) for the third request.

```
// Multiple Parallel Requests
Request Token: xZwJnfZGIvaCZplMR039pg main-598e8c9b.js:1294
Request Token: xZwJnfZGIvaCZplMR039pg main-598e8c9b.js:1294
Response Token: n8h0WUl-wV8-Cj_401lcAQ main-598e8c9b.js:1311
Response Token: xZwJnfZGIvaCZplMR039pg main-598e8c9b.js:1311

// Single request after this request
Request Token: xZwJnfZGIvaCZplMR039pg main-598e8c9b.js:1294
GET http://devise-token-auth-demo.herokuapp.com/demo/members_only 401 (Unauthorized)
```
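
The race reported in this thread, reproduced as an added JavaScript simulation (not part of the original issue and not code from devise_token_auth or ng-token-auth). `makeServer`, `makeClient`, `run` and the 5-second `BATCH_WINDOW_MS` are hypothetical; the server is a simplified model of the behaviour described above, and the guard in `onResponse` is one possible consumer-side check.

```javascript
// Constructed simulation of the token-rotation race; all names are hypothetical.
const BATCH_WINDOW_MS = 5000; // assumed batch window, not taken from the gem

function makeServer(initialToken) {
  let current = initialToken, previous = null, rotatedAt = -Infinity, n = 1;
  return {
    // Returns { status, token }, where token stands in for the response header.
    handle(token, now) {
      if (token === current) {            // normal request: rotate the token
        previous = current; current = `token-${++n}`; rotatedAt = now;
        return { status: 200, token: current };
      }
      if (token === previous && now - rotatedAt < BATCH_WINDOW_MS) {
        return { status: 200, token };    // batch request: echoes the token it was sent
      }
      return { status: 401, token: null };
    },
  };
}

function makeClient(guardStale) {
  let stored = 'token-1';
  return {
    get token() { return stored; },
    onResponse(sentToken, res) {
      if (!res.token) return;
      // Guard: a response that echoes the token we sent carries nothing new,
      // so it must never overwrite a token stored by another response.
      if (guardStale && res.token === sentToken) return;
      stored = res.token;
    },
  };
}

// Two parallel requests with the same token, then one follow-up request made
// after the batch window has closed. Returns the follow-up's HTTP status.
function run(guardStale, batchResponseArrivesLast) {
  const server = makeServer('token-1');
  const client = makeClient(guardStale);
  const sent = client.token;
  const r1 = server.handle(sent, 0);   // rotates to token-2
  const r2 = server.handle(sent, 1);   // batch: echoes token-1
  const arrival = batchResponseArrivesLast ? [r1, r2] : [r2, r1];
  arrival.forEach((res) => client.onResponse(sent, res));
  return server.handle(client.token, BATCH_WINDOW_MS + 10).status;
}

console.log(run(false, true), run(false, false), run(true, true), run(true, false));
```
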

@lynndylanhurley
Owner

Thanks @seckenrode, I'll investigate this immediately.

@lynndylanhurley
Owner

@seckenrode - This seems to have been fixed in the demo.

Please check out version 0.1.26.beta3 and let me know if this has been resolved for you as well.
