Seeing other users data on logout and login #932

Closed
lorenzsell opened this issue Jul 26, 2017 · 3 comments
Comments

@lorenzsell

I'm seeing a very similar issue to #375. I'm using devise token auth (0.1.42) with a react native front end side by side with devise on the web. Everything works great with Devise and everything works great with Devise Token Auth until I tried logging out and logging in with a new account. Then the data from the previously logged in account shows. I've tried overriding the session controller with:

module DeviseTokenAuthOverrides
  class SessionsController < DeviseTokenAuth::SessionsController
    protect_from_forgery except: [:create, :destroy]
  end
end

That hasn't made a difference. The user logs in and it finds the right account:

5:30:54 web.1       |  Started POST "/api/v1/auth/sign_in" for 127.0.0.1 at 2017-07-26 15:30:54 -0400
15:30:54 web.1       |     (2.2ms)  SELECT "schema_migrations"."version" FROM "schema_migrations" ORDER BY "schema_migrations"."version" ASC
15:30:54 web.1       |  Processing by DeviseTokenAuthOverrides::SessionsController#create as JSON
15:30:54 web.1       |    Parameters: {"email"=>"[email protected]", "password"=>"[FILTERED]", "session"=>{"email"=>"[email protected]", "password"=>"[FILTERED]"}}
15:30:54 web.1       |  Unpermitted parameters: :format, :session
15:30:54 web.1       |  Unpermitted parameters: :format, :session
15:30:54 web.1       |    User Load (2.8ms)  SELECT  "users".* FROM "users" WHERE (email = '[email protected]' AND provider='email') ORDER BY "users"."id" ASC LIMIT $1  [["LIMIT", 1]]
15:30:54 web.1       |  Unpermitted parameters: :format, :session
15:30:54 web.1       |  Unpermitted parameters: :format, :session
15:30:54 web.1       |     (0.2ms)  BEGIN
15:30:54 web.1       |    User Exists (0.9ms)  SELECT  1 AS one FROM "users" WHERE "users"."username" = $1 AND ("users"."id" != $2) LIMIT $3  [["username", "lorenzsell"], ["id", 1], ["LIMIT", 1]]

It updates the token:

15:30:55 web.1       |    SQL (1.0ms)  UPDATE "users" SET "tokens" = $1, "updated_at" = $2 WHERE "users"."id" = $3  [["tokens", "{\"vBoF-lps1PSIjD6k9Ac8lg\":{\"token\":\"$2a$10$PM.M5MBN4WpOHL9j3L4xo.PmDjQEHLpCUrXyH.1RhG0lcy.7wiqTy\",\"expiry\":4656771054}}"], ["updated_at", "2017-07-26 19:30:55.030061"], ["id", 1]]

And then at some point it just switches to the previously logged in user:

15:30:55 web.1       |    SQL (0.7ms)  UPDATE "sessions" SET "data" = $1, "updated_at" = $2 WHERE "sessions"."id" = $3  [["data", "BAh7B0kiGXdhcmRlbi51c2VyLnVzZXIua2V5BjoGRVRbB1sGaQGKSSIiJDJh\nJDEwJGtTQUZaSzFaOGFxSXlIcDAuN01CUC4GOwBUSSIRcHJldmlvdXNfdXJs\nBjsARkkiGS9hcGkvdjEvYXV0aC9zaWduX2luBjsAVA==\n"], ["updated_at", "2017-07-26 19:30:55.452004"], ["id", 4500]]
15:30:55 web.1       |     (0.4ms)  COMMIT
15:30:55 web.1       |  Started GET "/api/v1/user" for 127.0.0.1 at 2017-07-26 15:30:55 -0400
15:30:55 web.1       |  Started GET "/api/v1/list_user_communities" for 127.0.0.1 at 2017-07-26 15:30:55 -0400
15:30:55 web.1       |  Processing by Api::V1::UsersController#show as JSON
15:30:55 web.1       |    User Load (0.6ms)  SELECT  "users".* FROM "users" WHERE "users"."id" = $1 ORDER BY "users"."id" ASC LIMIT $2  [["id", 138], ["LIMIT", 1]]
15:30:56 web.1       |     (18.1ms)  SELECT "schema_migrations"."version" FROM "schema_migrations" ORDER BY "schema_migrations"."version" ASC
15:30:56 web.1       |     (0.3ms)  BEGIN
15:30:56 web.1       |    User Exists (0.6ms)  SELECT  1 AS one FROM "users" WHERE "users"."username" = $1 AND ("users"."id" != $2) LIMIT $3  [["username", "lorenzsupermobile"], ["id", 138], ["LIMIT", 1]]

I've tried deleting all the tokens and erasing all data on the react native app and that actually does not fix the issue. I have to restart my computer and log in with a different account that then becomes the primary account and the problem repeats. Is this some sort of cookie issue? I'm very stuck here. Any direction would be super helpful. Thank you.

@zachfeldman
Contributor

Hey @lorenzsell, could you possibly set up a test repo somewhere that replicates this behavior? That would make it much easier for others to debug! Otherwise we'll close this in 7 days if we don't hear from ya - we're trying to clean up the repo (if you need more time, totally let us know, that's not a problem).

@lorenzsell
Author

I think I've figured this out. I wasn't properly making a call to "auth/sign_out" to delete the session on the server. Thank you.
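The symptom in the original report (the "sessions" row still carrying a warden.user.user.key for user 138 while user 1 has just obtained a fresh token) and the fix in the comment above (calling auth/sign_out so the server-side session is dropped) can both be reproduced with a small in-memory model. The code below is an added example, not devise_token_auth's or the reporter's code. It assumes that the application's identity lookup consults the session entry before the access-token header, which is what the log suggests; the AuthModel class, its method names, the two user ids and the e-mail addresses are all constructed for illustration.

```ruby
require 'securerandom'

# Constructed sample accounts; the ids echo the two users seen in the log.
USERS = { 1 => 'first@example.com', 138 => 'second@example.com' }.freeze

# In-memory stand-in for an app that runs Devise (cookie session) and
# devise_token_auth (access-token header) side by side. This is an added
# model, not the library's code; it assumes the identity lookup consults
# the session entry before the token, which is what the log suggests.
class AuthModel
  WARDEN_KEY = 'warden.user.user.key'.freeze

  attr_reader :session

  def initialize
    @session = {}  # server-side session data (the "sessions" row in the log)
    @tokens  = {}  # access-token => user id (the "tokens" column on users)
  end

  # Devise web sign-in: stores the user key in the session.
  def web_sign_in(user_id)
    raise ArgumentError, 'unknown user' unless USERS.key?(user_id)
    @session[WARDEN_KEY] = user_id
  end

  # devise_token_auth-style sign-in: mints a token; leaves the session
  # untouched unless the caller explicitly resets it (the hardened variant).
  def token_sign_in(user_id, reset_session: false)
    raise ArgumentError, 'unknown user' unless USERS.key?(user_id)
    @session.clear if reset_session
    token = SecureRandom.hex(16)
    @tokens[token] = user_id
    token
  end

  # What the reporter was missing: auth/sign_out revokes the token *and*
  # drops the session so no stale warden key survives the next login.
  def sign_out(headers)
    @tokens.delete(headers['access-token'])
    @session.clear
  end

  # Identity resolution: session entry first, then the token header.
  def current_user_id(headers)
    return @session[WARDEN_KEY] if @session.key?(WARDEN_KEY)
    @tokens[headers['access-token']]
  end
end

# Scenario from the issue: a session for user 138 is still on the server,
# then user 1 signs in with a token. The stale session wins.
def stale_session_wins
  app = AuthModel.new
  app.web_sign_in(138)
  token = app.token_sign_in(1)
  app.current_user_id('access-token' => token)
end

# Same flow with an explicit sign_out before the new login.
def sign_out_then_login
  app = AuthModel.new
  app.web_sign_in(138)
  app.sign_out({})
  token = app.token_sign_in(1)
  app.current_user_id('access-token' => token)
end

# Defence in depth: reset the session on every token sign-in as well, so a
# client that skipped sign_out cannot inherit someone else's session.
def reset_on_login
  app = AuthModel.new
  app.web_sign_in(138)
  token = app.token_sign_in(1, reset_session: true)
  app.current_user_id('access-token' => token)
end

if __FILE__ == $PROGRAM_NAME
  puts "without sign_out: user #{stale_session_wins}"   # 138, the old account
  puts "with sign_out:    user #{sign_out_then_login}"  # 1
  puts "reset on login:   user #{reset_on_login}"       # 1
end
```

The third scenario is the one worth carrying into a real app: relying on every client to call sign_out before the next login is fragile, whereas clearing the session when a new identity is established (in a Rails controller that is the `reset_session` method, called in the sign-in and sign-out actions) means a forgotten logout or a deleted app cache cannot leave one user reading another user's data.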

@zachfeldman
Contributor

Ah good to know! Thanks for letting us know how to solve it if someone else has this issue.
