devise: DisabledSessionError when using authenticate_user! api only

Pre Check

  • Create a new Rails 7 app: rails new test_app --api
  • Add Devise
  • Run rails g devise:install
  • Run rails g devise User
  • POST to /users and see the error stated below

Environment

  • Ruby 3.0.0
  • Rails 7.0.0
  • Devise 4.8.1

Current behavior

When using authenticate_user! on a controller in a Rails API-only app, I am getting the following error: ActionDispatch::Request::Session::DisabledSessionError (Your application has sessions disabled. To write to the session you must first configure a session store):

Expected behavior

It should throw fail or success on warden depending on if the user is signed in or not.

About this issue

  • State: open
  • Created 3 years ago
  • Reactions: 10
  • Comments: 19 (1 by maintainers)

Most upvoted comments

I understand that Devise relies heavily on warden etc which rely on sessions, or a fake version of it at least. Thus, we’ve circumvented this by creating this concern/module that we have included in the relevant Devise-related controllers in our app:

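module RackSessionFixController
  extend ActiveSupport::Concern

  # Hash-backed stand-in for the Rack session; it lives only in the
  # current request's env.
  class FakeRackSession < Hash
    # Report the session as disabled to callers that check enabled?.
    def enabled?
      false
    end
  end

  included do
    before_action :set_fake_rack_session_for_devise

    private

    # Install the fake session only when no session object is set yet.
    def set_fake_rack_session_for_devise
      request.env['rack.session'] ||= FakeRackSession.new
    end
  end
end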

If the Devise maintainers like it, we (AKA me or my team) can integrate this into Devise itself (e.g. allowing that logic to happen when API mode is enabled) and expand the test suite accordingly.

@carlosantoniodasilva WDYT ?

No news 😃, but thanks for putting it on my radar again, I’ll try to take a better look at the problem and the proposed solution(s) here. Thanks.

FYI, I am preparing a PR for this issue. To begin with, we’ll have a fork with the fix applied which is slightly better than the module-drop-in there, but I really want to make it upstream into the official branch.

@NfoCipher I was waiting for an OK here to create the PR. BUT, since I got no answer … I’ll create the PR so that at least people can have a branch to point to, and will push to get it merged…

@arpu you need to drop that module I wrote in my earlier comment and include it in the SessionControllers. If @carlosantoniodasilva or another maintainer can suggest their acceptance, I can for sure make it included in Devise itself so that it’s automatic.

In case this helps someone, you’ll also need to pass in store: false for logging in.

This needs to be added to the controller inherited from Devise::SessionsController

  def auth_options
    super.merge({store: false})
  end
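
The two workarounds from this thread (the FakeRackSession concern and store: false), modelled in plain Ruby as an added example; this is not code from Devise, Warden, Rails or any commenter. DisabledSession, session_for, sign_in, handle_request and SESSION_KEY are simplified stand-ins, and the lookup and write order they model is an assumption that covers only the single session write at sign-in.

```ruby
# Added illustration: plain-Ruby stand-ins, not Rails, Devise or Warden code.
class DisabledSessionError < StandardError; end

# Stand-in for the session an API-only app hands out: reads are empty, writes raise.
class DisabledSession
  def [](_key)
    nil
  end

  def []=(_key, _value)
    raise DisabledSessionError, "Your application has sessions disabled."
  end
end

# The workaround class from the concern earlier in the thread.
class FakeRackSession < Hash
  def enabled?
    false
  end
end

SESSION_KEY = "warden.user.user.key" # constructed key name for this model

# Assumed lookup: use env["rack.session"] if present, else the disabled default.
def session_for(env)
  env["rack.session"] ||= DisabledSession.new
end

# Simplified sign-in: write the user to the session unless store: false.
def sign_in(env, user_id, store: true)
  session_for(env)[SESSION_KEY] = user_id if store
  env["model.current_user"] = user_id
end

# One request with a fresh env. Returns the outcome and whatever ended up
# in the per-request fake session (nil when no fake session was installed).
def handle_request(fix:, store:)
  env = {}
  env["rack.session"] ||= FakeRackSession.new if fix # the before_action
  sign_in(env, 42, store: store)
  written = env["rack.session"].to_h if env["rack.session"].is_a?(Hash)
  [:signed_in, written]
rescue DisabledSessionError
  [:disabled_session_error, nil]
end
```

In this model the fake session exists only in one request's env, so nothing is carried over to the next request and every API call has to authenticate on its own; with store: false the user is not written into it at all.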