devise_token_auth: 0.1.43 does not return client and access-token with each response

The latest version now wipes access-token and client for subsequent API requests:

https://github.com/lynndylanhurley/devise_token_auth/blob/00fa5f4507da806f66664787745086ce404d95b4/app/controllers/devise_token_auth/concerns/set_user_by_token.rb#L18

# keep track of request duration
def set_request_start
  @request_started_at = Time.zone.now
  @used_auth_by_token = true

  # initialize instance variables
  @client_id = nil
  @resource = nil
  @token = nil
  @is_batch_request = nil
end

The way we had our application set up was relying on those access tokens being returned as they were in previous releases.

Why was this change added? The commit only mentions passing tests: https://github.com/lynndylanhurley/devise_token_auth/commit/bdcd05e284e7fd0774005248a3239bfc889824c4

About this issue

  • State: open
  • Created 6 years ago
  • Reactions: 5
  • Comments: 29 (14 by maintainers)

Most upvoted comments

Since the update was shipped the client only got a new access-token when the used access-token was expired. So even when I used the access-token 100 times in a row (batched) I get no new access-token.

When the client waits for 5 seconds (default) the next response will give me a new access-token. The problem here is that used and expired tokens are still valid to use a last time for 2 weeks (default) instead of only 5 seconds (normally you have to use the next access-token from the response here).

Before the 1.43 update the access-token was only valid for 2 weeks when it was not used before. And the client got a new access-token for every request it makes.

This is a breaking change for sure.

Workaround for clients: if you have a client, check if your request gives you an empty access-token. If it's empty your old token is still valid and not expired, so you can use it for the next query. When your access-token is expired, your next (and last possible) query with that access-token will give you the next valid access-token.
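The client-side workaround described in this comment, written out as an added example (not code from the devise_token_auth project or from the commenter): the stored credentials are only replaced when the response carries a non-empty access-token header, otherwise the previous token is reused. The header names follow devise_token_auth's defaults; the class name and sample values are constructed.

```ruby
# Added example: a minimal credential store for a devise_token_auth client
# that applies the "empty access-token means keep the old one" rule.
# Header names (access-token, client, uid, expiry) are devise_token_auth's
# defaults; TokenAuthClient and the sample values are constructed here.
class TokenAuthClient
  AUTH_HEADERS = %w[access-token client uid expiry].freeze

  attr_reader :credentials

  # credentials: the headers received at sign-in, e.g.
  # {"access-token" => "...", "client" => "...", "uid" => "..."}
  def initialize(credentials)
    @credentials = credentials.dup
  end

  # Headers to attach to the next request.
  def request_headers
    {
      "access-token" => @credentials["access-token"],
      "client"       => @credentials["client"],
      "uid"          => @credentials["uid"]
    }
  end

  # Merge the headers of a response. Since 0.1.43 the server only sends a
  # new access-token once the used one has expired; an empty or missing
  # header means the current token is still valid and must be reused.
  # Returns :kept or :rotated so callers can log token rotation.
  def update_from_response(response_headers)
    new_token = response_headers["access-token"].to_s
    return :kept if new_token.empty?

    AUTH_HEADERS.each do |name|
      value = response_headers[name].to_s
      @credentials[name] = value unless value.empty?
    end
    :rotated
  end
end
```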

As a workaround for now, we’re going to update the nil lines to the following:

def set_request_start
  @request_started_at = Time.now
  @used_auth_by_token = true

  # initialize instance variables
  @client_id ||= nil
  @resource ||= nil
  @token ||= nil
  @is_batch_request ||= nil
end