-
Notifications
You must be signed in to change notification settings - Fork 40
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
concurent use of logging, via password and passwordless, missed case #42
Comments
What do your routes look like? Annoyingly there does need to be separate paths for password vs passwordless logins because they use different SessionsControllers. In the spec you mentioned and in the README it's done like this: devise-passwordless/spec/dummy_app_config/shared_source/all/config/routes.rb Lines 34 to 41 in adc78bb
That spec runs on every commit, and it does pass. You can test locally with https://github.com/nektos/act |
ok thank you... I guess it will be something about my current setup then..
so I'll try with 2 définitions of devise_for in routes.rb. What I didn't get is how, by declaring 2 routing paths for the 2 separate sign in strategy, it will help prevent this bug from happening. |
I could not identify the problem but it might be because of my custom implementation. It still does not work with a custom namespace but anyway, I managed to find a solution go around this problem. I guess I can close the issue |
Sorry kinda slammed at the moment but would like to look into this later to make this work for your use case better. Not sure when I'll be able to dig in more, possibly next week |
Thank you, at the moment, as a workaround, guest user have a long password and cannot reset it, and customer users won't have access to passwordless login via UI, even if they find the api endpoint to send the mail, we think it's not a huge problem |
Allow combined use of database authentication and magic link authentication with dynamic activation of each strategy. Disabling magic link for a given user should not invalidate a session opened with another strategy.
I encountered the same issue as loicginoux, who had the correct analysis: when activating both database_authenticable and magic_link_authenticatable and making active_for_magic_link_authentication? return false on the User model made password authentication inoperable, because the warden hook does reset the session when active_for_magic_link_authentication? returns false without testing the actual source of successful authentication. I published pull request #47 as an attempt to fix the issue by testing the winning strategy in the after_set_user hook. I also added a test case to cover this scenario. I am not especially familiar with the inner workings of Devise and Warden, so not totally sure my approach here is correct; for now at least I have not observed any negative side effects, and I do not think the fix should affect existing setups. |
@tbelliard Thanks very much for digging in and providing the fix! Fantastic work. I have merged it. @loicginoux Merging the PR seems to have auto-closed the issue, however if you feel this didn't resolve your problem feel free to reopen. I appreciate you reporting this issue. |
Hello,
I see you recently fixed this issue #13
In my case it seems like there is a missing case in which the current implementation does not seem to work.
I have a model User, with 2 roles (guest and customer).
I want user with role guest to be able to login only via passwordless strategy
I want user with role customer to be able to login only via password strategy
I tried with something like this:
but it seems like when I sign in with a customer user, and a valid password, the callback defined in
devise-passwordless-1.0.1/lib/devise/hooks/magic_link_authenticatable.rb
on
after_set_user
it will tryuser.active_for_magic_link_authentication?
and will return false.I will then have an error response like "you are not a guest user" (my custom message coming from
magic_link_inactive_message
).Is there something I missed or it's not possible to use both strategy conditionnally on the same resource ?
I think you miss a case in your specs https://github.com/abevoelker/devise-passwordless/blob/adc78bb90d6fee55490bb712a0a373c056ce190b/spec/dummy_app_config/shared_source/all/spec/system/combined_user/sign_in_spec.rb
I would say this should pass and it does not currently.
version used: v1.0.1
The text was updated successfully, but these errors were encountered: