Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

User can not be loaded from other_sources when session expires in current request #89

Closed
infernalmaster opened this issue Oct 29, 2017 · 2 comments
Closed

User can not be loaded from other_sources when session expires in current request #89

infernalmaster opened this issue Oct 29, 2017 · 2 comments

Comments

@infernalmaster
Copy link
Contributor

I'm using such submodules:

[:remember_me, :reset_password, :user_activation, :brute_force_protection, :session_timeout, :activity_logging]

I logged in with remember_me option. And leaved tab opened for more that 1 hour. Then I reloaded page and was redirected to login page. Then I reloaded page again and I was logged in. So I started digging code and found this:

sorcery/lib/sorcery/controller/submodules/session_timeout.rb

Line 38 in 4e3fcdb

def validate_session 

        base.prepend_before_action :validate_session

          def validate_session
            session_to_use = Config.session_timeout_from_last_action ? session[:last_action_time] : session[:login_time]
            if session_to_use && sorcery_session_expired?(session_to_use.to_time)
              reset_sorcery_session
              # USER IS DEFINED THERE
              @current_user = nil     
            else
              session[:last_action_time] = Time.now.in_time_zone
            end
          end

sorcery/lib/sorcery/controller.rb

Line 82 in a873231

def current_user 

      def current_user
        unless defined?(@current_user)
          # USER IS DEFINED SO THIS WILL BE SKIPPED IN CURRENT REQUEST
          @current_user = login_from_session || login_from_other_sources || nil
        end
        @current_user
      end

So maybe remove_instance_variable :@current_user if defined? @current_user will be better option. And IMHO this should be done everywhere where user is settled to nil.

And also I found this place. I don't understand the reason of that ELSE block:

sorcery/lib/sorcery/controller/submodules/remember_me.rb

Line 70 in 4e3fcdb

@current_user = false

@Ch4s3
Copy link
Contributor

Ch4s3 commented Nov 28, 2017

would you be willing to submit a quick PR for this @infernalmaster?

infernalmaster added a commit to infernalmaster/sorcery that referenced this issue Nov 28, 2017
@infernalmaster
Allow user to be loaded from other source when session expires. fix S…
46aefce 
…orcery#89
@infernalmaster
Copy link
Contributor Author

I'm not very satisfied with my PR, because I think that check defined?(@current_user) inside current_user method is not very obvious solution. I would better rewrite that logic but I don't have enogh time to do it right and don't want to break something

@Ch4s3 Ch4s3 mentioned this issue Nov 28, 2017
Merged
@Ch4s3 Ch4s3 closed this as completed in 3206288 Nov 28, 2017
ebihara99999 pushed a commit to ebihara99999/sorcery that referenced this issue Mar 10, 2018
@infernalmaster @ebihara99999
Allow user to be loaded from other source when session expires. fix S…
3a8632e 
…orcery#89 (Sorcery#94)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@infernalmaster @Ch4s3