Devise-jwt unable to find active session after 2nd login


I'm working on creating an API app only (no views). I've installed Devise and the Devise-JWT gem for authentication https://github.com/waiting-for-dev/devise-jwt. When running the server locally I can sign up and an active session can be found that gives me my users/1 endpoint "show" OR, if I seeded the database, I can sign in once and have an active session found.

After I log out and log in again and make a GET request on the User show method, it comes back with an error, and if I log out then an error states that an active session is not found.

```ruby
class Users::SessionsController < Devise::SessionsController
  respond_to :json

  private

  def respond_with(resource, _opts = {})
    render json: {
      status: { code: 200, message: 'Logged in successfully.' },
      data: UserSerializer.new(resource).serializable_hash[:data][:attributes]
    }, status: :ok
  end

  def respond_to_on_destroy
    if current_user
      render json: {
        status: 200,
        message: 'logged out successfully'
      }, status: :ok
    else
      render json: {
        status: 401,
        message: "Couldn't find an active session."
      }, status: :unauthorized
    end
  end
end
```

```ruby
class Users::RegistrationsController < Devise::RegistrationsController
  respond_to :json

  private

  def respond_with(resource, _opts = {})
    if resource.persisted?
      render json: {
        status: { code: 200, message: 'Signed up successfully.' },
        data: UserSerializer.new(resource).serializable_hash[:data][:attributes]
      }
    else
      render json: {
        status: { message: "User couldn't be created successfully. #{resource.errors.full_messages.to_sentence}" }
      }, status: :unprocessable_entity
    end
  end
end
```

A link to my feature branch is here: https://github.com/AKeeganDev/client_relationship_manager_back_end/tree/api-endpoints

Forgive me if I have not provided enough info. I am new to rails, ruby, and JWT. This is also my first post. I did my best to google this over days and search this site, but I have yet to find a solution to what I've done wrong and why. Thank you!

I've tried removing/altering the protect_from_forgery line and adjusting the ApplicationController:

```ruby
class ApplicationController < ActionController::Base
  protect_from_forgery except: :sign_in
  before_action :configure_permitted_parameters, if: :devise_controller?

  respond_to :json

  protected

  def configure_permitted_parameters
    devise_parameter_sanitizer.permit(:sign_up, keys: %i[username name])
  end
end
```

Removing protect_from_forgery adds more issues regarding CSRF authenticity.

A new Bearer token and jti are created in the database and sent in the fetch header every time, but for some reason only the very first Bearer token works, and never any of the tokens that are made after the first session is terminated.

There is 1 answer below.

I fixed the issue. I had a line that included JTIMatcher as my revocation strategy. By changing it appropriately to Denylist I was able to log in and log out freely again after the first session.

My User model now looks like this:

```ruby
class User < ApplicationRecord
  # Include default devise modules. Others available are:
  # :confirmable, :lockable, :timeoutable, :trackable and :omniauthable
  include Devise::JWT::RevocationStrategies::Denylist

  devise :database_authenticatable, :registerable,
         :recoverable, :rememberable, :validatable,
         :jwt_authenticatable, jwt_revocation_strategy: JwtDenylist

  has_many :contacts, dependent: :delete_all
  has_many :logs, through: :contacts

  validates :name, :username, presence: true, length: { minimum: 1 }

  def first_five_contacts
    contacts.order(created_at: :desc).limit(5)
  end
end
```
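To show what the Denylist strategy from the answer above actually buys you (a stateless JWT stays valid until `exp` unless the server records its `jti` as revoked at logout), here is an added, self-contained Ruby model of login, logout and re-login; it is illustration code, not devise-jwt's own, and the `JwtSession` class, its secret and the in-memory denylist standing in for the `jwt_denylist` table are all assumptions.

```ruby
require 'openssl'
require 'json'
require 'securerandom'

# Hypothetical model of JWT login/logout with a denylist revocation strategy
# (the idea behind devise-jwt's Denylist). Added for illustration only.
class JwtSession
  SECRET = 'constructed-test-secret'.freeze # constructed value for the demo only

  def initialize
    @denylist = {} # jti => exp (Unix time); stands in for the jwt_denylist table
  end

  # Every login mints a token carrying a fresh, random jti claim.
  def issue(user_id, ttl: 3600, now: Time.now.to_i)
    claims = { sub: user_id, jti: SecureRandom.uuid, exp: now + ttl }
    input = "#{b64({ alg: 'HS256', typ: 'JWT' }.to_json)}.#{b64(claims.to_json)}"
    "#{input}.#{sign(input)}"
  end

  # Returns the claims when signature, expiry and denylist all pass, else nil.
  # The verifier pins HS256 instead of trusting the header's alg field.
  def authenticate(token, now: Time.now.to_i)
    head, body, sig = token.to_s.split('.')
    return nil unless head && body && sig && same?(sig, sign("#{head}.#{body}"))
    claims = JSON.parse(body.tr('-_', '+/').unpack1('m'))
    return nil if claims['exp'] <= now || @denylist.key?(claims['jti'])
    claims
  end

  # Logout: park the jti on the denylist until the token would expire anyway.
  def revoke(token, now: Time.now.to_i)
    claims = authenticate(token, now: now) or return false
    @denylist[claims['jti']] = claims['exp']
    true
  end

  # Housekeeping: entries whose exp has passed can be dropped; returns rows kept.
  def purge_expired(now: Time.now.to_i)
    @denylist.delete_if { |_, exp| exp <= now }.size
  end

  def b64(str) # URL-safe base64 without padding, as JWT requires
    [str].pack('m0').tr('+/', '-_').delete('=')
  end
  def sign(input) # HS256 signature over "header.payload"
    b64(OpenSSL::HMAC.digest('SHA256', SECRET, input))
  end
  def same?(a, b) # constant-time compare so signature checks do not leak timing
    a.bytesize == b.bytesize && a.bytes.zip(b.bytes).sum { |x, y| x ^ y }.zero?
  end
end
```

Each login gets a new `jti`, so a second login works even though the first token's `jti` sits on the denylist; a JTIMatcher-style strategy instead keeps one `jti` per user row and rotates it on logout, which is the column the asker's first attempt depended on.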