Get previous authenticated user before warden.authenticate! gets called when creating a new session with Devise


Using:

  • Rails 7.1 (with API mode)
  • devise 4.9.3
  • postman for the following tests

First, I logged in as user A with email and password. I got what was expected.

But next, I tried to log in as user B with its email and password, and I got

  • 201 status
  • user A's info (wrong one, it should be B's)
  • user A's session_id in cookies (wrong one, it should be B's)

When I insert a breakpoint before warden.authenticate!(auth_options) in sessions#create and send the request with B's login info, I can already get the previously authenticated user A via warden.user.

Even if Postman sends A's session_id along with B's login info to the server, I should not get A's info. Can anyone please point out any setting or point I need to pay attention to? Thanks

settings:

config/application.rb

module Api
  class Application < Rails::Application
    config.load_defaults 7.1
    config.autoload_lib(ignore: %w(assets tasks))
    config.api_only = true
    config.session_store :active_record_store, key: '_session_id'
    config.middleware.use Rack::MethodOverride
    config.middleware.use ActionDispatch::Cookies
    config.middleware.use config.session_store, config.session_options
  end
end

initializers/devise.rb

Devise.setup do |config|
  config.mailer_sender = '[email protected]'
  require 'devise/orm/active_record'
  config.case_insensitive_keys = [:email]
  config.strip_whitespace_keys = [:email]
  config.skip_session_storage = [:http_auth]
  config.stretches = Rails.env.test? ? 1 : 12
  config.reconfirmable = true
  config.expire_all_remember_me_on_sign_out = true
  config.password_length = 6..128
  config.email_regexp = /\A[^@\s]+@[^@\s]+\z/
  config.reset_password_within = 6.hours
  config.navigational_formats = []
  config.sign_out_via = :delete
  config.responder.error_status = :unprocessable_entity
  config.responder.redirect_status = :see_other
end
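Warden's authenticate! first returns the user already stored in the session for the requested scope and only runs its strategies when none is present, which is why a request that still carries A's valid _session_id cookie is answered with A no matter which credentials are posted. The following is an added example, not code from the question or from Devise/Warden, that models this lookup order with constructed names (USERS, FakeWarden, naive_create, hardened_create) and shows a create helper that logs the scope out before authenticating:

```ruby
# Added example, not code from the question or from Devise/Warden: a pure-Ruby
# model of the lookup order that produces the behaviour described above.
# USERS, FakeWarden and the two create helpers are constructed names.
USERS = { 'a@example.com' => 'secret-a', 'b@example.com' => 'secret-b' }.freeze # constructed

class FakeWarden
  attr_reader :session

  # `session` is a Hash standing in for rack.session (the data behind _session_id).
  def initialize(session)
    @session = session
  end

  # Like Warden::Proxy#user: the identity already stored for the scope, if any.
  def user(scope = :user)
    session["warden.user.#{scope}.key"]
  end

  # Like Warden's authenticate!: an existing session user is returned before any
  # strategy runs, so the posted email/password are never examined.
  def authenticate!(params, scope: :user)
    existing = user(scope)
    return existing if existing

    email, password = params.values_at(:email, :password)
    raise 'invalid credentials' unless USERS[email] == password

    session["warden.user.#{scope}.key"] = email
  end

  # Like Warden::Proxy#logout(scope): drop the scoped session entry.
  def logout(scope = :user)
    session.delete("warden.user.#{scope}.key")
  end
end

# sessions#create as in the question: trusts whatever session the request carries.
def naive_create(session, params)
  FakeWarden.new(session).authenticate!(params)
end

# Hardened create: a login request must not inherit the caller's previous identity,
# so the scope is logged out before the credentials are checked.
def hardened_create(session, params)
  warden = FakeWarden.new(session)
  warden.logout
  warden.authenticate!(params)
end
```

In a Devise controller the equivalent of the hardened variant is calling sign_out(resource_name) (or warden.logout(resource_name)) in sessions#create before warden.authenticate!(auth_options), so the new login is never answered from a session the client happened to present.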
