Rodauth::Rails.authenticated does not protect the page in some cases

[Halvanhelv]

Hi! @janko I am still actively implementing rodauth-rails and am happy with it but a question has arisen

I have encountered a situation where I am using Rodauth::Rails.authenticated in the routes.rb file to secure routes that require user authentication. However, I have found that when closing the user account via the console and then attempting to log in to the protected page, Rodauth::Rails.authenticated approves the request. This causes an error of not having a current_account, as most secure pages require one.

That said, if I navigated to an unsecured page and then tried to log back into the secured page,Rodauth::Rails.authenticatedworked correctly, redirecting me to the login page.

After examining the source code of Rodauth::Rails.authenticated, I concluded that the problem was probably related to session cookies.

To solve this problem, I plugged in the active_sessions functionality, expecting that deleting all active_sessions entries from a closed account would solve the problem. But this approach did not bring the desired result. I even tested the functionality of active_sessions for the active account: I logged into the account through several browsers and deleted the active_sessions records of this account. However, this had no effect on the authorization state, which raised additional questions: how does the "logout from all devices" feature work if deleting active_sessions has no effect on the authorization state?

Maybe I am missing some important aspects? Could you please help me to understand this situation?

Thank you!

[janko]

The Rodauth::Rails.authenticated constraint calls rodauth.require_authentication, which will not check whether the account exists in the database. I might change it to call rodauth.require_account in the next major version, as that's what I'm recommending in the docs, since most Rails devs are fine with retrieving the account record on each request (that's what Devise does). You can have that now with Rodauth::Rails.authenticated(&:rails_account), which also checks the presence of the account.

As for active_sessions, that's what's generally recommended if you want to be able to delete accounts from the console, and have the app handle that. For Rodauth to actually do the checking of whether the current session is active, you need to call rodauth.check_active_session at the top of your Rodauth app's route block. Are you doing that?

# app/misc/rodauth_app.rb
class RodauthApp < Rodauth::Rails::App
  route do |r|
    rodauth.check_active_session
    r.rodauth
  end
end

[Halvanhelv]

Yes, I forgot to write that I tried something like Rodauth::Rails.authenticated(&:rails_account) but since the additional conditions passed in this way are checked only after checking for a session where a redirect is possible, the additional condition will not trigger a redirect to the /login page but will return 404

[janko]

Oh, right, in this case a custom constraint where you call require_account should fix it:

constraints -> (r) { r.env["rodauth"].require_account } do
  # ...
end

The require_account method will actually clear the session and redirect to login page if the account doesn't exist.

[Halvanhelv]

Unfortunately because of require_account_session which is called from require_account and contains:

      unless account_from_session
        clear_session
        login_required
      end

returns nil and accordingly even if I am logged in I cannot access the protected page.

[janko]

Ah, yes, my tired brain thought unless account_from_session ... end will return the value of the condition if truthy 🤦🏻‍♂️ Then you'll need multiple statements:

constraints -> (r) { r.env["rodauth"].require_account; r.env["rodauth"].authenticated? } do
  # ...
end

In the next release, I plan to add a new Rodauth::Rails.authenticate constraint that calls rodauth.require_account and deprecate Rodauth::Rails.authenticated. The former name is IMO better anyway, because it communicates that it will require authentication, while the latter sounds like it will only check whether the user is authenticated, otherwise it will not route the request (like Devise's authenticated behaves).

[Halvanhelv]

In fact, both require_account_session and require_authentication return nil

[Halvanhelv]

Yes, it works now, thanks for your hard work, will keep an eye out for updates

[Halvanhelv]

Oh, I guess I rushed into it.

invalid account id passed to account_ds.

if i try to access a closed page😔

This is due to account_from_session

    unless account_from_session
       clear_session
       login_required
     end

[janko]

This error means account_from_session was called when there was no account ID in the session data. I'm not sure how this happened, because that means the user was not logged in, so require_authentication that's called before require_account_session should have redirected to the login page, and require_account_session should not have been called.

I tried this now in the official demo app with active_sessions feature disabled, and I got a clean login required redirect after closing the account from the console. So, I'm not able to reproduce this.

RodauthApp.rodauth.configure { enable :internal_request }
RodauthApp.rodauth.allocate.post_configure
RodauthApp.rodauth.close_account(account_login: "[email protected]")

Could you create a minimal Rails app demonstrating the issue, so that I can take a look at it?