Devise: Why does 'sign_in user, store: false' update the user's record for every call

Created on 27 Jul 2017 · 3 Comments · Source: heartcombo/devise

I call 'sign_in user, store: false' to authenticate my API user with a Rails before_action filter (see code below).

Each time the sign_in is run, I get

   (0.6ms)  BEGIN
  SQL (0.6ms)  UPDATE "users" SET "last_sign_in_at" = $1, "current_sign_in_at" = $2, "sign_in_count" = $3, "updated_at" = $4 WHERE "users"."id" = $5  [["last_sign_in_at", "2017-07-27 09:09:06.067590"], ["current_sign_in_at", "2017-07-27 09:09:34.154942"], ["sign_in_count", 867], ["updated_at", "2017-07-27 09:09:34.175068"], ["id", 1]]
   (4.2ms)  COMMIT

Even though I DID set store to false.

  • Is this the expected behavior?
  • Is this a wrong way to go to authenticate an API user in an application that has a plain HTML interface PLUS an API interface?
   ...
    def authenticate_user_from_token!
      if request.headers["HTTP_X_API_TOKEN"]
        @token = JSON.parse(request.headers["HTTP_X_API_TOKEN"])
        logger.debug("api_token: #{@token}")

        if !@token['api_token'] || !@token['api_subject']
          render json: {
            error: "missing token or subject key"
          }, status: :unauthorized
        else
          email = @token['api_subject']
          token = @token['api_token']

          user = User.find_by_email(email)
          if user && Devise.secure_compare(user.authentication_token, token)
            sign_in user, store: false
          end
        end
      else
        render json: {
          error: "missing token"
        }, status: :unauthorized
      end
    end

All 3 comments

I encountered the same where store: false has no effect.

Overriding update_tracked_fields! in User model resolved it:

def update_tracked_fields!(request)
end

Update:
Another solution, which might be better, is to skip trackable module updates at the controller level:

class Api::BaseController < ApplicationController
  # before_action replaces before_filter, which was removed in Rails 5.1
  before_action :skip_trackable
  before_action :authenticate_user!

  def skip_trackable
    request.env['devise.skip_trackable'] = true
  end
end

Thanks @abarrak for this tip, I'm sorry to have missed your answer until now. I will try this out soon.

The store: false is an option for warden to not create a session. The update you are pointing out is, as @abarrak pointed out, coming from the trackable module which, as the name suggests, tracks user logins. This is all working as intended.
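
A simplified plain-Ruby model of the behaviour explained in the comments above, added here as an illustration (it is not Devise or Warden code; `ModelUser`, `ModelWarden` and `simulate` are hypothetical names). It assumes the tracking hook is skipped only when the user is restored from the session (event `:fetch`) or when `devise.skip_trackable` is set, which is why a sessionless API that signs in on every request writes the tracked fields every time.

```ruby
# Simplified model of the Warden/Devise interaction (constructed; not library code).
class ModelUser
  attr_reader :sign_in_count

  def initialize
    @sign_in_count = 0
  end

  # Stands in for Trackable's update_tracked_fields!, i.e. the UPDATE seen in the log.
  def update_tracked_fields!(_request)
    @sign_in_count += 1
  end
end

class ModelWarden
  def initialize(session, env)
    @session = session # survives across requests (the cookie session)
    @env = env         # per-request Rack env
    @user = nil
  end

  # store: false only skips writing the user into the session.
  def set_user(user, store: true, event: :set_user)
    @user = user
    @session[:user] = user if store
    # Models the trackable hook: it runs for every event except :fetch.
    return if event == :fetch || @env['devise.skip_trackable']
    user.update_tracked_fields!(nil)
  end

  # A later request restores the user from the session with event :fetch.
  def user
    set_user(@session[:user], event: :fetch) if @user.nil? && @session[:user]
    @user
  end
end

# Runs `requests` requests against one session and returns the number of tracked writes.
def simulate(requests:, store:, skip_trackable: false)
  user = ModelUser.new
  session = {}
  requests.times do
    env = skip_trackable ? { 'devise.skip_trackable' => true } : {}
    warden = ModelWarden.new(session, env)
    warden.set_user(user, store: store) unless warden.user # sign in only if not restored
  end
  user.sign_in_count
end
```

With three requests, `store: false` produces three tracked writes, a stored session produces one, and setting `devise.skip_trackable` produces none.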
