Sign out doubt
Closed this issue · 3 comments
When you wrote at the end of the article that we couldn't log out anymore using the current_api_key because we could not see them anymore, what did you mean? Because one of the changes you did was making the destroy use :authenticate_with_api_key!, which means it goes through the code that sets the current_api_key, so what is the problem in using the same current_api_key&.destroy!?
Love the article by the way!
Thanks for the kind words! I guess the post may be worded a bit weirdly — the original way of revoking an API key works, but only if you currently have that API key. If you don't know the API key, then there's no way to revoke old keys, since the token can't be read and can't be used in the Authorization header. This is problematic, for example, when an API key is compromised or lost and needs to be revoked.
Before, you could simply list the user's API keys and then revoke any API key using the key's token value. This doesn't work after the change. So tokens are now revoked by ID, since that is able to be obtained via listing the user's API keys.
Well, you deserve them; very few people talk about these kinds of topics, and I'm glad I saw your post.
So in the regular scenario, let's say a Vue.js frontend that stores the key in localStorage: if localStorage gets emptied and the api_key gets lost and the user needs to log in again, we would be leaving the previous token orphaned. But if we implement an AUD claim (I saw the concept in devise-jwt), which identifies the device and browser from where the login happened, then if it's the same device you can just delete the previous one and keep the new one, for example.
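The two points raised in this thread, the author's explanation that a hashed key can only be revoked by ID once its plaintext is gone, and the device-scoped replacement suggested in the comment above, as one added example in plain Ruby. This is not code from the article or from anyone in the thread: `ApiKeyStore`, `issue`, `authenticate`, `keys_for`, `revoke`, `rotate_for_device` and the `device` label are assumed names, and the in-memory `ApiKey` struct stands in for the ActiveRecord model.

```ruby
require "securerandom"
require "digest"

# Stand-in for an ActiveRecord ApiKey row (constructed for this example, not the
# article's model). Only the SHA-256 digest of the token is stored; the plaintext
# token exists only in the response that issued it.
ApiKey = Struct.new(:id, :user_id, :token_digest, :device, :revoked, keyword_init: true)

class ApiKeyStore
  def initialize
    @records = []
    @next_id = 1
  end

  # Issue a key. Returns [plaintext_token, record]; the plaintext is shown once.
  def issue(user_id:, device: nil)
    token = SecureRandom.hex(32)
    record = ApiKey.new(id: @next_id, user_id: user_id, token_digest: digest(token),
                        device: device, revoked: false)
    @next_id += 1
    @records << record
    [token, record]
  end

  # Authenticate a bearer token: hash it and look the digest up, which mirrors a
  # DB lookup on an indexed digest column. Returns the owning user_id or nil.
  def authenticate(token)
    d = digest(token)
    record = @records.find { |r| r.token_digest == d && !r.revoked }
    record&.user_id
  end

  # What a "list my keys" endpoint can return: ids and digests, never tokens.
  def keys_for(user_id)
    @records.select { |r| r.user_id == user_id && !r.revoked }
  end

  # Revoke by ID, scoped to the owner so a user cannot revoke someone else's key.
  def revoke(user_id:, id:)
    record = @records.find { |r| r.user_id == user_id && r.id == id && !r.revoked }
    return false unless record
    record.revoked = true
    true
  end

  # Device-scoped replacement (the "aud"-style idea from the thread): a new login
  # from the same device revokes that device's previous key instead of orphaning it.
  def rotate_for_device(user_id:, device:)
    keys_for(user_id).select { |r| r.device == device }.each { |r| r.revoked = true }
    issue(user_id: user_id, device: device)
  end

  private

  def digest(token)
    Digest::SHA256.hexdigest(token)
  end
end

# Walk-through of the thread's scenario: the phone's plaintext token was lost
# (e.g. localStorage cleared), so that key can only be revoked by its ID.
def demo
  store = ApiKeyStore.new
  _laptop_token, laptop_key = store.issue(user_id: 1, device: "laptop")
  _phone_token, phone_key = store.issue(user_id: 1, device: "phone")

  listed_ids = store.keys_for(1).map(&:id)                      # [1, 2]
  digest_as_token = store.authenticate(phone_key.token_digest)  # nil: a digest is not a token
  foreign_revoke = store.revoke(user_id: 2, id: phone_key.id)   # false: wrong owner
  own_revoke = store.revoke(user_id: 1, id: phone_key.id)       # true
  remaining_ids = store.keys_for(1).map(&:id)                   # [1]

  { listed_ids: listed_ids, digest_as_token: digest_as_token, foreign_revoke: foreign_revoke,
    own_revoke: own_revoke, remaining_ids: remaining_ids, laptop_id: laptop_key.id }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

In a Rails controller the equivalent of `revoke` is looking the key up through the owning user's association (e.g. `current_user.api_keys.find(params[:id])`) rather than `ApiKey.find`, so the ownership check is a query constraint instead of a separate comparison that can be forgotten.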
Nice blog! Thanks for sharing!