wardencommunity/warden

Warden::Strategies::Base#authenticate! documentation is ambiguous

alan-pie opened this issue · 5 comments

There is an issue with the devise-doorkeeper gem that causes the warden.authenticate call to throw when an invalid token is passed.

Devise::Controllers::Helpers#user_signed_in? calls Warden::Proxy#authenticate, which ultimately calls Devise::Doorkeeper::Strategies::Doorkeeper#authenticate!, which throws if a given token is invalid.

I believe user_signed_in? and Warden::Proxy#authenticate are intended to be passive auth checks and should not throw. I'm not sure if this is a problem with the implementation of the Strategy or with the implementation of Warden::Proxy#run_strategies_for. I notice that the Strategies wiki does not mention using throw :warden but the Failures wiki does. The documentation on Warden::Strategies::Base is ambiguous.

Does Warden expect that a Strategy's authenticate! method should throw in this case? If it does expect that, shouldn't authenticate handle that to ensure the check is passive? If not, I can update the documentation.

@alan-pie were you able to find the solution for this issue?

No, unfortunately not. Both projects seem dead.

Warden is stable. I wouldn't mistake that for dead. If we have a test case that proves a change will not break downstream dependencies, we will take the patch.
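The control flow raised in this thread, as an added plain-Ruby model that is not part of the original issue and is not Warden's or devise-doorkeeper's code: one strategy throws :warden on an invalid token, the other records a failure and returns, and a passive check is run over each. ToyStrategy, ThrowingStrategy, FailingStrategy, passive_authenticate, handle_request and the token table are hypothetical names and constructed data; the model assumes the caller sits under a catch(:warden) boundary.

```ruby
# Simplified model of the control flow in this issue; not Warden's source.
# All class and method names below are hypothetical.
VALID_TOKENS = { "good-token" => "alice" }.freeze # constructed sample data

class ToyStrategy
  attr_reader :user, :result
  def initialize(token)
    @token = token
  end
  def success!(user)
    @user = user
    @result = :success
  end
  def fail!(message)
    @message = message
    @result = :failure
  end
end

# Variant A: throws on an invalid token, the behaviour the issue reports.
class ThrowingStrategy < ToyStrategy
  def authenticate!
    user = VALID_TOKENS[@token]
    throw(:warden, message: :invalid_token) unless user
    success!(user)
  end
end

# Variant B: records the failure and returns control to the caller.
class FailingStrategy < ToyStrategy
  def authenticate!
    user = VALID_TOKENS[@token]
    user ? success!(user) : fail!(:invalid_token)
  end
end

# Passive check: runs the strategy and returns the user or nil.
def passive_authenticate(strategy)
  strategy.authenticate!
  strategy.user
end

# Stand-in for a controller action running under a catch(:warden) boundary.
def handle_request(strategy_class, token)
  catch(:warden) do
    user = passive_authenticate(strategy_class.new(token))
    return user ? :page_for_user : :page_for_guest
  end
  :failure_response # reached only when something inside threw :warden
end
```

With the throwing variant, an invalid token never reaches the guest branch: the throw unwinds past the passive check to the nearest catch(:warden), or raises UncaughtThrowError when there is none.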