DELETE /users/sign_out returns 204 without any JWT in request

[christophweegen]

When i make a DELETE /users/sign_out request without any or with an already revoked JWT in the header, i get a 204 No-Content response.

This is the same status code i get, when i sign out a user with a valid token.

Is this intended behavior?

Shouldn't it return a 400 Bad Request or similar, when trying to sign out without any token or with an already revoked one?

Returning a 204 in either case could lead to the false assumption that the user is logged out / the JWT is invalid from now on, when actually none of that actually happened and could be dangerous if you still have a valid JWT in the browser.

For example if the developer forgets to send the JWT in the header and your frontend ajax relies on the 204 code to display smth. like "Successfully signed out." it will display the message, even if you're not signed out and the token is still valid and can be reused.

One can argue it is up to the developer to make sure to include the JWT in the request. But in development there's no easy way to make sure you actually send the JWT in the request other than by making a new authenticated request again and see if it passes or constantly checking your request header.

And then you still can't be sure if you're token got revoked or be sure if you actually sent a fresh token and not a stale one, because you're always getting the same status code in any of these cases.

Additionally a 204 is in the 2xx Success range. Returning a 204 when actually nothing successfully ( regarding a sign out / revoking a token ) happened, is misleading in terms of http semantics too, if you want to be nitpicky :-)

This behavior is actually in plain devise too. Tried to make an unauthenticated sign_out request like described above to a browser based app and it returns a 204 too. If you're using devise like usual in a browser based app the problem of missing auth is not a big problem there, since the session cookie always gets send with your request automatically.

So this issue is maybe smth. for the devise issue tracker, but i don't think anyone would give it a closer look since it's only a problem in an api app. So I thought it will maybe get more resonance here.

If you think its an issue worth opening on devise, please let me know. I will open it there too then..

Thanks!

[waiting-for-dev]

Hi @christophweegen ,

I'm afraid there isn't too much we can do from our end.

Sign out action is under authentication, so if someone requests it without valid credentials (a valid JWT in our case, but it could be any authentication strategy) the response should be 401 unauthenticated.

devise-jwt doesn't extend nor monkey patch devise controllers. It just has a middleware which revokes a token if it is present in a configured request (the sign out devise request by default). So I think that if you want it to be fixed you should open an issue in devise itself. It would be nice if you cross-reference here so we can easily keep track of its evolution.

[christophweegen]

Hey @waiting-for-dev,

of course you're right. 401 makes most sense in general. Whereas a revoked token could return a 403 Forbidden too, since the user can still be authenticated by the token, but his actions are forbidden, since the token isn't valid anymore.

But whatever, these would be details. A plain 401 would suffice in general to provide feedback about the validity of the JWT.

I will open an issue under devise and post the link here.

Thanks and a nice weekend :-)

[waiting-for-dev]

Whereas a revoked token could return a 403 Forbidden too, since the user can still be authenticated by the token, but his actions are forbidden, since the token isn't valid anymore.

For now we'll continue with 401 unauthorized to keep things simple, because it is also an unauthorization as the credentials are not valid. A "revoked token" error message is currently returned so a developer can still differentiate cases if she wishes.

Going to close it and keep an eye in devise issue.

Thanks for reporting and have a nice weekend, too 😄

[christophweegen]

Thanks.. :-)

Actually i would like to contribute more to devise-jwt.

Until now i only "leeched" from open source, i have the feeling it's time for me to give smth. back too.

Since i take a lot of value from devise-jwt and want to use it in my projects on a regular base, i guess this is a good way to prove myself grateful. :-)

Some thoughts and ideas that drive me around right now:

• Additionally there was no easy and standard way for JWT auth in rails, when i researched for it, at least not as a complete auth solution like devise. So I think this is quite a gap to fill and I could provide real value by contributing, instead of reinventing the wheel on something else, since devise-jwt is already the best solution so far IMHO.

• As far as I have seen devise had once a token based auth mechanism but they removed it, so i guess they're not interested to implement a JWT auth mechanism in devise any time soon.

• Opened an issue there, that it would be quite nice if devise "flash" messages could be included in the json response, so you could emulate that functionality in your frontend for an API-only app too. The answer didn't sound very excited about this proposal, but the issue is still open and I'm waiting for another answer.

• If they reject it, maybe it would be a useful enhancement to devise-jwt, since it's primary purpose is to authenticate an API, right? So there's no real solution to include devise's messages into the json response right now, which would be a little bit of waste IMHO if you can't make use of that functionality.
  I'm not really into the warden/devise internals until now, but maybe theres a possibility to inject the "flash" messages into the json right in the layer that devise-jwt patches, without touching devise at all. Not sure how easy to implement this is or if this is even possible. Will keep on digging though.

• I'm already working on some additional TestHelpers to make testing smooth out of the box. :-)

• I like the different revocation strategies a lot and i have some ideas for additional helper methods which handle different signout/revocation cases on each strategy easily.

So maybe you can expect some pull request in the next weeks. :-) Rather busy at the moment though, so i can't say for sure when I have smth. ready.

[waiting-for-dev]

Hey @christophweegen ,

happy to hear you feel like contributing to devise-jwt 😃

About your flash message concerns, I addressed them in a separate issue to keep things organized so that others can find information easily: #72

About revocation strategies, I don't want to add a comprehensive set of them in the gem, because there are as many as different developer needs exist: virtually infinite. I just want to include the bare minimum of them which cover big picture scenarios: whitelist, blacklist... Developers can extend them easily through custom strategies. For small picture differences, or strategies depending on other technologies (for example, Redis), I think it would be a good idea to add them in the wiki.

[christophweegen]

Hey,

sorry for my late reply :-) Ok thanks will look them up there..

About revocation strategies:

I'm already working on some additional TestHelpers to make testing smooth out of the box. :-)

I like the different revocation strategies a lot and i have some ideas for additional helper methods which handle different signout/revocation cases on each strategy easily.

Sorry my fault, didn't expressed myself precisely. The sentence about the revocation strategies helper methods were still referring to TestHelpers in the sentence above.

I opened a new issue on that to keep things tidy too #77 :-)

[christophweegen]

P.S: I think the already present revocation strategies are great and definitely cover the most important use cases by now. No need to add additional IMHO. My favorite is the whitelist approach :-)