Steps to Repeat

1. Login
2. Logout
3. Login and get 422 from server: `Can't verify CSRF token authenticity`

Gems

- devise 3.5.2
- devise_token_auth 0.1.36
According to other threads, the solution is to return a new CSRF token on logout and then, on the client side in the success handler for logout, set the `XSRF-TOKEN` cookie to the received token. The code I'm using is below. Can someone enlighten me as to why it's not working? The last login request looks to be using the new token, so Angular looks like it's picking it up from the cookie.
I am overriding the devise_token_auth `destroy` method and, in the render, adding the `csrfParam` and `csrfToken` to pass to the client. Does this `csrfToken` need to be stored on the server somewhere so it can be compared when the next request comes through?
```ruby
def destroy
  # remove auth instance variables so that after_filter does not run
  user = remove_instance_variable(:@resource) if @resource
  client_id = remove_instance_variable(:@client_id) if @client_id
  remove_instance_variable(:@token) if @token

  if user and client_id and user.tokens[client_id]
    # revoke only this client's token, then hand the client a fresh CSRF token
    user.tokens.delete(client_id)
    user.save!
    render json: {
      success: true,
      csrfParam: request_forgery_protection_token,
      csrfToken: form_authenticity_token
    }, status: 200
  else
    render_destroy_error
  end
end
```
This is the client side success callback for ng-token-auth signOut.
```javascript
$auth.signOut()
  .then(function(resp) {
    // store the server-issued token everywhere Angular's XSRF support may read it from
    $('meta[name=csrf-token]').attr('content', resp.data.csrfToken);
    $cookieStore.put($http.defaults.xsrfCookieName, resp.data.csrfToken);
    $http.defaults.headers.common[$http.defaults.xsrfHeaderName] = resp.data.csrfToken;
    $state.go('login');
  })
  .catch(function(resp) {
    // handle error response
    console.log("error signing out");
  });
```
I followed along with the following question, which is similar to mine, but didn't have any luck: Rails, Devise authentication, CSRF issue, https://github.com/lynndylanhurley/devise_token_auth/issues/398
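Added illustration (not code from the issue, Rails, Devise or devise_token_auth): the question of whether the `csrfToken` "needs to be stored on the server" is answered by how Rails 4.2 verifies it. `form_authenticity_token` does not return the raw secret; it returns a freshly masked copy of `session[:_csrf_token]`, and `verify_authenticity_token` unmasks the submitted value and compares it against whatever secret is in the session that arrives with the *next* request. So the token is already stored server-side, in the session, and a token only verifies if the session it was minted from survives to the next request. The block below re-implements that masking scheme in plain Ruby over a Hash standing in for the session (the Hash and the `logout_then_login` scenario are constructed for the example) and shows the failure mode a defender should look for: a logout path that resets or drops the session makes the token issued in the logout response unverifiable on the subsequent login.

```ruby
require 'securerandom'
require 'base64'

# Re-implementation of the Rails 4.2 masked CSRF token scheme for illustration only.
# `session` is a plain Hash standing in for the Rails session store.
TOKEN_LENGTH = 32

# The raw per-session secret. Created on first use and kept in the session:
# this is the server-side state every masked token is compared against.
def real_csrf_token(session)
  session[:_csrf_token] ||= SecureRandom.base64(TOKEN_LENGTH)
  Base64.strict_decode64(session[:_csrf_token])
end

def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

# What form_authenticity_token hands out: a one-time pad followed by the raw
# token XORed with that pad, so each response carries a different-looking value.
def masked_authenticity_token(session)
  one_time_pad = SecureRandom.random_bytes(TOKEN_LENGTH)
  encrypted = xor_bytes(one_time_pad, real_csrf_token(session))
  Base64.strict_encode64(one_time_pad + encrypted)
end

# Constant-time comparison so the check does not leak how many bytes matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# What verify_authenticity_token does with the submitted value: unmask it and
# compare it with the secret held in the session of the *current* request.
def valid_authenticity_token?(session, encoded_masked_token)
  return false unless session[:_csrf_token] # no secret in this session, nothing to match
  masked = begin
    Base64.strict_decode64(encoded_masked_token.to_s)
  rescue ArgumentError
    return false
  end
  return false unless masked.bytesize == TOKEN_LENGTH * 2
  pad = masked[0, TOKEN_LENGTH]
  encrypted = masked[TOKEN_LENGTH, TOKEN_LENGTH]
  secure_compare(xor_bytes(pad, encrypted), real_csrf_token(session))
end

# Constructed scenario from the issue: a token is minted while handling logout and
# then submitted with the next login. If the logout path resets the session (or
# the new session cookie never reaches the browser), the login request arrives
# with a session that holds no matching secret and verification fails.
def logout_then_login(reset_session_on_logout:)
  session = {}
  token_from_logout_response = masked_authenticity_token(session)
  session = {} if reset_session_on_logout # models reset_session / lost session cookie
  valid_authenticity_token?(session, token_from_logout_response)
end

if __FILE__ == $0
  puts "session kept across logout:  #{logout_then_login(reset_session_on_logout: false)}"
  puts "session reset during logout: #{logout_then_login(reset_session_on_logout: true)}"
end
```

When debugging a 422 like the one above, the useful check is therefore not whether the client echoes the token correctly (the browser tooling already shows it does) but whether the login request carries the same `_session_id` cookie that was current when `form_authenticity_token` was called in `destroy`; if the session cookie changed or is missing, the token can never match regardless of what the client stores.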