Help with Rodauth + Omniauth - API Only (JWT) - Error

[jairfg]

Hey @janko. Thanks this library is great, I admire your work. Initially I already implemented rodauth-rails for authentication on my platform and everything works fine. I’m now adding rodauth-omniauth to make it easier for my users to log in with Google and Facebook.

Everything was going well until a mistake occurred that I cannot identify. I would love for you to help.

My implementation is as follows:
rodauth_main.rb

require "sequel/core"

class RodauthMain < Rodauth::Rails::Auth
  configure do
    enable :create_account, 
      :login, :logout, :jwt,
      :reset_password, :change_password, :change_password_notify,
      :change_login, :verify_login_change, :close_account,
      :omniauth

    db Sequel.postgres(extensions: :activerecord_connection, keep_reference: false)

    # Defaults to Rails `secret_key_base`, but you can use your own secret key.
    hmac_secret "379532b2ec2e002..."

    jwt_secret { hmac_secret }

    # Accept only JSON requests.
    only_json? true

    require_password_confirmation? true

    # Specify the controller used for view rendering, CSRF, and callbacks.
    rails_controller { RodauthController }

    title_instance_variable :@page_title

    account_status_column :status
    account_password_hash_column :password_hash

    # Change some default param keys.
    login_param "email"
    password_confirm_param "confirm_password"

    # ==> Emails
    create_reset_password_email do
      RodauthMailer.reset_password(self.class.configuration_name, account_id, reset_password_key_value)
    end
    create_verify_login_change_email do |_login|
      RodauthMailer.verify_login_change(self.class.configuration_name, account_id, verify_login_change_key_value)
    end
    create_password_changed_email do
      RodauthMailer.password_changed(self.class.configuration_name, account_id)
    end
    send_email do |email|
      # queue email delivery on the mailer after the transaction commits
      db.after_commit { email.deliver_later }
    end

    before_create_account do
      throw_error_status(422, "first_name", "must be present") if param("first_name").empty?
      throw_error_status(422, "last_name", "must be present") if param("last_name").empty?
    end

    after_create_account do
      Student.create(first_name: param('first_name'),
                     last_name: param('last_name'),
                     email: param('email'),
                     tenant_id: request.env[:tenant_id],
                     account_id:)
    end

    set_jwt_token do |token|
      json_response['Authorization'] = token if account.present?
    end

    omniauth_setup do
      omniauth_strategy.options[:provider_ignores_state] = true
      omniauth_strategy.options[:authorize_params][:redirect_uri] = "http://localhost:8080/callbacks/google"
      omniauth_strategy.options[:token_params][:redirect_uri] = "http://localhost:8080/callbacks/google"
    end
    
    omniauth_provider :facebook,
      Rails.application.credentials.facebook[:app_id],
      Rails.application.credentials.facebook[:app_secret],
      scope: "email"

    omniauth_provider :google_oauth2,
      Rails.application.credentials.google[:client_id],
      Rails.application.credentials.google[:client_secret],
      name: :google # rename it from "google_oauth2"

    omniauth_identity_insert_hash do
      super().merge(created_at: Time.now)
    end
    omniauth_identity_update_hash do
      super().merge(updated_at: Time.now)
    end
  end
end

This is the Frontend and Backend flow

1. From Frontend I send a POST request hacia http://localhost:3000/auth/google

2. I receive a URL "https://accounts.google.com/o/oauth2/auth?access_type=offline&client_id=1010492842..."
   that I open and accept permission to use my account

3. redirects to my Frontend http://localhost:8080/callbacks/google?state=..&code=..&scope=..&authuser=..&prompt=..

4. With these params I send a GET request to http://localhost:3000/auth/google/callback?state=${state}&code=${code}&scope=${scope}&authuser=${authuser}&prompt=${prompt}

5. The Account and the associated Identity are created in my backend. but an error occurs that causes the Token not to be returned to me. "undefined method 'destroy' for nil:NilClass"

The same happens for login with Facebook.

[janko]

Thanks for the detailed report. Any chance you could get the full backtrace for this exception? I have the feeling that it could be related to sessions, because Rails' Request#reset_session calls session.destroy, and maybe session is nil. But I cannot be sure without the backtrace. I can try to reproduce the error as well.

Initially I already implemented rodauth-rails for authentication on my platform and everything works fine.

I'm happy to hear that 🙂

[mintuhouse]

Stacktrace for above error in API only apps without any session middleware

Exception: NoMethodError: undefined method `destroy' for nil
railsapi/.cache/bundle/ruby/3.3.0/gems/actionpack-7.1.3.2/lib/action_dispatch/http/request.rb:391:in `reset_session'
railsapi/.cache/bundle/ruby/3.3.0/gems/actionpack-7.1.3.2/lib/action_controller/metal.rb:259:in `reset_session'
railsapi/.cache/bundle/ruby/3.3.0/gems/rodauth-rails-1.13.0/lib/rodauth/rails/feature/base.rb:21:in `clear_session'
railsapi/.cache/bundle/ruby/3.3.0/gems/rodauth-2.34.0/lib/rodauth/features/jwt.rb:62:in `clear_session'
railsapi/.cache/bundle/ruby/3.3.0/gems/rodauth-2.34.0/lib/rodauth/features/base.rb:457:in `update_session'
railsapi/.cache/bundle/ruby/3.3.0/gems/rodauth-2.34.0/lib/rodauth/features/jwt_refresh.rb:60:in `update_session'
railsapi/.cache/bundle/ruby/3.3.0/gems/rodauth-2.34.0/lib/rodauth/features/base.rb:466:in `login_session'
railsapi/.cache/bundle/ruby/3.3.0/gems/rodauth-2.34.0/lib/rodauth/features/login.rb:90:in `block in login'

clear_session in jwt feature calls super
which does rails_controller_instance.reset_session but in API only apps there is no session defined

Below where it sets request.env["rack.session"] = nil might be causing the problem

rodauth-omniauth/lib/rodauth/features/omniauth_base.rb

Line 174 in bcfb750

request.env["rack.session"] = rack_session

PS: patched the Hash to see where it is being set to nil

Hash.class_eval do
  alias_method :old_brackets, :[]=
  def []=(key, value)
    binding.irb if key == "rack.session" && value.nil?
    old_brackets(key, value)
  end
end

[janko]

I appreciate the debugging information 🙏🏻 I just pushed a possible fix to the master branch, would you mind testing it out?

[janko]

Released version 0.3.4 with this fix.