I'm using rails-api with devise_token_auth for authentication. I am able to sign in without issue via:
curl -i http://localhost:3000/api/v1/auth/sign_in -F email="[email protected]" -F password="password"
However, sign out fails with a 404 and the error "User was not found or was not logged in." via:
curl -X DELETE -i http://localhost:3000/api/v1/auth/sign_out
I have tried variations of this command with multiple combinations of parameters and header values, such as:
curl -X DELETE -i http://localhost:3000/api/v1/auth/sign_out -F email="[email protected]" -H Access-Token="Ae1yaTYLkSAgdhz3LtPAZg" -H Client="9AmYF6NS8tP6EOD5nPSuxw" -H Expiry="1443073493" -H Uid="[email protected]" -H Token-Type="Bearer"
To no avail. A similarly constructed RSpec test also fails with the same response and error, and the logs indicate the request was processed via DeviseTokenAuth::SessionsController#destroy as JSON.
Of course, I'm not actually using curl for authentication; just verification of the request structure before writing the relevant code.
Answering my own question, I wasn't returning certain sign_in response header values correctly with the sign_out request.
I found a related post which pointed out some of the critical headers. The trick is to capture the access-token, client, and uid header values from the sign_in response, then include them as parameters in the sign_out request:
curl -i -X DELETE http://localhost:3000/api/v1/auth/sign_out -F access-token="Ae1yaTYLkSAgdhz3LtPAZg" -F client="9AmYF6NS8tP6EOD5nPSuxw" -F uid="[email protected]"
Here's an RSpec test to illustrate and verify:
require 'rails_helper'
RSpec.describe "Authentication", type: :request do
  it "logs a user out" do
    user = User.create!(
      name: "Some Dude", 
      email: "[email protected]",
      password: "password", 
      confirmed_at: Date.today
    )
    # initial sign in to generate a token and response
    post api_v1_user_session_path, {
      email: user.email, 
      password: user.password
    }
    expect(user.reload.tokens.count).to eq 1
    # sign out request using header values from sign in response
    delete destroy_api_v1_user_session_path, {
      "access-token": response.header["access-token"], 
      client: response.header["client"], 
      uid: response.header["uid"]
    }
    response_body = JSON.load(response.body)
    expect(response_body["errors"]).to be_blank
    expect(response.status).to eq 200
    # user token should be deleted following sign out
    expect(user.reload.tokens.count).to eq 0
  end
end
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With