lib/warden/jwt_auth/hooks.rb in warden-jwt_auth-0.3.0 vs lib/warden/jwt_auth/hooks.rb in warden-jwt_auth-0.3.1

@@ -16,19 +16,36 @@
       # @see https://github.com/hassox/warden/wiki/Callbacks
       def self.after_set_user(user, auth, opts)
         new.send(:prepare_token, user, auth, opts)
       end
 
+      # Sign out a JWT scope if it comes from the session.
+      #
+      # If a user is meant to be authenticated via JWT, then if it is fetched
+      # from the session it must be something not intended to happen and a
+      # security threat.
+      #
+      # Workaround until https://github.com/hassox/warden/pull/118 is fixed
+      def self.after_fetch(_user, auth, opts)
+        new.send(:logout_scope, auth, opts)
+      end
+
       private
 
       def prepare_token(user, auth, opts)
         env = auth.env
         scope = opts[:scope]
         return unless token_should_be_added?(scope, env)
         add_token_to_env(user, scope, env)
       end
 
+      def logout_scope(auth, opts)
+        scope = opts[:scope]
+        return unless jwt_scope?(scope)
+        auth.logout(scope)
+      end
+
       def token_should_be_added?(scope, env)
         path_info = EnvHelper.path_info(env)
         method = EnvHelper.request_method(env)
         jwt_scope?(scope) && request_matches?(path_info, method)
       end
@@ -59,6 +76,10 @@
   end
 end
 
 Warden::Manager.after_set_user do |user, auth, opts|
   Warden::JWTAuth::Hooks.after_set_user(user, auth, opts)
+end
+
+Warden::Manager.after_fetch do |user, auth, opts|
+  Warden::JWTAuth::Hooks.after_fetch(user, auth, opts)
 end