rodauth instance on ApplicationController not getting correct access to the current session

[FelipeBodelon]

Using both html and JSON features, I have a mixed auth flow which is working correctly for the most part.

But... I found an issue when using defined methods on my ApplicationController (as suggested by the docs). The methods I make available for its use in controllers are the following:

class ApplicationController < ActionController::Base
  protect_from_forgery if: -> { request.format.html? }, prepend: true

  private

  def authenticate_account(opts = {})
    redirect_path = opts.with_indifferent_access.fetch(:redirect_path, rodauth.login_path)

    redirect_to redirect_path, allow_other_host: true unless account_signed_in?
  end

  def account_signed_in?
    rodauth.authenticated?
  end

  def admin_signed_in?
    rodauth.authenticated? && current_account.has_role?(:admin)
  end

  def current_account
    rodauth.rails_account
  end
  helper_method :current_account # skip if inheriting from ActionController::API
  alias_method :current_user, :current_account
end

This works on some applications, for example:

class HomeController < ApplicationController

  def welcome
    redirect_to dashboard_analytics_quotations_path if admin_signed_in?
  end
end

The admin_signed_in? detects the active session signed account correctly.

For some other uses, like hooks (before_action, etc) the session can't be detected properly, as methods like rodauth.rails_account, rodauth.session_value, rodauth.account_from_session, all return nil.

So when using it with a hook, this fails to check authentication correctly:

class Payments::QuotationsController < ApplicationController
  before_action -> { authenticate_account(redirect_path: rodauth.create_account_path) }, only: %i[create]

  def create
    ...
  end
end

This action is triggered by an html form on a rails view. In that view the submit button is only visible with rodauth.logged_in? being true on the view template, so I'm completely sure that the authenticated account should be present.

What could be causing this to fail? Could the controller belonging to a certain scope affect this? When using certain methods (for debugging purposes), this error pops out:

[FelipeBodelon]

Looks like when using protect_form_forgery, if failing quietly it resets the session, thus breaking any rodauth feature. Purely a Rails mistake, will keep this here in case anyone runs against this issue.

[janko]

OK, good, I guess it's a similar issue to #276 then. This null session strategy is probably useful in production, but definitely surprising in development. Maybe it's worth setting with: :exception in development/tests.