Make clear_session not call the scope's clear session if using JWTs f…

…or session in the jwt feature Previously, if using Roda's session plugin and the Rodauth jwt feature, when the Rodauth clear_session was called for a request that should use JWT, it would call clear_session on the Roda scope. That is a mistake, because all Rodauth session information should be stored in the JWT in that case, not in a session cookie. This changes things so that Road scope clear_session is not called if JWTs are in use. It also makes it so that clear session does not call session.clear twice in the JWT case.
jeremyevans · Nov 8, 2024 · b6f368b · b6f368b
1 parent 4079fcc
commit b6f368b
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 5 deletions.
diff --git a/CHANGELOG b/CHANGELOG
@@ -1,5 +1,7 @@
 === master
 
+* Make clear_session not call the scope's clear session if using JWTs for session in the jwt feature (jeremyevans)
+
 * Support webauthn_autofill? configuration method in webauthn_autofill feature for disabiling autofill on login page (janko) (#445)
 
 * Remove documentation from the gem to reduce gem size by 50% (jeremyevans)

diff --git a/lib/rodauth/features/base.rb b/lib/rodauth/features/base.rb
@@ -321,7 +321,7 @@ def login_uses_email?
     end
 
     def clear_session
-      if scope.respond_to?(:clear_session)
+      if use_scope_clear_session?
         scope.clear_session
       else
         session.clear
@@ -869,6 +869,10 @@ def internal_request?
       false
     end
 
+    def use_scope_clear_session?
+      scope.respond_to?(:clear_session)
+    end
+
     def require_response(meth)
       send(meth)
       raise RuntimeError, "#{meth.to_s.sub(/\A_/, '')} overridden without returning a response (should use redirect or request.halt). This is a bug in your Rodauth configuration, not a bug in Rodauth itself."

diff --git a/lib/rodauth/features/jwt.rb b/lib/rodauth/features/jwt.rb
@@ -60,10 +60,7 @@ def session
 
     def clear_session
       super
-      if use_jwt?
-        session.clear
-        set_jwt
-      end
+      set_jwt if use_jwt?
     end
 
     def jwt_secret
@@ -158,5 +155,9 @@ def return_json_response
     def set_jwt
       set_jwt_token(session_jwt)
     end
+
+    def use_scope_clear_session?
+      super && !use_jwt?
+    end
   end
 end