Fix Refresh token AbstractController::DoubleRenderError (#29)

* added return to avoid DoubleRenderError in case of revoked token * fix refresh token tests to send refresh_token in authentication_headers_for
nejdetkadir · Oct 23, 2023 · 7995136 · 7995136
1 parent e864e7c
commit 7995136
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 8 deletions.
diff --git a/app/controllers/devise/api/tokens_controller.rb b/app/controllers/devise/api/tokens_controller.rb
@@ -122,7 +122,7 @@ def refresh
           error_response = Devise::Api::Responses::ErrorResponse.new(request, error: :revoked_token,
                                                                               resource_class: resource_class)
 
-          render json: error_response.body, status: error_response.status
+          return render json: error_response.body, status: error_response.status
         end
 
         Devise.api.config.before_refresh.call(current_devise_api_refresh_token, request)

diff --git a/spec/requests/tokens_spec.rb b/spec/requests/tokens_spec.rb
@@ -489,7 +489,7 @@
       let(:devise_api_token) { build(:devise_api_token, resource_owner: user) }
 
       before do
-        post refresh_user_tokens_path, headers: authentication_headers_for(user, devise_api_token), as: :json
+        post refresh_user_tokens_path, headers: authentication_headers_for(user, devise_api_token, :refresh_token), as: :json
       end
 
       it 'returns http unauthorized' do
@@ -533,16 +533,16 @@
       let(:devise_api_token) { create(:devise_api_token, :refresh_token_expired, resource_owner: user) }
 
       before do
-        post refresh_user_tokens_path, headers: authentication_headers_for(user, devise_api_token), as: :json
+        post refresh_user_tokens_path, headers: authentication_headers_for(user, devise_api_token, :refresh_token), as: :json
       end
 
       it 'returns http unauthorized' do
         expect(response).to have_http_status(:unauthorized)
       end
 
       it 'returns an error response' do
-        expect(parsed_body.error).to eq 'invalid_token'
-        expect(parsed_body.error_description).to eq([I18n.t('devise.api.error_response.invalid_token')])
+        expect(parsed_body.error).to eq 'expired_refresh_token'
+        expect(parsed_body.error_description).to eq([I18n.t('devise.api.error_response.expired_refresh_token')])
       end
 
       it 'does not refresh the token' do
@@ -555,16 +555,16 @@
       let(:devise_api_token) { create(:devise_api_token, :revoked, resource_owner: user) }
 
       before do
-        post refresh_user_tokens_path, headers: authentication_headers_for(user, devise_api_token), as: :json
+        post refresh_user_tokens_path, headers: authentication_headers_for(user, devise_api_token, :refresh_token), as: :json
       end
 
       it 'returns http unauthorized' do
         expect(response).to have_http_status(:unauthorized)
       end
 
       it 'returns an error response' do
-        expect(parsed_body.error).to eq 'invalid_token'
-        expect(parsed_body.error_description).to eq([I18n.t('devise.api.error_response.invalid_token')])
+        expect(parsed_body.error).to eq 'revoked_token'
+        expect(parsed_body.error_description).to eq([I18n.t('devise.api.error_response.revoked_token')])
       end
 
       it 'does not refresh the token' do