From 7995136f931163c4620f7686c139958090fa8e92 Mon Sep 17 00:00:00 2001
From: xkraty
Date: Mon, 23 Oct 2023 21:23:10 +0200
Subject: [PATCH] Fix Refresh token AbstractController::DoubleRenderError (#29)

* added return to avoid DoubleRenderError in case of revoked token
* fix refresh token tests to send refresh_token in authentication_headers_for
---
 app/controllers/devise/api/tokens_controller.rb | 2 +-
 spec/requests/tokens_spec.rb | 14 +++++++-------
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/app/controllers/devise/api/tokens_controller.rb b/app/controllers/devise/api/tokens_controller.rb
index beb8221..9625d47 100644
--- a/app/controllers/devise/api/tokens_controller.rb
+++ b/app/controllers/devise/api/tokens_controller.rb
@@ -122,7 +122,7 @@ def refresh
 error_response = Devise::Api::Responses::ErrorResponse.new(request, error: :revoked_token, resource_class: resource_class)
- render json: error_response.body, status: error_response.status
+ return render json: error_response.body, status: error_response.status
 end
 Devise.api.config.before_refresh.call(current_devise_api_refresh_token, request)
diff --git a/spec/requests/tokens_spec.rb b/spec/requests/tokens_spec.rb
index aa65efa..55afd2a 100644
--- a/spec/requests/tokens_spec.rb
+++ b/spec/requests/tokens_spec.rb
@@ -489,7 +489,7 @@
 let(:devise_api_token) { build(:devise_api_token, resource_owner: user) }
 before do
- post refresh_user_tokens_path, headers: authentication_headers_for(user, devise_api_token), as: :json
+ post refresh_user_tokens_path, headers: authentication_headers_for(user, devise_api_token, :refresh_token), as: :json
 end
 it 'returns http unauthorized' do
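Review bot: The `return` added in the revoked-token branch of `refresh` (app/controllers/devise/api/tokens_controller.rb) is what stops a revoked refresh token from falling through to `Devise.api.config.before_refresh.call(...)` on the lines that follow, but nothing in the code says so; the commit message frames it only as avoiding a DoubleRenderError. I would add a comment above the render, e.g. `# Halt here: a revoked refresh token must not reach before_refresh or the refresh flow below.`, so the guard is not later dropped as a stylistic redundancy. Any other early-exit branches in `refresh` should be checked for the same fall-through; the method starts and ends outside this hunk, so that cannot be confirmed from here.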
@@ -533,7 +533,7 @@
 let(:devise_api_token) { create(:devise_api_token, :refresh_token_expired, resource_owner: user) }
 before do
- post refresh_user_tokens_path, headers: authentication_headers_for(user, devise_api_token), as: :json
+ post refresh_user_tokens_path, headers: authentication_headers_for(user, devise_api_token, :refresh_token), as: :json
 end
 it 'returns http unauthorized' do
@@ -541,8 +541,8 @@
 end
 it 'returns an error response' do
- expect(parsed_body.error).to eq 'invalid_token'
- expect(parsed_body.error_description).to eq([I18n.t('devise.api.error_response.invalid_token')])
+ expect(parsed_body.error).to eq 'expired_refresh_token'
+ expect(parsed_body.error_description).to eq([I18n.t('devise.api.error_response.expired_refresh_token')])
 end
 it 'does not refresh the token' do
@@ -555,7 +555,7 @@
 let(:devise_api_token) { create(:devise_api_token, :revoked, resource_owner: user) }
 before do
- post refresh_user_tokens_path, headers: authentication_headers_for(user, devise_api_token), as: :json
+ post refresh_user_tokens_path, headers: authentication_headers_for(user, devise_api_token, :refresh_token), as: :json
 end
 it 'returns http unauthorized' do
@@ -563,8 +563,8 @@
 end
 it 'returns an error response' do
- expect(parsed_body.error).to eq 'revoked_token'
- expect(parsed_body.error_description).to eq([I18n.t('devise.api.error_response.revoked_token')])
+ expect(parsed_body.error).to eq 'revoked_token'
+ expect(parsed_body.error_description).to eq([I18n.t('devise.api.error_response.revoked_token')])
 end
 it 'does not refresh the token' do
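Review bot: The revoked-token examples (hunks at -555 and -563) assert the status and the `revoked_token` error body, but nothing visible pins the behaviour the controller fix exists to protect: that the `before_refresh` hook is never invoked for a revoked refresh token. I would set `expect(Devise.api.config.before_refresh).not_to receive(:call)` in the `before` block ahead of the `post`, assuming the config returns the same callable on each read. The body of 'does not refresh the token' lies outside these hunks, so it may already cover part of this; if it only compares token values, the hook check is still worth adding. The same applies to the expired-refresh-token context in the -533/-541 hunks.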