Why am I unable to sign out using devise_token_auth and curl?

Question

I'm using rails-api with devise_token_auth for authentication. I am able to sign in without issue via:

curl -i http://localhost:3000/api/v1/auth/sign_in -F email="[email protected]" -F password="password"

However, sign out fails with a 404 and the error "User was not found or was not logged in." via:

curl -X DELETE -i http://localhost:3000/api/v1/auth/sign_out

I have tried variations of this command with multiple combinations of parameters and header values, such as:

curl -X DELETE -i http://localhost:3000/api/v1/auth/sign_out -F email="[email protected]" -H Access-Token="Ae1yaTYLkSAgdhz3LtPAZg" -H Client="9AmYF6NS8tP6EOD5nPSuxw" -H Expiry="1443073493" -H Uid="[email protected]" -H Token-Type="Bearer"

To no avail. A similarly constructed RSpec test also fails with the same response and error, and the logs indicate the request was processed via DeviseTokenAuth::SessionsController#destroy as JSON.

Of course, I'm not actually using curl for authentication; just verification of the request structure before writing the relevant code.

Answer 1

Answering my own question, I wasn't returning certain sign_in response header values correctly with the sign_out request.

I found a related post which pointed out some of the critical headers. The trick is to capture the access-token, client, and uid header values from the sign_in response, then include them as parameters in the sign_out request:

curl -i -X DELETE http://localhost:3000/api/v1/auth/sign_out -F access-token="Ae1yaTYLkSAgdhz3LtPAZg" -F client="9AmYF6NS8tP6EOD5nPSuxw" -F uid="[email protected]"

Here's an RSpec test to illustrate and verify:

require 'rails_helper'

RSpec.describe "Authentication", type: :request do

  it "logs a user out" do
    user = User.create!(
      name: "Some Dude", 
      email: "[email protected]",
      password: "password", 
      confirmed_at: Date.today
    )

    # initial sign in to generate a token and response
    post api_v1_user_session_path, {
      email: user.email, 
      password: user.password
    }

    expect(user.reload.tokens.count).to eq 1

    # sign out request using header values from sign in response
    delete destroy_api_v1_user_session_path, {
      "access-token": response.header["access-token"], 
      client: response.header["client"], 
      uid: response.header["uid"]
    }

    response_body = JSON.load(response.body)
    expect(response_body["errors"]).to be_blank
    expect(response.status).to eq 200
    # user token should be deleted following sign out
    expect(user.reload.tokens.count).to eq 0
  end

end