Rails 5 API with front-end engine

Question

I've a Rails 5 API with devise/doorkeeper perfectly working.

I've built an engine having a front-end part with all devise views. Everything works unless the flash when warden is throwing an error. I've imported manually missing modules :

# app/controllers/concerns/api_to_web_controller.rb
module ApiToWebController
  extend ActiveSupport::Concern

  included do
    include ActionController::Helpers
    include ActionController::MimeResponds
    include ActionController::Redirecting
    include ActionView::Layouts
    include ActionController::EtagWithFlash
    include ActionController::Flash
    
    respond_to :html
  end
end


# app/controllers/concerns/devise_api_to_web.rb
##
# Module to integrate Devise:
#  - helpers
#  - layout
# It also redefine `redirect_to`.
# See https://github.com/heartcombo/responders/issues/222
# for more details
module DeviseApiToWeb
  extend ActiveSupport::Concern

  included do
    layout 'secret_migration/devise'

    if respond_to?(:helper_method)
      helpers = %w[resource scope_name resource_name signed_in_resource
                   resource_class resource_params devise_mapping]
      helper_method(*helpers)
    end

    def redirect_to(options = {}, response_options = {})
      super
    end
  end
end

Here is my custom SessionController

module MyEngine
  module V1
    # Override Devise::SessionsController
    class Users::SessionsController < Devise::SessionsController
      include ::ApiToWebController
      include ::DeviseApiToWeb
    end
  end
end

I got this custom after_authentication

# config/initializers/warden.rb
Warden::Manager.after_authentication do |user, auth, _opts|
  next if user.is_ok?

  throw(:warden, :message => "User not ok, contact admin")
end

Finally, the application file

module MyApp
  class Application < 
opts = { key: '_my_app', domain: 'example.com', tld_length: 1 }
Rails::ApplicationRails.application.config.session_store :disabled
  config.session_store :cookie_store, opts
  config.middleware.use ActionDispatch::Session::CookieStore, config.session_options
  config.middleware.insert_after(ActionDispatch::Cookies, ActionDispatch::Session::CookieStore,
                                 opts)

I've been able to track the data. env[warden.options] is well filled with :message => "User not ok, contact admin" but somehow, it's not passed after the redirection.

Important point, I got flash message when it's a pure devise error like Invalid Email or password. .

Answer 1

I got it. It was a middleware order issue. It has to be with the following order

use ActionDispatch::Cookies
use ActionDispatch::Session::CookieStore
use ActionDispatch::Flash
use Warden::Manager

I've update my engine.rb to include the middleware at the correct place

module MyEngine
  ##
  # Engine initializers
  class Engine < ::Rails::Engine
    isolate_namespace MyEngine
    initializer 'use action dispatch flash' do |app|
      app.config.middleware.insert_after(ActionDispatch::Session::CookieStore, ActionDispatch::Flash)
    
      app.config.middleware.use Rack::MethodOverride
    end
  end
end

# config/application.rb
module MyApp
  class Application < Rails::Application
    # ...
    config.middleware.insert_before(Warden::Manager, ActionDispatch::Cookies)
    # ...
  end
end

# config/environments/development.rb
Rails.application.configure do
  opts = { key: '_my_app', domain: 'lvh.me', tld_length: 2 }
  Rails.application.config.session_store :disabled
  config.session_store :cookie_store, opts
  config.middleware.insert_after(ActionDispatch::Cookies, ActionDispatch::Session::CookieStore,
                                 opts)
end