
Adding forceValidateToken flag to configuration #184

Merged
merged 1 commit into from
Aug 10, 2015

Conversation

goshatch
Contributor

Hi,

I've added a forceValidateToken flag to the configuration object.

This flag is useful for implementing single sign on, which could require checking in with the API even if an auth_headers cookie is not set.

Including tests and updates to the README.

Please let me know if you have any comments!

@booleanbetrayal
Collaborator

Hi @Gueorgui - Wondering what the desired use-case is here. If validateOnPageLoad is set (defaults to true), validateUser is called ... it will check to see if auth_headers is empty, and if so, reject the
validation promise, and dispatch an auth:invalid event. Typically, that event could be used to determine whether or not to redirect to a sign-in screen. Help me understand what the current scheme is failing to support.

@goshatch
Contributor Author

Hi @booleanbetrayal, good question.

I've tried using the auth:invalid event, but the event is fired before the listener (which I initialize in my module's run method) is registered. I couldn't find a workaround for this.

Our use case is as follows:

  • We have a ng-token-auth/devise_token_auth app (let's call it App A) that uses an external app's OAuth2 API to provide authentication (let's call that App B).
  • App B provides an API access token stored in an encrypted cookie; if this cookie is present, App A is able to decrypt it and use the contained token to sign a user in, creating the corresponding account in App A if necessary.
  • For this use case, when the user first loads App A, the auth_headers cookie is empty, but we still want it to hit the validate_token path in our backend in order to check for the presence of the encrypted cookie and log a user in if possible.

Here's the code of our overridden TokenValidationsController:

class TokenValidationsController < DeviseTokenAuth::TokenValidationsController
  include TokenAuthenticatable
  # Runs before the inherited validate_token, so an SSO cookie can sign the user in first
  prepend_before_filter :check_for_sso_cookie

  def validate_token
    # ...
  end

  def check_for_sso_cookie
    if cookies["encrypted_sso_cookie"]
      sso_token = # code to decrypt cookies["encrypted_sso_cookie"]...
      if sso_token
        @resource = # load User model from sso_token...
        # Issue fresh devise_token_auth tokens and expose them in the response headers
        update_tokens(@resource)
        sign_in(:user, @resource, store: false, bypass: false)
        update_auth_header
      end
    end
  end
end

Please let me know if I'm missing something, I'd be happy to make it work with the auth:invalid event as well!

Thank you in advance 😄
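A stand-alone sketch of the decrypt step that check_for_sso_cookie elides above. This is an added illustration, not code from this PR or from ng-token-auth/devise_token_auth; it assumes App B seals the user id and API token with AES-256-GCM under a secret shared with App A (constructed here), so that a forged, truncated or expired cookie yields nil and no sign-in happens.

```ruby
require 'openssl'
require 'json'
require 'base64'

# Constructed shared secret; in practice App A and App B would exchange this out of band.
SSO_KEY = OpenSSL::Digest::SHA256.digest('constructed-shared-secret-for-demo')

# App B side (hypothetical): seal the payload into a cookie value "iv.ciphertext.tag".
def seal_sso_cookie(payload, key = SSO_KEY, ttl = 300)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = key
  iv = cipher.random_iv                      # 12-byte nonce, must never repeat under one key
  cipher.auth_data = 'sso-v1'                # version label is authenticated, not encrypted
  plaintext = JSON.generate(payload.merge('exp' => Time.now.to_i + ttl))
  ct = cipher.update(plaintext) + cipher.final
  [iv, ct, cipher.auth_tag].map { |b| Base64.strict_encode64(b) }.join('.')
end

# App A side: open the cookie; nil for anything forged, malformed or expired.
def open_sso_cookie(value, key = SSO_KEY, now = Time.now.to_i)
  return nil if value.nil?
  parts = value.split('.', 3)
  return nil unless parts.length == 3
  iv, ct, tag = parts.map { |p| Base64.strict_decode64(p) }
  return nil unless tag.bytesize == 16       # refuse truncated tags before decrypting
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = key
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = 'sso-v1'
  payload = JSON.parse(cipher.update(ct) + cipher.final)  # final raises on a bad tag
  return nil if payload['exp'].to_i <= now
  payload
rescue OpenSSL::Cipher::CipherError, ArgumentError, JSON::ParserError
  nil
end

# Mirrors the controller's decision: given the request cookies, which user id (if any) to sign in.
def user_id_from_sso(cookies)
  payload = open_sso_cookie(cookies['encrypted_sso_cookie'])
  payload && payload['user_id']
end
```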

@booleanbetrayal
Collaborator

@Gueorgui - I see what you're saying, now. Looks like the PR has some conflicts as of some recent commits (probably just compiled dist). You mind resolving those conflicts by rebasing against master?

This flag is for implementing single sign on, which could require
checking in with the API even if an auth_headers cookie is not set.

Including tests and updates to the README.

@goshatch
Contributor Author

goshatch commented Aug 9, 2015

Hi @booleanbetrayal, thanks! I've rebased my fork against master, should be mergeable now.

booleanbetrayal added a commit that referenced this pull request Aug 10, 2015
Adding forceValidateToken flag to configuration
@booleanbetrayal booleanbetrayal merged commit 04903ca into lynndylanhurley:master Aug 10, 2015
@booleanbetrayal
Collaborator

Thanks @Gueorgui!
