Revert "Connect the token authentication mechanism to Devise session tracking"

mikejamesthompson · mikejamesthompson · commit 0b31793be356 · 2025-11-20T16:56:22.000Z
This reverts commit a69bbc1 which was causing a 403 error on every request from the reporting app, triggering a reauthentication. This was also breaking filtering in the reporting app due to every request hitting an unrelated bug in the OAuth redirect code in Mavis.
diff --git a/app/controllers/concerns/reporting_api/token_authentication_concern.rb b/app/controllers/concerns/reporting_api/token_authentication_concern.rb
@@ -43,12 +43,8 @@ def authenticate_user_by_jwt!
             )
           )
         if @current_user
+          session["user"] = data["user"]
           session["cis2_info"] = data["cis2_info"]
-
-          # Establish a Warden session with activity tracking
-          # which enables Devise's timeoutable module
-          sign_in @current_user, event: :authentication
-
           authenticate_user!
         else
           session.clear
diff --git a/spec/controllers/concerns/reporting_api/token_authentication_concern_spec.rb b/spec/controllers/concerns/reporting_api/token_authentication_concern_spec.rb
@@ -12,9 +12,6 @@
         def authenticate_user!
         end
 
-        def sign_in(user, options = {})
-        end
-
         def initialize(request: nil, session: {})
           @request = request
           @session = session
@@ -204,20 +201,20 @@ def current_user
       context "when a User exists with the values of id, session_token and reporting_api_session_token" do
         let(:user_id) { user.id }
 
+        it "copies the user key into session['user']" do
+          an_object_which_includes_the_concern.send(:authenticate_user_by_jwt!)
+          expect(an_object_which_includes_the_concern.session["user"]).to eq(
+            user_info.first["data"]["user"]
+          )
+        end
+
         it "copies the cis2_info key into session['cis2_info']" do
           an_object_which_includes_the_concern.send(:authenticate_user_by_jwt!)
           expect(
             an_object_which_includes_the_concern.session["cis2_info"]
           ).to eq(user_info.first["data"]["cis2_info"])
         end
 
-        it "signs in the user through Devise/Warden" do
-          expect(an_object_which_includes_the_concern).to receive(
-            :sign_in
-          ).with(user, event: :authentication)
-          an_object_which_includes_the_concern.send(:authenticate_user_by_jwt!)
-        end
-
         it "calls authenticate_user!" do
           expect(an_object_which_includes_the_concern).to receive(
             :authenticate_user!
diff --git a/spec/support/reporting_api_helper.rb b/spec/support/reporting_api_helper.rb
@@ -4,13 +4,6 @@ module ReportingAPIHelper
   def valid_jwt_payload
     team = create(:team, :with_one_nurse)
     user = team.users.first
-
-    # Ensure the user has session tokens required by Warden callbacks
-    user.update!(
-      session_token: SecureRandom.hex(32),
-      reporting_api_session_token: SecureRandom.hex(32)
-    )
-
     {
       data: {
         user: user.as_json,
@@ -23,8 +16,12 @@ def valid_jwt_payload
     }
   end
 
-  def valid_jwt(payload = valid_jwt_payload)
-    JWT.encode(payload, Settings.reporting_api.client_app.secret, "HS512")
+  def valid_jwt
+    JWT.encode(
+      valid_jwt_payload,
+      Settings.reporting_api.client_app.secret,
+      "HS512"
+    )
   end
 
   def invalid_jwt_payload
diff --git a/spec/support/shared_examples/a_reporting_api_controller.rb b/spec/support/shared_examples/a_reporting_api_controller.rb
@@ -1,13 +1,10 @@
 # frozen_string_literal: true
 
 shared_examples "a ReportingAPI controller" do
-  include ReportingAPIHelper
+  let(:team) { create(:team, :with_one_nurse) }
+  let(:user) { team.users.first }
 
-  # Extract the user from the JWT payload so we're testing with the same user
-  # that was authenticated via JWT
-  let(:jwt_payload) { valid_jwt_payload }
-  let(:user) { User.find(jwt_payload[:data][:user]["id"]) }
-  let(:team) { user.teams.first }
+  include ReportingAPIHelper
 
   context "when the reporting_api feature flag is disabled" do
     before { Flipper.disable(:reporting_api) }
@@ -17,7 +14,7 @@
         let(:params) { { jwt: jwt } }
 
         context "which is valid" do
-          let(:jwt) { valid_jwt(jwt_payload) }
+          let(:jwt) { valid_jwt }
 
           it "responds with status :forbidden" do
             get :index, params: { jwt: jwt }
@@ -36,20 +33,12 @@
         let(:params) { { jwt: jwt } }
 
         context "which is valid" do
-          let(:jwt) { valid_jwt(jwt_payload) }
+          let(:jwt) { valid_jwt }
 
           it "responds with status 200" do
             get :index, params: { jwt: jwt }
             expect(response.status).to eq(200)
           end
-
-          it "establishes a Warden session with activity tracking" do
-            get :index, params: { jwt: jwt }
-
-            expect(
-              request.session.dig("warden.user.user.session", "last_request_at")
-            ).to be_a(Integer)
-          end
         end
 
         context "which is not valid" do

Original file line number	Diff line number	Diff line change
`@@ -43,12 +43,8 @@ def authenticate_user_by_jwt!`
`43`	`43`	`)`
`44`	`44`	`)`
`45`	`45`	`if @current_user`
	`46`	`+ session["user"] = data["user"]`
`46`	`47`	`session["cis2_info"] = data["cis2_info"]`
`47`		`-`
`48`		`- # Establish a Warden session with activity tracking`
`49`		`- # which enables Devise's timeoutable module`
`50`		`- sign_in @current_user, event: :authentication`
`51`		`-`
`52`	`48`	`authenticate_user!`
`53`	`49`	`else`
`54`	`50`	`session.clear`