
rails_warden's Introduction

Rails Warden


This gem adds some helpers on top of the base Warden Rack layer. It aims to make Warden easier to use in Rails-based environments without something as heavyweight as Devise.

Installation

Add this line to your application's Gemfile:

gem 'rails_warden'

And then execute:

$ bundle

Or install it yourself as:

$ gem install rails_warden

Usage

Create a new Rails initializer to inject RailsWarden into the Rails middleware stack:

# config/initializers/warden.rb
Rails.configuration.middleware.use RailsWarden::Manager do |manager|
  manager.failure_app = Proc.new { |_env|
    # A Rack response: Integer status, headers Hash, and a body that yields Strings
    [401, { 'Content-Type' => 'application/json' }, [{ error: 'Unauthorized', code: 401 }.to_json]]
  }
  manager.default_strategies :password # needs to be defined
  # Optional Settings (see Warden wiki)
  # manager.scope_defaults :admin, strategies: [:password]
  # manager.default_scope = :admin # optional default scope
  # manager.intercept_401 = false # Warden will intercept 401 responses, which can cause conflicts
end

If you want to customize the session serializer (optional), add the following to the initializer:

class Warden::SessionSerializer
  def serialize(record)
    [record.class.name, record.id]
  end

  def deserialize(keys)
    klass, id = keys
    # keys holds the class *name* (see serialize), so resolve it back to the class first
    klass.constantize.find_by(id: id)
  end
end
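The serializer above trusts whatever class name comes out of the session and resolves it with constantize. The following is an added example, not rails_warden's own code: it keeps the same [class name, id] format but only resolves class names from an explicit allowlist, and returns nil (which Warden treats as "no user in this scope") for unknown classes, missing records or malformed values. Rails signs its session cookie, so this is defence in depth for stale sessions and for non-cookie session stores. User and AdminUser are constructed in-memory stand-ins for ActiveRecord models, not classes from the page.

```ruby
# Added example, not rails_warden's own code.
#
# Hypothetical in-memory stand-ins for ActiveRecord models (constructed for
# this example); find_by(id:) mirrors ActiveRecord's nil-on-miss behaviour.
module FakeTable
  def rows
    @rows ||= {}
  end

  def find_by(id:)
    rows[id]
  end
end

class User
  extend FakeTable
  attr_reader :id, :email

  def initialize(id, email)
    @id = id
    @email = email
    self.class.rows[id] = self
  end
end

# Inherits find_by; @rows lives on each class object, so its table is separate.
class AdminUser < User; end

class AllowlistedSessionSerializer
  # Only these class names may come back out of the session.
  ALLOWED = { 'User' => User, 'AdminUser' => AdminUser }.freeze

  # Same shape as the README's Warden::SessionSerializer#serialize.
  def serialize(record)
    [record.class.name, record.id]
  end

  # nil for anything that is not a well-formed, allowlisted, existing record.
  def deserialize(keys)
    return nil unless keys.is_a?(Array) && keys.length == 2
    class_name, id = keys
    klass = ALLOWED[class_name.to_s]
    return nil unless klass
    klass.find_by(id: id)
  end
end

# Constructed sample records; the shared id shows that the class name matters.
ALICE = User.new(1, 'alice@example.com')
ROOT  = AdminUser.new(1, 'root@example.com')
```

In a Rails app the allowlist would map to the real model classes, and the two methods would go into the Warden::SessionSerializer reopening shown above.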

The next step is to configure Warden with one or more authentication strategies (the :password strategy named in the initializer above has to exist). Check out the Warden wiki for that.

Application Mixin

RailsWarden ships with a helpful set of methods and helpers for use inside of ActionController.

To use them, just include them inside your base controller.

class ApplicationController < ActionController::Base
  include RailsWarden::Authentication
end


rails_warden's Issues

Slow access to cookies

The first access to cookies is costing ~400-500ms for me right now when using Rails 3.1. The problem first started occurring when I upgraded rails. The instantiation of the controller controller.new(self.request, self.response).send(:cookies) on line 44 of rails_warden.rb seems to be the issue. Rewriting the function to

def cookies
  self.request.cookie_jar
end

resolves the issue for me, but may not be sufficiently robust. Happy to submit a pull request with that change but I suspect you'll have a better way of fixing it. Let me know if I can be of any assistance in resolving this.

RailsWarden holds on to references of the entire middleware stack infinitely

Due to the fact that

  Warden::Manager.before_failure do |env, opts|
    if request = env["action_controller.rescue.request"]
      request.params["action"] = RailsWarden.unauthenticated_action
    end
  end

is in RailsWarden::Manager.new, whose scope includes the passed-in app, when Warden::Manager stores the block given to it, the object references in the enclosing scope are also stored. Thus, any middleware objects are kept around forever, and the memory footprint of the app grows indefinitely with each request.

This issue would be fixed by a proper fix to http://github.com/hassox/rails_warden/issues#issue/2, such that the block is not added to Warden::Manager.before_failure each time.

Why pop out an login alert dialog instead of redirecting to the login page?

I have set up all the things that Devise needs, and things work fine for me.
But there is one thing that is very annoying:
When I request pages which need authentication through the browser (Firefox), it just pops up an alert dialog that says:

"A username and password are being requested by http://localhost:3001. The site says: "Application"'
with user name and password input fields, instead of redirecting to the login page (the "/users/sign_in" page). But whatever user name and password I type in, I just can't get access (I can successfully log in through "/users/sign_in" with the same info).

manager.failure_app and InvalidAuthenticityToken

Hi team,

First of all, I know this falls more on the Rails side than on the Warden side, but since it's such a common setup, I thought it's ok to go ahead and ask.

Most of the tutorials out there that talk about Warden + Rails (e.g. Railscasts #305, Warden's own wiki) suggest the following failure_app config:

manager.failure_app = lambda { |env| SessionsController.action(:new).call(env) }

However this seems to cause an InvalidAuthenticityToken if the strategy fails. As far as I can tell, this is because:

  1. First we POST the login form, w/ CSRF token
  2. The request reaches Sessions#create, CSRF token is validated and cycled.
  3. Warden is called, performs the check, if it passes high fives, otherwise :failure_app
  4. When :failure_app is configured as above, the request is then handed to the :new action in SessionsController but the entire request environment is passed along.
  5. Rails' CSRF protection filter reviews the request headers before running :new and, because the original request (point #1 above) was a POST, bails, saying we're POST'ing w/o a valid CSRF token (invalidated at #2 above).

Some posters suggest to skip the CSRF filter in SessionsController#new, which I trust would work, but the truth is that the CSRF filter shouldn't even kick in, because SessionsController#new is typically a GET request.

If I alter my Warden manager's :failure_app setup to:

  manager.failure_app = lambda do |env|
    env['REQUEST_METHOD'] = 'GET'
    SessionsController.action(:new).call(env)
  end

The CSRF filter doesn't complain.

Does this make sense? Am I understanding the inner workings correctly, and addressing the underlying problem?

Many thanks!
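An added example, not rails_warden's own code and not the issue author's, for the failure_app slot in the README's initializer and for the situation described in this issue: instead of dispatching SessionsController#new on the failed POST's env, the failure app answers API clients with a JSON 401 and browser clients with a redirect to the login page. The browser follows the redirect with a fresh GET, so the CSRF filter has nothing to check, and the JSON 401 carries no WWW-Authenticate header, so browsers do not show a credentials dialog. Assumptions: the login page is at LOGIN_PATH (the "/users/sign_in" path mentioned in an earlier issue), and Warden hands the strategy's failure options (:message, :attempted_path) to the failure app in env['warden.options'] after rewriting PATH_INFO.

```ruby
require 'json'
require 'uri'

# Added example, not rails_warden's own code.
LOGIN_PATH = '/users/sign_in'.freeze  # assumption: where the login form lives

# The path the user was trying to reach, if Warden recorded it in
# env['warden.options'][:attempted_path]; PATH_INFO is only a fallback
# (assumption: Warden rewrites PATH_INFO before calling the failure app).
def attempted_path(env)
  opts = env['warden.options'] || {}
  (opts[:attempted_path] || env['PATH_INFO']).to_s
end

def wants_json?(env)
  env['HTTP_ACCEPT'].to_s.include?('application/json') || attempted_path(env).end_with?('.json')
end

# Only a same-origin, absolute-path value may be echoed as a return target,
# so the return_to parameter cannot become an open redirect.
def safe_return_path(path)
  return nil unless path.start_with?('/')
  return nil if path.start_with?('//', '/\\')
  path
end

# Rack-compatible failure app: call(env) -> [status, headers, body].
WARDEN_FAILURE_APP = lambda do |env|
  opts    = env['warden.options'] || {}
  message = (opts[:message] || 'Unauthorized').to_s

  if wants_json?(env)
    # Plain 401 without WWW-Authenticate: browsers only open a credentials
    # dialog when that header is present.
    body = { error: message, code: 401 }.to_json
    [401, { 'Content-Type' => 'application/json', 'Content-Length' => body.bytesize.to_s }, [body]]
  else
    # Redirect; the client follows with a GET, so the stale POST body and
    # CSRF token never reach the login action.
    location = LOGIN_PATH
    ret = safe_return_path(attempted_path(env))
    if ret && ret != LOGIN_PATH
      location = "#{LOGIN_PATH}?return_to=#{URI.encode_www_form_component(ret)}"
    end
    [302, { 'Location' => location, 'Content-Type' => 'text/plain' }, ["Redirecting to #{location}"]]
  end
end
```

In the initializer this is wired up as manager.failure_app = WARDEN_FAILURE_APP; the login action then reads return_to and must itself validate it as a relative path before redirecting back.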

Setting `unauthenticated_action` with Rails config block

Seems that we do not have any example of how to set unauthenticated_action on RailsWarden

Example I expected to work:

Rails.configuration.middleware.use RailsWarden::Manager do |manager|
  manager.default_strategies :bcrypt
  manager.failure_app = SessionsController
  manager.unauthenticated_action = :failure
end

But that returns an undefined error:

config/initializers/warden.rb:4:in `block in <top (required)>': undefined method `unauthenticated_action=' for #<Warden::Config:0x007fe0ae0a8d68> (NoMethodError)
        from /Users/justin/.rbenv/versions/1.9.3-p125/lib/ruby/gems/1.9.1/gems/warden-1.2.0/lib/warden/manager.rb:23:in `initialize'
        from /Users/justin/.rbenv/versions/1.9.3-p125/lib/ruby/gems/1.9.1/gems/rails_warden-0.5.7/lib/rails_warden/manager.rb:20:in `new'
        from /Users/justin/.rbenv/versions/1.9.3-p125/lib/ruby/gems/1.9.1/gems/rails_warden-0.5.7/lib/rails_warden/manager.rb:20:in `new'
        from /Users/justin/.rbenv/versions/1.9.3-p125/lib/ruby/gems/1.9.1/gems/actionpack-3.2.5/lib/action_dispatch/middleware/stack.rb:43:in `build'
        from /Users/justin/.rbenv/versions/1.9.3-p125/lib/ruby/gems/1.9.1/gems/actionpack-3.2.5/lib/action_dispatch/middleware/stack.rb:113:in `block in build'
        from /Users/justin/.rbenv/versions/1.9.3-p125/lib/ruby/gems/1.9.1/gems/actionpack-3.2.5/lib/action_dispatch/middleware/stack.rb:113:in `each'
        from /Users/justin/.rbenv/versions/1.9.3-p125/lib/ruby/gems/1.9.1/gems/actionpack-3.2.5/lib/action_dispatch/middleware/stack.rb:113:in `inject'
        from /Users/justin/.rbenv/versions/1.9.3-p125/lib/ruby/gems/1.9.1/gems/actionpack-3.2.5/lib/action_dispatch/middleware/stack.rb:113:in `build'
        from /Users/justin/.rbenv/versions/1.9.3-p125/lib/ruby/gems/1.9.1/gems/railties-3.2.5/lib/rails/engine.rb:470:in `app'
...

Bump version for changes in May 2011

Could you please bump the version (to e.g. 0.5.6) so the changes from May 2011 are available in the gem?
I need this for a Rails 3.1 engine which I package as a gem, and IMHO I can't refer to a git path in the gemspec.

Thanks!

README config example

In lib/rails_warden.rb you have

class Warden::SessionSerializer
  def serialize(user)
    [user.class.name, user.id]
  end
  ...

But in the README it looks like you are serializing 'record.class'--the object, not the name.

`block in <class:Railtie>': wrong number of arguments (1 for 0)

I'm trying to use rails_warden in a Rails 3.1 engine. When I try to start the server, I get this error:
vk@vk-desktop:~/work/aspo/aspo_core/auth$ r s
=> Booting WEBrick
=> Rails 3.1.0.rc5 application starting in development on http://0.0.0.0:3000
=> Call with -d to detach
=> Ctrl-C to shutdown server
Exiting
/home/vk/.rvm/gems/ruby-1.9.2-p180@aspo/gems/rails_warden-0.5.5/lib/rails_warden.rb:90:in `block in <class:Railtie>': wrong number of arguments (1 for 0) (ArgumentError)
from /home/vk/.rvm/gems/ruby-1.9.2-p180@aspo/gems/railties-3.1.0.rc5/lib/rails/initializable.rb:25:in `instance_exec'
from /home/vk/.rvm/gems/ruby-1.9.2-p180@aspo/gems/railties-3.1.0.rc5/lib/rails/initializable.rb:25:in `run'
from /home/vk/.rvm/gems/ruby-1.9.2-p180@aspo/gems/railties-3.1.0.rc5/lib/rails/initializable.rb:50:in `block in run_initializers'
from /home/vk/.rvm/gems/ruby-1.9.2-p180@aspo/gems/railties-3.1.0.rc5/lib/rails/initializable.rb:49:in `each'
from /home/vk/.rvm/gems/ruby-1.9.2-p180@aspo/gems/railties-3.1.0.rc5/lib/rails/initializable.rb:49:in `run_initializers'
from /home/vk/.rvm/gems/ruby-1.9.2-p180@aspo/gems/railties-3.1.0.rc5/lib/rails/application.rb:92:in `initialize!'
from /home/vk/.rvm/gems/ruby-1.9.2-p180@aspo/gems/railties-3.1.0.rc5/lib/rails/railtie/configurable.rb:30:in `method_missing'
from /home/vk/work/aspo/aspo_core/auth/spec/dummy/config/environment.rb:5:in `<top (required)>'
from /home/vk/.rvm/gems/ruby-1.9.2-p180@aspo/gems/activesupport-3.1.0.rc5/lib/active_support/dependencies.rb:237:in `require'
from /home/vk/.rvm/gems/ruby-1.9.2-p180@aspo/gems/activesupport-3.1.0.rc5/lib/active_support/dependencies.rb:237:in `block in require'
from /home/vk/.rvm/gems/ruby-1.9.2-p180@aspo/gems/activesupport-3.1.0.rc5/lib/active_support/dependencies.rb:223:in `block in load_dependency'
from /home/vk/.rvm/gems/ruby-1.9.2-p180@aspo/gems/activesupport-3.1.0.rc5/lib/active_support/dependencies.rb:639:in `new_constants_in'
from /home/vk/.rvm/gems/ruby-1.9.2-p180@aspo/gems/activesupport-3.1.0.rc5/lib/active_support/dependencies.rb:223:in `load_dependency'
from /home/vk/.rvm/gems/ruby-1.9.2-p180@aspo/gems/activesupport-3.1.0.rc5/lib/active_support/dependencies.rb:237:in `require'
from /home/vk/work/aspo/aspo_core/auth/spec/dummy/config.ru:4:in `block in '
from /home/vk/.rvm/gems/ruby-1.9.2-p180@aspo/gems/rack-1.3.2/lib/rack/builder.rb:51:in `instance_eval'
from /home/vk/.rvm/gems/ruby-1.9.2-p180@aspo/gems/rack-1.3.2/lib/rack/builder.rb:51:in `initialize'
from /home/vk/work/aspo/aspo_core/auth/spec/dummy/config.ru:1:in `new'
from /home/vk/work/aspo/aspo_core/auth/spec/dummy/config.ru:1:in `'
from /home/vk/.rvm/gems/ruby-1.9.2-p180@aspo/gems/rack-1.3.2/lib/rack/builder.rb:40:in `eval'
from /home/vk/.rvm/gems/ruby-1.9.2-p180@aspo/gems/rack-1.3.2/lib/rack/builder.rb:40:in `parse_file'
from /home/vk/.rvm/gems/ruby-1.9.2-p180@aspo/gems/rack-1.3.2/lib/rack/server.rb:200:in `app'
from /home/vk/.rvm/gems/ruby-1.9.2-p180@aspo/gems/railties-3.1.0.rc5/lib/rails/commands/server.rb:46:in `app'
from /home/vk/.rvm/gems/ruby-1.9.2-p180@aspo/gems/rack-1.3.2/lib/rack/server.rb:301:in `wrapped_app'
from /home/vk/.rvm/gems/ruby-1.9.2-p180@aspo/gems/rack-1.3.2/lib/rack/server.rb:252:in `start'
from /home/vk/.rvm/gems/ruby-1.9.2-p180@aspo/gems/railties-3.1.0.rc5/lib/rails/commands/server.rb:70:in `start'
from /home/vk/.rvm/gems/ruby-1.9.2-p180@aspo/gems/railties-3.1.0.rc5/lib/rails/commands.rb:54:in `block in <top (required)>'
from /home/vk/.rvm/gems/ruby-1.9.2-p180@aspo/gems/railties-3.1.0.rc5/lib/rails/commands.rb:49:in `tap'
from /home/vk/.rvm/gems/ruby-1.9.2-p180@aspo/gems/railties-3.1.0.rc5/lib/rails/commands.rb:49:in `<top (required)>'
from /home/vk/work/aspo/aspo_core/auth/spec/dummy/script/rails:6:in `require'
from /home/vk/work/aspo/aspo_core/auth/spec/dummy/script/rails:6:in `<top (required)>'
from /home/vk/tools/fake_gem/lib/fake_gem.rb:44:in `load'
from /home/vk/tools/fake_gem/lib/fake_gem.rb:44:in `load'
from script/rails:6:in `'

vk@vk-desktop:~/work/aspo/aspo_core/auth$ ruby -v
ruby 1.9.2p180 (2011-02-18 revision 30909) [i686-linux]

vk@vk-desktop:~/work/aspo/aspo_core/auth$ rails -v
Rails 3.1.0.rc5

RailsWarden::Manager adds a before_failure callback to Warden::Manager for each request

Because of the way Rails's middleware builder is implemented, RailsWarden::Manager.new gets called for each request. Because this method calls Warden::Manager.before_failure, which stores the passed-in block as a class instance variable, Warden::Manager._before_failure.size grows by 1 for each request.

RailsWarden should register the "action_controller.rescue.request" with Warden only once.

please release

@hassox

you can also give me rubygems access ([email protected]) and I'll take care of it (we are running a few pretty big projects on it and are refactoring our auth stack right now)

Warden helpers becomes undefined when used with cucumber and rspec-rails

I am not sure that this is exactly a warden issue (sorry for rhyming), but users should know about this problem, so I am opening this one.
I am using cucumber + rspec-rails, and by default I have the following in the cucumber environment:

config.gem "rspec-rails", :lib => "spec/rails", :version => ">= 1.2.7"

That can result in:
undefined local variable or method `warden' for #<ActionView::Base:0x24de7f0> (ActionView::TemplateError)

All works fine if the gem config is changed to:

config.gem "rspec-rails", :lib => false, :version => ">= 1.2.7"

Warden inspect output is huge and it slows down Rails exception pages on development

The exception backtrace page that's rendered for exceptions on development includes an env dump section that shows all the env keys including an inspect of the warden object. This content is huge (several MB) and causes the page to take a long time to render.
Here is a related Rails issue:
https://rails.lighthouseapp.com/projects/8994/tickets/5027-_request_and_responseerb-and-diagnosticserb-take-an-increasingly-long-time-to-render-in-development-with-multiple-show-tables-calls
