I'm not particularly familiar with ruby-box, but it appears that their Session class is confusingly named. The Rails session object, accessible from controllers, is a way of managing persistent state across requests for a user -- a typical use of the word "session." But a ruby box session is nothing of the sort; it appears to just be a plain old ruby object with an API for making oauth authorization requests to ruby box.
The key is that there is no persistence of any RubyBox::Session object between requests. So when you redirect the user after sign in, the local variable session you created in after_sign_in_path_for is no longer available. So when you refer to session in your BoxController, you're getting an actual session object, not a RubyBox::Session.
The workflow that you're attempting isn't designed for an Authorization Code oauth grant type (the kind where a user of your application explicitly authorizes access to some protected resource they own, and you exchange an authorization code for an access token). It appears that it's designed for the Client Credentials authorization grant. That is, you're just getting a token based on your client key and client secret, where the authorization to access protected resources is implicit after you've authenticated your client.
Edited to add: if you want to authenticate your users via Box, you should have a look at omniauth-box instead, which will help you easily implement the authorization code oauth flow and will play nicely with devise.
So it appears that the documentation you're following isn't designed for the use case you have in mind. But as for the sessions, yeah, the session helper in a Rails controller refers to the user's session data that is persistent across requests, not a RubyBox::Session object.
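
An added sketch of the point above (not part of the original answer, and not the ruby-box API): only plain data placed in the per-user session survives a redirect, so the client object is rebuilt from a stored token on each request. It goes slightly beyond the answer by also keeping the OAuth `state` value in the session and checking it on the callback. `BoxSessionStub`, `exchange_code`, the URL and the token values are hypothetical stand-ins, and a plain Hash plays the role of the Rails session.

```ruby
require 'securerandom'
require 'openssl'

# Hypothetical stand-in for a client object such as RubyBox::Session.
# It only models "an object that holds a token"; it is not the ruby-box API.
BoxSessionStub = Struct.new(:access_token)

# Constructed stand-in for the provider's token endpoint.
def exchange_code(code)
  code == 'good-code' ? 'token-abc' : nil
end

# Request 1: start the flow. Only plain data goes into the per-user session;
# any object built in a local variable here is gone when the request ends.
def start_authorization(rails_session)
  rails_session[:oauth_state] = SecureRandom.hex(16)
  "https://provider.example/authorize?state=#{rails_session[:oauth_state]}"
end

# Request 2: the redirect back. The state stored in request 1 is single-use
# and must match before the code is exchanged and the token string is stored.
def handle_callback(rails_session, params)
  expected = rails_session.delete(:oauth_state).to_s
  given = params[:state].to_s
  return :rejected if expected.empty? || !OpenSSL.secure_compare(given, expected)

  token = exchange_code(params[:code])
  return :rejected unless token

  rails_session[:box_access_token] = token
  :ok
end

# Request 3 and later: rebuild the client object from the persisted token.
# Returns nil when the user has not completed the flow yet.
def box_session_for(rails_session)
  token = rails_session[:box_access_token]
  token && BoxSessionStub.new(token)
end
```
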