Removing a Warden strategy - how to ensure original devise_authenticable strategy is gone

StackOverflow https://stackoverflow.com/questions/7547826

29-01-2021

I created my own Warden strategy for use with Devise. It's very similar to Devise::Strategies::DatabaseAuthenticatable and actually it inherits from it and re-implements authenticate!

My issue though is that I want to make sure the original devise_authenticable Warden strategy is gone. That is, not in the list of strategies Warden will try, because it's actually a security problem. Is that possible?

Solution

According to my manual inspection and tests, this in the devise.rb initializer achieves the goal:

config.warden do |manager|
  strategies = manager.default_strategies(:scope => :user)
  strategies[strategies.index(:database_authenticatable)] = :alternative_strategy
end

And the strategy is implemented this way (not part of this question, but I found conflicting information out there and this one is the one that worked for me using Rails 3.1, devise 1.4.7 and warden 1.0.5):

class AlternativeStrategy < Devise::Strategies::Authenticatable
  def authenticate!
  end
end
Warden::Strategies.add(:alternative_strategy, AlternativeStrategy)

Other tips

I just implemented this as well. Devise will try each strategy in its list until one succeeds.

For me, rather than replace the :database_authenticatable strategy in place, I just added my strategy to the beginning of the list and popped :database_authenticatable off the end of the existing list.

config.warden do |manager|
  # Exiles::Devise::Strategies::BySite implemented in lib/.  It matches the stub in Pablo's answer
  manager.strategies.add( :by_site_auth, Exiles::Devise::Strategies::BySite )

  # add my strategy to the beginning of the list.
  manager.default_strategies(:scope => :user).unshift :by_site_auth

  # remove the default database_authenticatable strategy from the list
  manager.default_strategies(:scope => :user).pop
end
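
An added example, not code from either answer or from Devise/Warden: one way to make the swap independent of where :database_authenticatable sits in the list, and to refuse to boot if it is still enabled afterwards. The helper names `replace_strategy!`, `assert_strategies!` and `StrategyListError` are hypothetical, and the sample lists are constructed.

```ruby
# Added example; helper names are hypothetical, not Devise or Warden API.
# Both helpers work on the Array of strategy symbols that
# manager.default_strategies(:scope => :user) returns in the answers above.
class StrategyListError < StandardError; end

# Swap `old` for `new` in place, at the position of the first `old`, so the
# other strategies keep their order. Raises if `old` is not in the list.
def replace_strategy!(strategies, old, new)
  raise ArgumentError, "old and new are the same strategy" if old == new
  unless strategies.include?(old)
    raise StrategyListError, "#{old.inspect} not in #{strategies.inspect}"
  end
  strategies.delete(new)            # never list the replacement twice
  position = strategies.index(old)
  strategies.delete(old)            # removes every occurrence, wherever it sits
  strategies.insert(position, new)
end

# Fail closed: raise unless all `forbidden` strategies are absent and all
# `required` ones are present. Returns true otherwise.
def assert_strategies!(strategies, forbidden, required)
  present = forbidden & strategies
  missing = required - strategies
  return true if present.empty? && missing.empty?
  raise StrategyListError,
        "still enabled: #{present.inspect}, missing: #{missing.inspect}"
end

# In the devise.rb initializer the calls would sit inside the existing block:
#   config.warden do |manager|
#     list = manager.default_strategies(:scope => :user)
#     replace_strategy!(list, :database_authenticatable, :alternative_strategy)
#     assert_strategies!(list, [:database_authenticatable], [:alternative_strategy])
#   end

if __FILE__ == $0
  # Constructed lists; the real one depends on the modules the model enables.
  [[:rememberable, :database_authenticatable],
   [:database_authenticatable, :token_authenticatable]].each do |list|
    replace_strategy!(list, :database_authenticatable, :alternative_strategy)
    assert_strategies!(list, [:database_authenticatable], [:alternative_strategy])
    puts "ok: #{list.inspect}"
  end
end
```

Raising inside the initializer stops the application from starting with the password strategy still in the list, which is easier to notice than a silent fallback at sign-in time.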
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow