Question

As a RoR newbie, I'm using the rails-stripe-membership-saas code (https://github.com/RailsApps/rails-stripe-membership-saas) for my application's base (using Devise for authentication) and attempting to integrate into it the ruby-box gem (https://github.com/attachmentsme/ruby-box) for access to the Box API.

I'm running into what I believe to be conflicts between the Devise session and the subsequent ruby-box (OAuth2) session. My user model contains:

# :omniauthable
devise :database_authenticatable, :registerable, :recoverable, :rememberable, :trackable, :validatable

After a user logs in, I'm redirecting them to Box to allow them to grant access to my application. This is handled in my application_controller and currently works as such,

def after_sign_in_path_for(resource)
  case current_user.roles.first.name
  when 'silver'
    require 'ruby-box'
    # Local variable only; it does not survive past this request
    session = RubyBox::Session.new({client_id: '###',
                                    client_secret: '###'})
    authorize_url = session.authorize_url('https://myurl.com/auth/box')
  end
end

Once the user grants access to my app, they are redirected to my Box controller (auth/box), where I'm attempting to get the access token from Box based on the code they provided in the redirect,

class BoxController < ApplicationController
  def new
    @token = session.get_access_token('code-returned-to-redirect_url')
  end
end

This is when I run into the issue, getting the error:

undefined method 'get_access_token' for #<Rack::Session::Abstract::SessionHash:0x0000003b4cf00>

I can only assume that in calling "session" it's not able to distinguish between the current user session and the Box session? How can I correct for this?

Thanks for your time and assistance.


Solution

I'm not particularly familiar with ruby-box, but it appears that their Session class is confusingly named. The Rails session object, accessible from controllers, is a way of managing persistent state across requests for a user -- a typical use of the word "session." But a ruby box session is nothing of the sort; it appears to just be a plain old ruby object with an API for making oauth authorization requests to ruby box.

The key is that there is no persistence of any RubyBox::Session object between requests. So when you redirect the user after sign in, the local variable session you created in after_sign_in_path_for is no longer available. So when you refer to session in your BoxController, you're getting an actual session object, not a RubyBox::Session.

The workflow that you're attempting isn't designed for an Authorization Code oauth grant type (the kind where a user of your application explicitly authorizes access to some protected resource they own, and you exchange an authorization code for an access token). It appears that it's designed for the Client Credentials authorization grant. That is, you're just getting a token based on your client key and client secret, where the authorization to access protected resources is implicit after you've authenticated your client.

Edited to add: if you want to authenticate your users via Box, you should have a look at omniauth-box instead, which will help you easily implement the authorization code oauth flow and will play nicely with devise.

So it appears that the documentation you're following isn't designed for the use case you have in mind. But as for the sessions, yeah, the session helper in a Rails controller refers to the user's session data that is persistent across requests, not a RubyBox::Session object.
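To make the point about persistence concrete, here is an added example (not from the question, the answer, or the ruby-box gem) that models the two requests involved: the sign-in redirect and the callback. It uses a hypothetical stand-in class, FakeBoxClient, with the same two method names the question uses, a plain Hash in place of the Rails session helper, and placeholder credentials; the redirect URI is the one from the question. The client object is rebuilt from configuration on every request, and only small serializable values (a state nonce, then the token) are kept in the session hash, which also gives the callback a check that the code it receives belongs to the flow this user started.

```ruby
require 'securerandom'
require 'uri'

# Hypothetical stand-in for RubyBox::Session: only the two methods used in the
# question, with no network access. The real gem is not loaded here.
class FakeBoxClient
  AUTHORIZE_ENDPOINT = 'https://app.box.com/api/oauth2/authorize' # illustrative

  def initialize(client_id:, client_secret:)
    @client_id, @client_secret = client_id, client_secret
  end

  def authorize_url(redirect_uri, state)
    "#{AUTHORIZE_ENDPOINT}?response_type=code&client_id=#{@client_id}" \
      "&redirect_uri=#{URI.encode_www_form_component(redirect_uri)}&state=#{state}"
  end

  # Pretend token exchange; a real client would POST the code to Box.
  def get_access_token(code)
    "token-for-#{code}"
  end
end

# Placeholder credentials; in a real app these come from configuration, not code.
BOX_CONFIG = { client_id: 'CLIENT_ID_PLACEHOLDER', client_secret: 'CLIENT_SECRET_PLACEHOLDER' }.freeze
REDIRECT_URI = 'https://myurl.com/auth/box'

# Request 1 (after_sign_in_path_for). The client is a throwaway local, deliberately
# not named `session`; only a random state nonce is written to the Rails session.
def after_sign_in_path_for(rails_session)
  client = FakeBoxClient.new(**BOX_CONFIG)
  rails_session[:box_oauth_state] = SecureRandom.hex(16)
  client.authorize_url(REDIRECT_URI, rails_session[:box_oauth_state])
end

# Request 2 (BoxController#new). Nothing from request 1 exists except what was
# stored in rails_session, so a fresh client is built from configuration. The
# state nonce is consumed on first use and must match what Box sends back.
def box_callback(rails_session, params)
  expected = rails_session.delete(:box_oauth_state)
  return :rejected if expected.nil? || params[:state] != expected || params[:code].to_s.empty?
  client = FakeBoxClient.new(**BOX_CONFIG)
  rails_session[:box_access_token] = client.get_access_token(params[:code])
  :ok
end
```

In a Rails controller the `rails_session` argument would simply be the `session` helper; the separate name here is only to keep the two meanings of "session" apart.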

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow