0
votes

I have an Ember app accessing a Rails API with Devise for authentication, more or less following the ember-auth-demo GitHub project.

Everything works, but in my testing I've noticed that if I sign in and out and then try to register a new account, Rails complains with:

Filter chain halted as :require_no_authentication rendered or redirected
Completed 302 Found in 2ms (ActiveRecord: 0.2ms)

Googling has revealed that this is to prevent authenticated users from creating new accounts, which seems like a sound policy I shouldn't necessarily circumvent.

However, it's curious because my front-end Ember app is not in an authenticated state. Looking at my local cookie store, remember_token is successfully destroyed on sign-out. However, the session cookie is still hanging around. If I manually destroy that, then everything is back to working as expected: the user is not considered authenticated by the back-end app, and it processes the request normally.

For brevity, the relevant files are in this gist: https://gist.github.com/DVG/5975064, but my sign_out functions are here:

#EmberAuth Signout Method
App.ApplicationController = Ember.Controller.extend
  signOut: ->
    App.Auth.signOut()
    App.Auth.destroySession()

#Rails SessionsController#destroy
def destroy
  return missing_params unless params[:auth_token]

  resource = resource_class.find_by_authentication_token(params[:auth_token])
  return invalid_credentials unless resource

  resource.reset_authentication_token!
  render json: {user_id: resource.id}, status: 200
end

1 Answers

0
votes

The issue was I was storing the token in the session. Had to disable it with:

config.skip_session_storage = [:http_auth, :token_auth]

in the Devise initializer.
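The behaviour described in this question and answer, as an added example that is not part of the original posts and is not Devise's own code: a simplified model in which token authentication may also cache the user in the session, so a sign-out that only rotates the token leaves the session cookie authenticated. `ToyApi`, `still_signed_in_after_sign_out?` and the `clear_session` option are hypothetical names, and the token value is constructed.

```ruby
# Simplified model (constructed for illustration, not Devise's code) of a
# token-authenticated API that may also remember the user in the session.
require "securerandom"

User = Struct.new(:id, :authentication_token) do
  def reset_authentication_token!
    self.authentication_token = SecureRandom.hex(16)
  end
end

class ToyApi
  def initialize(users, skip_session_storage: [])
    @users = users
    @skip = skip_session_storage
    @session = {} # stands in for the server-side view of the session cookie
  end

  # Authenticate by token; unless :token_auth is skipped, the user is also
  # written to the session, which outlives the token.
  def authenticate(auth_token)
    user = @users.find { |u| u.authentication_token == auth_token }
    @session[:user_id] = user.id if user && !@skip.include?(:token_auth)
    user
  end

  # Sign-out as in the question: rotates the token only. Passing
  # clear_session: true models also dropping the server-side session.
  def destroy(auth_token, clear_session: false)
    user = @users.find { |u| u.authentication_token == auth_token }
    return :invalid_credentials unless user
    user.reset_authentication_token!
    @session.clear if clear_session
    :ok
  end

  # Modelled stand-in for what a "no authenticated user" filter checks.
  def signed_in?
    @session.key?(:user_id)
  end
end

# Runs sign-in followed by sign-out and reports whether the backend still
# considers the client authenticated afterwards.
def still_signed_in_after_sign_out?(skip: [], clear_session: false)
  api = ToyApi.new([User.new(1, "constructed-token")], skip_session_storage: skip)
  api.authenticate("constructed-token")
  api.destroy("constructed-token", clear_session: clear_session)
  api.signed_in?
end
```

With the default settings the model stays signed in after sign-out; it does not when `:token_auth` is skipped for session storage or when the session is cleared on sign-out.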