Replies: 1 comment 2 replies
-
|
I'm assuming Jeremy designed it that way for consistency, so that you can read JWT tokens even if the data is empty (= user is not logged in). For the I believe you could skip it by overriding set_jwt_token do |token|
next if request.path == reset_password_request_path
super(token)
end |
Beta Was this translation helpful? Give feedback.
-
|
Isn't the access token providing credentials for a user to make authorized requests in my application? Why would it return a JWT if the user is not logged in? If I'm understanding it right, the |
Beta Was this translation helpful? Give feedback.
-
Again, I cannot speak for Jeremy's design decisions, but maybe it's there to differentiate the response that logs the user out (returns token with empty data) and the one that keeps the user logged in but doesn't update any data (returns no token)? There are other scenarios that can log the user out besides
That's correct 👍🏻 |
Beta Was this translation helpful? Give feedback.
-
Why does JWT authentication always return access tokens to Rodauth routes? Is there a way to limit which routes it returns a JWT from?
For example, when I call
forgot-password-requestwith an email when using JWT auth, it returns an access token for the email I am requesting a password reset email for, which I can then use in subsequent requests as anAuthorizationheader.Beta Was this translation helpful? Give feedback.
All reactions