Help with figuring out session resets on JSON login and account creation flows

[FelipeBodelon]

So far so good implementing a hybrid Rails + SPA auth system. There is some key features for my use case that I can't figure out yet. I have an authentication authorization layer which uses rodauth.authenticated? for checking if the current session reflects an authenticated user. For the SPA frontend I just fetch the session data whilst including credentials on the request, and for the Rails views I just redirect to the SPA for auth.

I can handle the "redirect back" after authentication on frontend routes (fully client side) but I'm missing this for trying to access views on RoR. My attempted solution is to store the attempted route on the session, since my cookie shares a common domain with the SPA then sharing the session through frontends is not an issue. So, when trying to access a protected route I set a session value but after a successful authentication flow (login or account creation) the session is reset (I think) and my return_to session value no longer exists.

My instincts believe that a new session is being created when logging in, is there a way to persist and update the session instead? Or can I assign new session values based on the reset session? Does this sound like a correct way to handle this? I've thought of including the redirect url or path through the url (query params) but it would be a bit ugly since my auth flows go through multiple routes and it sounds insecure to redirect attacks.

Edit: Digging in a bit more I found out that on login the session is being cleared. This would be a rodauth thing rather than a rails-rodauth feature, tho I lack the knowledge about the internals to figure out if it's ok to avoid resetting the session. Does the omniauth login follow the same logic?

[janko]

Rodauth resets the session after login because it's a good general security practice, as it should prevent session hijacking. Did you try using Rodauth login's native functionality for returning to originally requested location, turned on by setting login_return_to_requested_location? true? Though JSON API will not show redirect locations, so you'd have to expose it in the JSON response, something like:

login_return_to_requested_location? true
login_response do
  json_response[:return_to] = saved_login_redirect if saved_login_redirect
  super()
end

[FelipeBodelon]

That's great, thanks Janko! Will probably make use of this setting. Honestly really surprised with the flexibility and extensibility of both rodauth and rodauth-rails, though honestly I still struggle a bit with learning this stuff with the current documentation. Let me know if I can help in any way towards improving the available resources.

[janko]

Yeah, Rodauth documentation could definitely use improvement, especially from someone learning it for the first time. Feature docs are mainly API docs, they're often lacking examples of common use cases. At this point I'm so familiar with Rodauth source code that I barely even check documentation, so my point of view is limited.