
After sign in, any access-token is valid with correct client #1394

Closed
parkerleblanc01 opened this issue Apr 10, 2020 · 4 comments

Comments

@parkerleblanc01

After signing in using email authentication the resulting client will work with any access token until there is a ~5 second gap between requests.

For example, if I sign in, grab the client from the header and quickly make a request with a bad access token, '123', I will be able to access any point that requires authentication for the next ~5 seconds. If I continue to repeatedly make calls to the api, this access will continue indefinitely.

  • Version: 1.1.3

  • Request and response headers: client, access-token, expiry, token-type,

  • Rails Stacktrace: this can be found in the log/development.log of your API.

  • Environmental Info: Same as reference implementation

  • Routes: api/v1/auth, api/v1/resource

  • Gems: Default ruby 6.0.2.2 gems
    source 'https://rubygems.org'
    git_source(:github) { |repo| "https://github.com/#{repo}.git" }
    ruby '2.7.1'
    gem 'rails', '~> 6.0.2', '>= 6.0.2.2'
    gem 'pg', '>= 0.18', '< 2.0'
    gem 'puma', '~> 4.1'
    gem 'bootsnap', '>= 1.4.2', require: false
    gem 'devise_token_auth'
    gem 'rswag-api'
    gem 'rswag-ui'
    group :development, :test do
      gem 'byebug', platforms: [:mri, :mingw, :x64_mingw]
      gem 'rspec-rails', '~> 4.0.0'
      gem 'rswag-specs'
    end
    group :development do
      gem 'listen', '>= 3.0.5', '< 3.2'
      gem 'spring'
      gem 'spring-watcher-listen', '~> 2.0.0'
    end
    gem 'tzinfo-data', platforms: [:mingw, :mswin, :x64_mingw, :jruby]

  • Custom Overrides: None

  • Custom Frontend: None, just an API

@frolovdev

Same here; the test from the documentation also fails (deny access to a restricted page with an incorrect token).

https://devise-token-auth.gitbook.io/devise-token-auth/usage/testing
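To make the behaviour in the report and in the documentation test above checkable, here is an added Ruby model (not devise_token_auth's code; the field names, the 5 second window size and the token hashing are assumptions). It puts a check shaped to produce the reported symptom beside one that always compares the token, and runs the report's scenario against both.

```ruby
require 'securerandom'
require 'digest'
BATCH_BUFFER_SECONDS = 5 # assumed size of the token-reuse window

def hash_token(token)
  Digest::SHA256.hexdigest(token.to_s)
end
# Constant-time comparison so the check does not leak where the strings differ.
def secure_equal?(a, b)
  a.bytesize == b.bytesize && a.bytes.zip(b.bytes).sum { |x, y| x ^ y }.zero?
end

# Sign-in: server-side state plus the plaintext token returned in the access-token header.
def sign_in(now)
  token = SecureRandom.urlsafe_base64(24)
  state = { client: SecureRandom.urlsafe_base64(16), token_hash: hash_token(token),
            expiry: now + 3600, last_seen: now }
  [state, token]
end

# A check shaped to give the reported symptom: inside the window only the client
# id is verified, so any access-token value (e.g. '123') is accepted.
def valid_token_buggy?(state, client, token, now)
  in_window = now - state[:last_seen] < BATCH_BUFFER_SECONDS
  state[:last_seen] = now
  return true if in_window && secure_equal?(client, state[:client])
  secure_equal?(client, state[:client]) && secure_equal?(hash_token(token), state[:token_hash])
end

# Correct check: the window only decides whether the token is reused or rotated;
# the comparison never depends on timing. Returns [authorized?, token to use next].
def valid_token?(state, client, token, now)
  return [false, nil] if now > state[:expiry] || !secure_equal?(client, state[:client])
  return [false, nil] unless secure_equal?(hash_token(token), state[:token_hash])
  next_token = token
  if now - state[:last_seen] >= BATCH_BUFFER_SECONDS
    next_token = SecureRandom.urlsafe_base64(24)
    state[:token_hash] = hash_token(next_token)
  end
  state[:last_seen] = now
  [true, next_token]
end

# The reporter's scenario: sign in, then one second later present '123' with the right client.
def reported_scenario
  t0 = Time.utc(2020, 4, 10)
  state, _good = sign_in(t0)
  { buggy_accepts: valid_token_buggy?(state.dup, state[:client], '123', t0 + 1),
    fixed_accepts: valid_token?(state.dup, state[:client], '123', t0 + 1).first }
end
```

The same scenario, written as a request spec against the real API with a fabricated access-token header, is the regression test to keep around regardless of whether the symptom can be reproduced locally.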

@frolovdev

@MaicolBen excuse me, any updates on such problem?

@MaicolBen
Collaborator

I cannot reproduce this error; can you tell me which endpoint is letting you in with an invalid token?

@parkerleblanc01
Author

I've gone through and tried to reproduce the error myself and can't. @frolovdev any luck?
