What do you do when your redirect doesn’t go where you tell it?

Clearly I’m missing something.

I stepped through the code, following the failure path of Sheogorath’s Recaptcha. It fails as expected, and hits this redirect before doing anything else:

`return redirect_to new_user_session_path`

I verified that this redirects to the “/users/sign_in” path, and it returns so the server doesn’t even try to authenticate the user. It just nopes out as it should to prevent timing attacks.

But somehow instead of doing that and redirecting as it should, it signs the user in and redirects somewhere else entirely: the role select page, which only happens after authenticating an admin user. It never even hits my breakpoint after the recaptcha check! It never authenticates!

I think what I’m missing is my old reality where things made sense.

  • 2
    @M1sf3t You’re right. I’m also missing rum.
  • 1
    Can you ever hit where it is redirecting without going through the sign-in procedure?
  • 1
    Seems like there are two possible paths that code is taking. One signs in the user and sets the session. The other, yours, does what it is supposed to but gets bumped out by the other route.

    Are there any other functions being called right at submit?
  • 1
    @superposition No, but your second point is more likely.

    I’m adding a call to my Recaptcha wrapper within a Devise view and controller. I don’t know what Devise does under the hood, or honestly, even how it works. I avoid Devise like the plague because it’s so magical and difficult to use/debug, and invariably a gigantic pain. So I’m assuming that’s the actual cause. Devise is probably catching the post, calling the authentication method defined in our application, and then running its own code which then authenticates the user.

    But I don’t know how to go about debugging it, either.

    The only experience I have with Devise is a) leaving it alone and avoiding it, and b) ripping it out of several applications because the development cost was lower that way.
  • 2
    It was fucking Devise.

    It’s intercepting the signin POST, authenticating the user, and only then running the signin method our application defines. It also overrides my redirect somehow. It’s treating our signin method like an “after_signin” hook.

    So the solution?
    Sign the user out, then redirect.

    Bloody fucking Devise.