From e903d89c8348a0fb7ba8c40cf79db16074e86971 Mon Sep 17 00:00:00 2001
From: ann_lewis
Date: Wed, 27 May 2015 11:41:17 -0400
Subject: [PATCH] fix(session#new): unset client_id to avoid unhandled 500 server error caused by logging in with valid user, bad password, and DeviseTokenAuth.change_headers_on_each_request = false
---
 .../concerns/set_user_by_token.rb | 9 ++++--
 .../sessions_controller_test.rb | 30 +++++++++++++++++++
 2 files changed, 37 insertions(+), 2 deletions(-)
diff --git a/app/controllers/devise_token_auth/concerns/set_user_by_token.rb b/app/controllers/devise_token_auth/concerns/set_user_by_token.rb
index 099be68f4..2e522690a 100644
--- a/app/controllers/devise_token_auth/concerns/set_user_by_token.rb
+++ b/app/controllers/devise_token_auth/concerns/set_user_by_token.rb
@@ -14,7 +14,6 @@ def set_request_start
 # user auth
 def set_user_by_token(mapping=nil)
- # determine target authentication class
 rc = resource_class(mapping)
@@ -39,6 +38,12 @@ def set_user_by_token(mapping=nil)
 # user has already been found and authenticated
 return @resource if @resource and @resource.class == rc
+ # ensure we clear the client_id
+ if !@token
+ @client_id = nil
+ return
+ end
+
 return false unless @token
 # mitigate timing attacks by finding by uid instead of auth token
@@ -49,13 +54,13 @@ def set_user_by_token(mapping=nil)
 return @resource = user
 else
 # zero all values previously set values
+ @client_id = nil
 return @resource = nil
 end
 end
 def update_auth_header
- # cannot save object if model has invalid params
 return unless @resource and @resource.valid? and @client_id
diff --git a/test/controllers/devise_token_auth/sessions_controller_test.rb b/test/controllers/devise_token_auth/sessions_controller_test.rb
index 3c91d7ac3..7051e7648 100644
--- a/test/controllers/devise_token_auth/sessions_controller_test.rb
+++ b/test/controllers/devise_token_auth/sessions_controller_test.rb
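Review bot: The guard added in the second hunk makes the `return false unless @token` context line directly below it unreachable and changes the no-token return value from `false` to `nil`, which any caller that compares against `false` rather than testing truthiness would notice. Folding the two into one guard keeps the old return value, drops the dead line and reads as idiomatic Ruby: `unless @token` / `@client_id = nil` / `return false` / `end`. In the third hunk the else branch clears `@client_id` but leaves `@token` set, so later code on the same controller instance still sees a token that failed to authenticate; whether that matters depends on how `@token` is read in the parts of the method between the hunks, which are not shown here. set_user_by_token's body spans these hunks with stretches of it outside SOURCE.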
@@ -136,6 +136,36 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
 end
 end
+ describe 'failure with bad password when change_headers_on_each_request false' do
+ before do
+ DeviseTokenAuth.change_headers_on_each_request = false
+
+ # accessing current_user calls through set_user_by_token,
+ # which initializes client_id
+ @controller.current_user
+
+ xhr :post, :create, {
+ email: @existing_user.email,
+ password: 'bogus'
+ }
+
+ @resource = assigns(:resource)
+ @data = JSON.parse(response.body)
+ end
+
+ test "request should fail" do
+ assert_equal 401, response.status
+ end
+
+ test "response should contain errors" do
+ assert @data['errors']
+ end
+
+ after do
+ DeviseTokenAuth.change_headers_on_each_request = true
+ end
+ end
+
 describe 'case-insensitive email' do
 before do