shatalov-boris commented Nov 14, 2021

The ignore_session option allows authenticating a user with strategies even if there is a user in the session:

```ruby
warden.authenticate(scope: :user, ignore_session: true)
```

I have a controller where I want to authenticate a user only by one specific strategy.
So I write something like this:

```ruby
warden.authenticate(:my_strategy, scope: :user, store: false)
```

It works fine until a user with a cookie sends a request to this controller. In this case, my custom strategy will be ignored and the user will be found in cookies.

I know I can achieve what I want by changing the scope. But it doesn't give a 100% guarantee. If somehow the cookie is set for the user scope, the problem will repeat.

The ignore_session option gives a 100% guarantee that my strategy will be used.

It can be helpful for other people, I believe. For example, it can be used for API controllers where you need to authenticate a user only by some kind of token.
Currently, a user with a cookie can send requests to such a controller with different tokens and these tokens will be ignored.

What do you think?
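The lookup order discussed in this comment, as an added example that is not part of the original post and is not Warden's own code: a simplified plain-Ruby model in which a user already in the session is returned before any strategy runs, unless `ignore_session` is set. `MiniProxy`, `TOKENS`, `token_strategy` and the session key format are hypothetical names chosen for illustration.

```ruby
# Simplified model of the lookup order described in this thread; not Warden's code.
# MiniProxy, TOKENS, token_strategy and the session key are hypothetical names.
TOKENS = { "tok-alice" => "alice" }.freeze # constructed sample data

class MiniProxy
  def initialize(session:, params:)
    @session = session # stands in for the cookie-backed session
    @params  = params  # stands in for the request parameters
  end

  # Returns [user, source]; source records which path produced the result.
  def authenticate(strategy, scope: :user, store: true, ignore_session: false)
    key = "user.#{scope}"
    # A user already in the session wins unless the caller opts out.
    if !ignore_session && (user = @session[key])
      return [user, :session]
    end
    user = send(strategy)
    return [nil, :failed] unless user
    @session[key] = user if store
    [user, :strategy]
  end

  private

  # Token strategy: succeeds only for a known token.
  def token_strategy
    TOKENS[@params["token"]]
  end
end

def demo
  cookie  = { "user.user" => "bob" }          # bob signed in earlier in the browser
  invalid = { "token" => "not-a-real-token" } # token the strategy would reject
  {
    default: MiniProxy.new(session: cookie.dup, params: invalid)
                      .authenticate(:token_strategy, store: false),
    ignored: MiniProxy.new(session: cookie.dup, params: invalid)
                      .authenticate(:token_strategy, store: false, ignore_session: true),
    valid:   MiniProxy.new(session: cookie.dup, params: { "token" => "tok-alice" })
                      .authenticate(:token_strategy, store: false, ignore_session: true)
  }
end

demo.each { |name, result| puts "#{name}: #{result.inspect}" }
```

In the `default` case the rejected token is never checked because the session user is returned first; with `ignore_session: true` the strategy decides the outcome.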

It skips the lookup for an existing user and runs strategies
@shatalov-boris changed the title from Add "force" option to configuration to Add "ignore_session" option to configuration on Dec 1, 2021

@shatalov-boris (Author)

Hey @jsmestad, any thoughts on this?

@jsmestad (Collaborator)

@shatalov-boris I like the idea. I need to read through it more before we push it into master, but I think it looks good at first glance.

@jsmestad self-assigned this on Dec 29, 2021

oehlschl commented Feb 8, 2022

Just wanted to second the value here. We're working to separate some overlapping auth mechanisms (both sessions and tokens being used by different legacy apps on the same domain, unfortunately), and having more control over how sessions are handled (without introducing scopes) would be a big help. Thanks!
