Understanding the Clearance source code

Hi seeing as this is a Thoughtbot gem I thought I’d ask here first.

I’m reading through the Clearance gem’s source code (a habit I’m trying to get into to better my coding) and I’m trying to figure out what’s happening in the session management side.

In session.rb we have

def sign_in(user, &block)
      @current_user = user
      status = run_sign_in_stack

      if status.success?
        cookies[remember_token_cookie] = user && user.remember_token
        @current_user = nil

      if block_given?

In particular

cookies[remember_token_cookie] = user && user.remember_token

So if successful the cookie is set to the user’s remember token. But then when the request is finished and the rails app returns the result back to the rack middleware stack, clearance’s rack_session sets the cookie again like so

    def call(env)
      session = Clearance::Session.new(env)
      env[:clearance] = session
      response = @app.call(env)
      session.add_cookie_to_headers response[1] # <<- set again here

which is defined as

   def add_cookie_to_headers(headers)
      if cookie_value[:value].present?

Can anyone explain the flow?


Session gets set to Clearance::Session.new, which you can tell sets an instance variable of @cookies to nil. After running the sign in block, we return to the middleware and then set the session cookie to the value needed.

I believe the reason for this is that then other middleware and Rack applications can make use of the value.


This is the part of Clearance I’m least confident about. What I’d probably try to do is remove that line in the controller to see if any tests break. Hopefully they will and I’d be able to trace through what’s going on at that point. If they don’t then I’d have some more work ahead to see if I trust that result and if I could actually remove that and rely on the middleware entirely.

I may find some time to play with tomorrow during investment time to give a better answer.

Thanks Pedro.

The problem is getting assigned twice the users token (not a nill value) in one successful sign in request. Once in session.rb and then again in the middleware.

So I’m wondering why twice, why not just in the middleware?

That’s what I was thinking too so I’m glad you said that.

Thanks @derekprior,

by controller do you mean session.rb?