Hi. Thank you very much for putting this module together.
I am a total sinatra/padrino n00b (I have some ruby experience, but certainly not a super expert). I'm trying to wrap my head around how to build out my website using warden for authorization/authentication. I understand how to install the gem and put the code into my padrino project. And I understand how to use the authorize! method in my controllers to restrict access to pages. But I'm confused about how I set things up for login workflow. I created a login view and that is successfully being shown when an authorize! check fails. But if I try to log in with an incorrect password, I'm not brought back to the login page itself, but rather to some page I don't have implemented (and I believe it's trying to look for it in a different app within my project -- but I don't understand this because I want to display an error message on the login page itself so the user can try again, not go to some other page in some other section of my website).

Thanks for any help you can provide in how to implement the full workflow for password login and registration.

-Jordan

I tried using gem install padrino-warden, but won't install. I have github in my sources. No problem installing other gems.

I'm trying to logout via /session/logout. The user actually logout but this error appears:

NoMethodError: undefined method `[]=' for nil:NilClass
gems/rack-flash-0.1.1/lib/rack/flash.rb:62:in `[]='
gems/padrino-warden-0.1.0/lib/padrino/warden.rb:127:in `block (2 levels) in registered'
gems/padrino-core-0.9.14/lib/padrino-core/application/routing.rb:225:in `call'
gems/padrino-core-0.9.14/lib/padrino-core/application/routing.rb:225:in `block in route'
gems/sinatra-1.0/lib/sinatra/base.rb:521:in `instance_eval'
gems/sinatra-1.0/lib/sinatra/base.rb:521:in `route_eval'
gems/padrino-core-0.9.14/lib/padrino-core/application/routing.rb:475:in `block in route!'
gems/padrino-core-0.9.14/lib/padrino-core/application/routing.rb:462:in `catch'
gems/padrino-core-0.9.14/lib/padrino-core/application/routing.rb:462:in `route!'
gems/sinatra-1.0/lib/sinatra/base.rb:601:in `dispatch!'
gems/sinatra-1.0/lib/sinatra/base.rb:411:in `block in call!'
gems/sinatra-1.0/lib/sinatra/base.rb:566:in `instance_eval'
gems/sinatra-1.0/lib/sinatra/base.rb:566:in `block in invoke'
gems/sinatra-1.0/lib/sinatra/base.rb:566:in `catch'
<…>

enable :sessions exists in my app.rb

I'm getting this error. I don't know if this is a Padrino issue or a Warden issue, but I just wanted to pass it by you.

NameError at /sessions/login
uninitialized constant Padrino::Warden

I just upgraded from 0.1.0 to 0.20.1 and noticed the authorize! method is gone?! Please add a ChangeLog for users to read.

Do you have any plans on testing this gem?

The current situation right now is some settings are "special" (:auth_login_path, :auth_unauthenticated_path, :auth_logout_path, :default_strategies, :warden_failure_app), and can be safely set before register Padrino::Warden. Other settings have to be set after the register, or else during registration padrino-warden overwrites these settings, even if you've set them to some specific value.

I don't see a point to this arbitrary split, and making people either
(a) remember which settings are where ("safe", or "unsafe"; or "settable before register" vs "settable only after register")
(b) just set everything after the registration (in which case all of those protections (unless app.respond_to?) just seem pointless)
(c) read the source code to find out

I propose either make all of these settings "safe".... or else have them all not be safe, and then make a specific note about this in the documentation. Would appreciate your thoughts on this.

Could you consider updating the Gem on Rubygems from 2010 / version 0.1.0?

(https://rubygems.org/gems/padrino-warden)

I performed the following steps to test this out, using burp suite.

Capture the following requests

1. successful login through warden (which gives me a session cookie - for example session-cookie-A)
2. navigate to a page blocked by authorization (session-cookie-A sent along to authorize the request)
3. log out (which should kill session-cookie-A)

After this logout, I replay request 2, containing session-cookie-A, and I can still see the protected content, and am not redirected to a login page.
I can use this cookie to visit other protected pages as well