Today I've had about 10 bot accounts created on my Rails 7 app hosted on fly.io!
I feel I've followed all the steps to install and configure the invisible_captcha gem, but I can't get the timeout to trigger with a 400-second timestamp threshold.
I am also using the confirmable option with Devise, where users are sent a link to confirm their accounts before they can access the site.
I am using TomSelect JS to allow new users to choose a role when creating a new account; not sure if that's affecting anything.
When I inspect my sign-up form I can see the hidden field that is generated by <%= invisible_captcha %>:
<div class="akycjhmgilspxv_1669858439"><style media="screen">.akycjhmgilspxv_1669858439 {position:absolute!important;height:1px;width:1px;overflow:hidden;}</style><label for="akycjhmgilspxv">How often do you go out dancing?</label><input type="text" name="akycjhmgilspxv" id="akycjhmgilspxv" autocomplete="off" tabindex="-1"><input type="hidden" name="spinner" id="spinner" value="0427cfe9c26b1956983b7f12163dbb94" autocomplete="off"></div>
My routes.rb:
devise_for :users, :path => '', :path_names => { :sign_in => "login", :sign_out => "logout", :sign_up => "register" }, controllers: { registrations: 'users/registrations' }
devise_scope :user do
match '/register.user', to: 'devise/registrations#create', via: :post
end
My config/initializers/invisible_captcha.rb; note the timestamp threshold of 400!
InvisibleCaptcha.setup do |config|
# config.honeypots << ['more', 'fake', 'attribute', 'names']
# config.visual_honeypots = false
config.timestamp_threshold = 400
# config.timestamp_enabled = true
# config.injectable_styles = false
# config.spinner_enabled = true
# Leave these unset if you want to use I18n (see below)
config.sentence_for_humans = 'How often do you go out dancing?'
config.timestamp_error_message = 'Something went wrong, please try again.'
end
And my registrations controller:
class Users::RegistrationsController < Devise::RegistrationsController
  # before_action :configure_sign_up_params, only: [:create]
  # before_action :configure_account_update_params, only: [:update]
  invisible_captcha only: [:create]
end
I make sure to restart my server after all these changes, but I'm still able to create an account even though the timestamp threshold is 400.
Should I just hope the bots fill out the hidden field each time?
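The following is an added simulation of what a timestamp-gated honeypot checks on submission and of the two routes posted above; it is example code written for this page, not the invisible_captcha gem's code or the asker's. Two things are worth seeing in it. First, the gate rejects a submission for either of two reasons: the honeypot text field came back non-empty, or fewer than threshold seconds passed between rendering the form and posting it. Second, the routes above send POST /register.user to devise/registrations#create, while invisible_captcha only: [:create] is declared on Users::RegistrationsController; a before_action declared on a subclass does not run when the request is dispatched to the parent class, which the second branch of handle_create models. The honeypot field name is the one from the rendered form in the question; the timestamps are constructed.

```ruby
require 'time'

# Illustration of a timestamp-gated honeypot (not the gem's implementation).
class HoneypotGate
  # Name of the hidden text field from the rendered form in the question.
  HONEYPOT_FIELD = 'akycjhmgilspxv'

  def initialize(threshold_seconds)
    @threshold = threshold_seconds
  end

  # Rendering the form: stamp the session with the render time.
  def render_form(session, now)
    session[:invisible_captcha_timestamp] = now.utc.iso8601
    session
  end

  # Submitting the form: return :ok or the reason for rejection.
  def verify(session, params, now)
    return :honeypot_filled unless params.fetch(HONEYPOT_FIELD, '').to_s.empty?

    stamp = session[:invisible_captcha_timestamp]
    return :missing_timestamp if stamp.nil?

    elapsed = now.utc - Time.iso8601(stamp)
    elapsed < @threshold ? :too_fast : :ok
  end
end

# Stand-in for the two controllers named in the question's routes.rb. Only the
# custom controller declares the filter; a POST routed to the base Devise
# controller never runs it.
def handle_create(route, gate, session, params, now)
  case route
  when 'users/registrations#create'
    result = gate.verify(session, params, now)
    result == :ok ? :account_created : result
  when 'devise/registrations#create'
    :account_created
  else
    raise ArgumentError, "unknown route #{route}"
  end
end

if __FILE__ == $PROGRAM_NAME
  gate = HoneypotGate.new(400)
  t0 = Time.utc(2022, 12, 1, 0, 0, 0)            # constructed render time
  session = gate.render_form({}, t0)
  bot = { 'email' => 'bot@example.com' }         # constructed submission, 3 s later
  puts handle_create('users/registrations#create', gate, session, bot, t0 + 3)
  puts handle_create('devise/registrations#create', gate, session, bot, t0 + 3)
end
```

Run stand-alone it prints too_fast for the filtered route and account_created for the unfiltered one with the same 3-second submission.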
Good evening. How could I cancel or delete these 2 routes? I also want to know how I can redirect to another site if I am not logged in.
You can remove the routes by using skip, then specify the routes you still use, something like this:
devise_for :users, :skip => [:sessions] do
delete "/logout" => "devise/sessions#destroy", :as => :destroy_user_session
post "/admin" => "devise/sessions#create", :as => :user_session
end
Devise already has a feature for auto-redirect. Go to application_controller.rb and add this: before_action :authenticate_user!
I'm not 100% sure this works now that we've disabled the default session paths. The alternative is to create our own method to override it in application_controller.rb.
Something like this:
protected

# Override Devise's helper so unauthenticated requests go to our own login route
def authenticate_user!
  if user_signed_in?
    super
  else
    redirect_to login_path # login_path must be defined in routes.rb
  end
end
I have Rails 5 with Devise with Ajax login/registration and I want to remove GET requests for these two actions. The default sign_in/sign_up routes are changed. This is my routes.rb:
devise_for :users, :path => '', :path_names => { :sign_in => "login",
  :sign_out => "logout", :sign_up => "registration" },
  :controllers => { :sessions => 'sessions',
                    :registrations => 'registrations' }
In sessions_controller.rb and registrations_controller.rb you can check the request type and return 404 if it's a GET request.
If you haven't monkey-patched your Devise controller already, create the directory app/controllers/devise and add the file registrations_controller.rb to it:
class Devise::RegistrationsController < DeviseController
  # Runs before every other filter; limit it to certain actions with only: [:new, ...]
  prepend_before_action :check_get_request

  private

  # Responding here halts the filter chain, so the form is never rendered for GET
  def check_get_request
    head :not_found if request.get? # or :unprocessable_entity, as you prefer
  end
end
The same goes for sessions_controller. You might break something by disabling all GET requests, but you can target specific actions if need be. For reference: https://github.com/plataformatec/devise/blob/master/app/controllers/devise/registrations_controller.rb
and https://github.com/plataformatec/devise/blob/master/app/controllers/devise/sessions_controller.rb
Because I am using a custom registration_controller and sessions_controller, I just override the methods which show the registration/login pages. Both methods are show. I add this method to both custom controllers:
def new
  raise ActionController::RoutingError.new('Not Found') # Rails renders this as a 404
end
which returns 404 if someone navigates to the registration or login URL, but POST requests work fine.
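The answers above gate GET in each controller. As an added example (written for this page, not taken from any answer or from Devise), the same rule can be enforced once, in front of the whole application, with a Rack-style middleware: GET and HEAD to the login and registration paths get a 404 and POST passes through untouched. A Rack application is any object whose call(env) returns [status, headers, body], so the block needs no gem to run; the paths are the custom ones from the question's routes.rb, and the downstream app is a constructed stand-in for the Devise controllers.

```ruby
# Rack middleware that refuses to serve the rendered login/registration pages
# but leaves the POST endpoints alone.
class DenyAuthPageGet
  BLOCKED_PATHS = ['/login', '/registration'].freeze
  READ_METHODS  = %w[GET HEAD].freeze # HEAD would otherwise reveal the page exists

  def initialize(app)
    @app = app
  end

  def call(env)
    if BLOCKED_PATHS.include?(env['PATH_INFO']) && READ_METHODS.include?(env['REQUEST_METHOD'])
      return [404, { 'content-type' => 'text/plain' }, ['Not Found']]
    end

    @app.call(env) # anything else reaches the controllers as usual
  end
end

# Constructed downstream app standing in for the Rails router and controllers.
UPSTREAM_APP = ->(_env) { [200, { 'content-type' => 'text/plain' }, ['reached controller']] }

# Returns the HTTP status the stack gives a request with this method and path.
def auth_gate_status(method, path)
  DenyAuthPageGet.new(UPSTREAM_APP)
                 .call('REQUEST_METHOD' => method, 'PATH_INFO' => path)
                 .first
end
```

In a Rails app the middleware is registered with config.middleware.use DenyAuthPageGet in config/application.rb; because it runs before routing, it also applies if a GET route for these paths is later added by mistake.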
I am currently using https://github.com/thoughtbot/clearance for authentication.
It allows me to sign up and sign in using a password and email.
But I was wondering how I can configure it to have CRUD pages for the generated users model, because I actually want to see a list of registered users.
You can use a regular Users controller, subclassed from clearance.
class UsersController < Clearance::UsersController
  def index
    @users = User.all # whatever logic you need to retrieve the list of users
  end
end
I created my Users controller first, then ran the clearance generator, and then the routes generator. After generating the default routes, you can modify to point to your own controller.
rails g clearance:install
rails g clearance:routes
resources :users, controller: "users" do
resource :password,
controller: "clearance/passwords",
only: [:create, :edit, :update]
end
get "/sign_in" => "clearance/sessions#new", as: "sign_in"
delete "/sign_out" => "clearance/sessions#destroy", as: "sign_out"
get "/sign_up" => "clearance/users#new", as: "sign_up"
I have a problem with the Devise gem. I have this controller:
class AdminController < ApplicationController
before_action :authenticate_user!
def index
end
def per
end
def po
end
end
When it redirects to the sign_in form, it shows nothing.
These are my routes:
match 'po' => 'admin#po', :via => :get
match 'per' => 'admin#per', :via => :get
match 'admin' => 'admin#index', :via => :get
match 'admin/index' => 'admin#index', :via => :get
match 'admin/per' => 'admin#per', :via => :get
match 'admin/po' => 'admin#po', :via => :get
devise_for :users, :controllers => { :omniauth_callbacks => "callbacks" }
root 'home#index'
I have three templates: application, admin and home
I override the default route after login:
class ApplicationController < ActionController::Base
# Prevent CSRF attacks by raising an exception.
# For APIs, you may want to use :null_session instead.
protect_from_forgery with: :exception
#before_action :authenticate_user!
def after_sign_in_path_for(resource)
#request.env['omniauth.origin'] || stored_location_for(resource) || admin_path
admin_path
end
end
My last gem installed:
gem 'bootstrap-sass'
You need to run the generator for Devise views, which will copy the necessary files into your views folder.
Run:
rails g devise:views
There is more information on configuring the Devise views here.
Your problem probably isn't with Devise, it looks systemic to me.
#config/routes.rb
namespace :admin do
  root "application#index"                                 #-> url.com/admin
  resources :model_controller, path: "", only: :index do  #-> url.com/admin/...
    collection do
      get :po  #-> you shouldn't really have this
      get :per #-> you shouldn't really have this
    end
  end
end
devise_for :users, :controllers => { :omniauth_callbacks => "callbacks" }
This will give you the following:
#app/controllers/admin/application_controller.rb
class Admin::ApplicationController < ApplicationController
before_action :authenticate_user!
def index
# do something here
end
end
This gives you the ability to create a custom "dashboard" type page for your admin area, from which you'll be able to use controllers bound to models.
Your po and per actions really shouldn't be there; they are not part of the CRUD system.
In regards to your Devise views, the other answers are correct in that you would be best to generate the Devise views in your app:
rails generate devise:views
This won't solve your problem (hence why I downvoted the other answers). It will simply put the views in your app. It will do nothing apart from put code in a different place.
You will need to debug the issue:
Check the action you're seeing at /users/sign_in
Check the code in the <body> tags (which you haven't shown)
If the HTML is there, there will be some other issue preventing it from loading
If there is no HTML, it will likely mean a problem with the core of Devise
What I would recommend you do is the following:
Generate your views
From your screenshot, show us the contents of the <body> tag
Screenshot your console log (this will show any errors)
Update your question with the above
This will give you a much clearer perspective on what the potential issue will be, and allow other community members to better define the solution.
I have a Rails app that acts as a backend for an iOS app. It was developed by a third party, and I've never used Rails, so trying to learn as I go here. I want to make the app web-accessible for users, with a homepage front-end for giving prospective users some info about the app.
Sounds easy enough, but the app is using Devise for user authentication and when I hit the site root I get the following error message:
You need to sign in or sign up before continuing.
In the routes.rb file I have the following:
root :to => "visitors#index"
devise_for :users
resources :users
In my visitors controller I added a before_filter to try to open up the site index:
class VisitorsController < ApplicationController
before_filter :authenticate_user!, :except => [:index]
end
but this made no difference. Is there something obvious I'm missing here, or some concept that I'm not grasping? Basically I want a user to hit the site homepage, then click on a 'Login' link, after which they'll have access to the rest of the site.
EDIT:
My ApplicationController:
class ApplicationController < ActionController::Base
respond_to :html, :json
# Prevent CSRF attacks by raising an exception.
# For APIs, you may want to use :null_session instead.
protect_from_forgery with: :null_session, :if => Proc.new { |c| c.request.format == 'application/json'}
before_action :configure_permitted_parameters, if: :devise_controller?
acts_as_token_authentication_handler_for User
protected
def configure_permitted_parameters
devise_parameter_sanitizer.for(:sign_up) << :name
devise_parameter_sanitizer.for(:account_update) << :name
end
end
From Devise's how-to guide, which seems to describe your case: you can create two roots in your routes.rb file, one for authenticated users and one for non-authenticated users:
authenticated :user do
root :to => 'visitors#some_action', :as => :authenticated_root
end
root :to => 'visitors#index'
However, please post your ApplicationController because your example code should work, the issue may be there.
In case anyone else has the same problem: the culprit was the following line in application_controller.rb:
acts_as_token_authentication_handler_for User
It's part of the simple_token_authentication Gem (https://github.com/gonzalo-bulnes/simple_token_authentication)
To enable anonymous access to the root page, I changed it to the following:
acts_as_token_authentication_handler_for User, :except => [:index]
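The fix above puts :except => [:index] on a handler declared in ApplicationController. Filter options declared on a base controller are inherited, so that exemption applies to the index action of every controller in the app, not only to visitors#index. The following added example (written for this page, not the simple_token_authentication gem's code) is a minimal filter chain in the style of ActionController that makes the difference visible and shows the narrower Rails idiom of requiring the check in the base class and skipping it with skip_before_action in the one controller that needs it. Controller names are the ones from the question; the filter name require_token and the token value are constructed, and the name of the filter the token gem actually installs is not shown on this page.

```ruby
# Minimal stand-in for a controller class hierarchy with inheritable filters.
class MiniController
  class << self
    # Each class works on its own copy of the parent's [name, except_list] pairs,
    # so a subclass can widen an exemption without changing the parent.
    def filters
      @filters ||= if superclass.respond_to?(:filters)
                     superclass.filters.map { |name, except| [name, except.dup] }
                   else
                     []
                   end
    end

    def before_action(name, except: [])
      filters << [name, Array(except)]
    end

    def skip_before_action(name, only:)
      filters.each { |n, except| except.concat(Array(only)) if n == name }
    end
  end

  def initialize(params = {})
    @params = params
  end

  # Run the inherited filter chain, then the action.
  # Returns :ok, or the symbol a filter halted the request with.
  def process(action)
    self.class.filters.each do |name, except|
      next if except.include?(action)
      halt = send(name)
      return halt if halt
    end
    :ok
  end
end

# The fix as posted: a blanket except: [:index] on the base class.
class ApplicationController < MiniController
  before_action :require_token, except: [:index] # stands in for the token handler

  def require_token
    :token_required unless @params[:token] == 'secret' # constructed token check
  end
end
class VisitorsController < ApplicationController; end
class UsersController < ApplicationController; end # silently loses the check on index too

# Narrower alternative: require the token everywhere, skip it in one controller.
class StrictApplicationController < MiniController
  before_action :require_token

  def require_token
    :token_required unless @params[:token] == 'secret'
  end
end
class StrictVisitorsController < StrictApplicationController
  skip_before_action :require_token, only: [:index] # only the public homepage
end
class StrictUsersController < StrictApplicationController; end
```

With the posted fix, UsersController.new.process(:index) returns :ok for an anonymous request; with the strict variant the same request returns :token_required while StrictVisitorsController's index stays open.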