When i try to use the sign_up method of Devise, i get an internal server error but, after create the user.
My application.rb:
class ApplicationController < ActionController::Base
protect_from_forgery with: :null_session, only: Proc.new { |c| c.request.format.json? }
before_action :configure_permitted_parameters, if: :devise_controller?
respond_to :json
protected
def configure_permitted_parameters
devise_parameter_sanitizer.permit(:sign_up, keys: [ :username ])
end
end
Here the output,
Any ideas? 🤔
I am supplementing this with Doorkeeper, but please do not alter the operation of Devise. I also did not use Warden on my own anywhere on the app.
This issue seems to be the problem you are having:
https://github.com/heartcombo/devise/issues/4603
They suggest clearing the cookies of your browser
this usually happens when you are upgrading a bunch of stuck including
devise in one branch And than you get back to some other branch for
something and you have this newer cookie in your browser. Simple
solution is to clear cookies in browser.
Other answers mention upgrading devise version
Related
I'm trying to use Devise gem in my project. That worked, but I still have a problem:
I setup devise in my application and generated the views, but I added an extra field in the database (username). So, the thing is that I need this username, but it's not being saved in the database when I create a new user :/ The problem seems to be in the controller, but I don't know how to access it.
Do devise hide its controllers? Can I access this controller and simply add the field I want in the params, for example? Do I really need to code a new controller that will override the default one? What should I do? and how?
See doc: https://github.com/plataformatec/devise
You have to tell the devise to save extra parameters in the DB.
Your application_controller.rb file look like:
class ApplicationController < ActionController::Base
protect_from_forgery with: :exception
before_action :configure_permitted_parameters, if: :devise_controller?
protected
def configure_permitted_parameters
devise_parameter_sanitizer.permit(:sign_up, keys: [:username])
end
end
I have a Rails API and I use devise for authentication. My client side is a React SPA.
I tried turning on the protect_from_forgery in my application_controller as:
class ApplicationController < ActionController::Base
protect_from_forgery with: :null_session
before_filter :configure_permitted_parameters, if: :devise_controller?
protected
def configure_permitted_parameters
devise_parameter_sanitizer.permit(:sign_up, keys: [:name])
devise_parameter_sanitizer.permit(:sign_in, keys: [:otp_attempt])
end
end
But with every put/post request it throws an error:
Can't verify CSRF token authenticity
This makes sense because I am not sending back any CSRF token with my requests.
It seems like the way to do this for rails is to add <%= csrf_meta_tag %> in my application.html.erb but I am using jbuilder to convert everything to json before sending it to my SPA.
Is there a way I can access this information in the client side so I can turn on the protection for CSRF?
Context: a Rails app in production, hosted on Heroku, that has around 800 users.
Ruby 2.4.2
Rails 5.1.4
Devise 4.3.0
For some reason, I have seen a few users experience an error:
ActionController::InvalidAuthenticityToken
[GEM_ROOT]/gems/actionpack-5.1.4/lib/action_controller/metal/request_forgery_protection.rb:195
For requests to POST /students/:id/registrations.
It is intermittent, and very few users experience the error.
Clients are Safari 11.0 on iPads.
ApplicationController:
class ApplicationController < ActionController::Base
protect_from_forgery with: :exception
before_action :authenticate_user!, unless: :devise_controller?
before_action :restrict_from_students, unless: :devise_controller?
# ...
end
RegistrationsController:
class RegistrationsController < ApplicationController
skip_before_action :restrict_from_students, only: :create
# ...
end
Is there some scenario (re-POSTing the request, auth timeout but submitting, lack of JS) that would cause this? I cannot seem to reproduce it.
I was having a similar issue.
Use rescue_from in the application controller and redirect somewhere useful with a notification. In my case I attempt to redirect the user back to where they were to reattempt their action, or to the home page as a fallback.
Example for rails 5:
class ApplicationController < ActionController::Base
rescue_from ActionController::InvalidAuthenticityToken,
with: :handle_invalid_token
def handle_invalid_token
redirect_back fallback_location: root_path,
notice: 'Stale session detected'
end
end
Thanks to the rubber duck, I have reproduced the issue.
Sign out
Go "back" to the cached app UI.
Click the button to generate a POST request.
Observe the exception.
The solution here is to use rescue_from to likely redirect the user to the sign in page.
Thank you rubber duckie!
I am working on a Rails 5 api project which is used by mobile client with gem devise_token_auth for authorization.
I am clear about what the warning means.
1st Question: CSRF protect should be turned OFF for api(JSON/XML)respond, correct?
I searched some on web it seems CSRF just happens on web application with cookie. But i read this from rails api document:
It's important to remember that XML or JSON requests are also affected >and if you're building an API you should change forgery protection >method in ApplicationController (by default: :exception):
class ApplicationController < ActionController::Base
protect_from_forgery unless: -> { request.format.json? }
end
So i still get the warning by adding like this:
class ApplicationController < ActionController::Base
protect_from_forgery unless: -> { request.format.json? }
include DeviseTokenAuth::Concerns::SetUserByToken
end
2nd Question: If API doesn't need CSRF protection, why
protect_from_forgery unless: -> { request.format.json? }
doesn't work?
Not sure if i understood something wrong. Thank you!
the code should be:
protect_from_forgery with: :null_session, if: ->{request.format.json?}
You might have to use null_session for API, it provides an empty session during request but doesn't reset it completely. Used as default if :with option is not specified.
I set up Devise for authentication on a rails 4 app. I tested sign up, sign in and edit forms. Everything worked fine.
Then I needed a form to get additional inputs from users. So I created new user routes to allow me to update/edit user records. Now my devise edit user form doesn't do anything when I click on submit.
I'm guessing this is because of some clash with the new routes but I could be wrong. Should I check something else?
my routes:
devise_for :users
resources :users, only: [:update, :edit]
demo app at http://mktdemo.herokuapp.com/users/edit - Sign in as test#test.com pwd: test1234.
application controller:
class ApplicationController < ActionController::Base
# Prevent CSRF attacks by raising an exception.
# For APIs, you may want to use :null_session instead.
protect_from_forgery with: :exception
before_action :configure_permitted_parameters, if: :devise_controller?
protected
def configure_permitted_parameters
devise_parameter_sanitizer.for(:sign_up) << :name
devise_parameter_sanitizer.for(:account_update) << :name
end
end