How does Rails' Devise gem store temp data - ruby-on-rails

I am using Rails 5 and Devise.
I have a form which can be accessed by anyone. The POST action URL, however, can only be accessed by signed-in users.
before_action :authenticate_user!
So if a user is not signed in, Devise automatically redirects to the login form, where the user can log in or even create a new account. After doing that, Devise automatically redirects to the POST URL and the posted data is still available.
So my question is: where in the code of the gem does Devise handle and store the redirect URL and POST data?
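As an added illustration (not code from Devise or from the question), here is a simplified model of the "return to" mechanism a session-based login flow uses: on an authentication failure the attempted path is written into the session under a per-scope key, and the first successful sign-in consumes it. Devise's own failure app only records navigational GET requests, so a POST body is never replayed from the session; the key name "<scope>_return_to", the plain Hash standing in for the Rails session, and the helper names are assumptions of this example.

```ruby
require "uri"

# Simplified "return to" store in the spirit of a session-based login flow.
# The session is a plain Hash standing in for the Rails session; the
# "<scope>_return_to" key naming is an assumption of this illustration.
class ReturnToStore
  def initialize(session)
    @session = session
  end

  def key_for(scope)
    "#{scope}_return_to"
  end

  # Only remember a relative path on this host. Storing an absolute URL
  # supplied by the client would turn the post-login redirect into an
  # open redirect, so scheme, host and protocol-relative "//" are refused.
  def store(scope, location)
    uri = URI.parse(location.to_s)
    return nil if uri.scheme || uri.host
    path = uri.path.to_s
    return nil unless path.start_with?("/") && !path.start_with?("//")
    path += "?#{uri.query}" if uri.query
    @session[key_for(scope)] = path
  rescue URI::InvalidURIError
    nil
  end

  # Consume the stored location so it is used at most once.
  def take(scope)
    @session.delete(key_for(scope))
  end
end

# Decide whether a failed authentication should record where the user was.
# Only navigational GET requests are remembered: a POST body cannot be
# reconstructed from a path stored in the session.
def remember_attempted_path?(method:, xhr:, navigational:)
  method == "GET" && !xhr && navigational
end

# Where to send the user after sign-in: the stored path, else a default.
def after_sign_in_path(store, scope, default: "/")
  store.take(scope) || default
end
```

The example goes slightly beyond the question by showing the two checks a practitioner cares about: the stored value is path-only (open-redirect protection), and it is deleted on first use.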

Related

Devise session not persisting after login redirect on React-Rails app

We have a pretty standard React-Rails app with (prerender = true) (following this tutorial and its accompanying repo). We're currently using the Devise gem to implement users. However, right now, after a successful login, when the user is redirected to the home page (as is the default with Devise; we made no changes there), the user session is not persisted, meaning the user is logged out by the time the homepage is reached, according to the user_signed_in? function provided by Devise.
Any suggestions?

Using devise_token_auth library for both webapp and api

I'm using devise_token_auth (https://github.com/lynndylanhurley/devise_token_auth) for authenticating mobile devices, and I also need to use Devise for my web app.
The problem is that a user can sign up through devise_token_auth, but if the user signs in and tries to call a certain action in a controller which contains "before_action :authenticate_user!", I get an error saying Authorized Users Only.
I wonder if there's a way to use Devise and devise_token_auth together.
code:
class RestrictedController < ApplicationController
  before_action :authenticate_user!

  def stuff
    head :ok
  end
end
First, you should know that Devise is no longer managing the user's session. This is why it is advised to use devise_token_auth.
Whenever you specify before_action :authenticate_user! on a controller, all actions (like RestrictedController#stuff) would require the user to be signed in. devise_token_auth expects to receive in the request headers the four params listed below.
Here is what you need to do:
Sign in using the route provided by devise_token_auth.
If sign in succeeds, you'll receive in the header an access-token, a client, a token-type and a uid.
Whenever you'd like to run a controller action where the user has to be signed in, specify, in the request headers, the access-token, the client, the token-type and the uid.

Rails, Devise: is it possible to only confirm email logins and not Facebook logins?

I have set up Ruby on Rails and Devise using code from here
Email logins and Facebook login were all working fine. However, once I configure :confirmable (which creates confirmation emails that users have to click a URL in), Facebook login no longer works. It says Completed 401 Unauthorized in the RoR logs, even though it managed to get a token.
Is there some missing configuration for this to work?
The token doesn't care. Devise only checks for the confirmed_at attribute.
But you can just override the confirmation for certain users.
In your user.rb model:
protected

def confirmation_required?
  facebook_token.nil? # replace with your own logic.
end
I was looking at another article on Stack Overflow. I basically did a skip_confirmation!, which is defined in Confirmable.

Rails: Auto-login already signed up user (Facebook/linkedin omniauth)

I am using OmniAuth and Devise to implement social login (LinkedIn and Facebook) on a Rails 4 website.
I want to be able to auto-login a user who has already logged in before on the browser (same as Facebook does: http://facebook.com).
I understand that this could be done by placing a cookie on the user with their user id and then using that on the landing page to log the user in.
However, I feel this is such a common use case that Devise or some other gem might already exist that does it cleanly?
Devise has a module Rememberable, which allows you to remember a logged in user.
Just add :rememberable to the devise method in your User model.
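To make concrete what a remember-me module has to get right, here is an added example, not Devise's Rememberable code and not part of the answer above: the cookie carries the user id, a random token and an issue time, is signed with a server secret, and is only honoured while the same token is still stored on the user record and the window has not expired. The secret, the column names, the fourteen-day window and the cookie layout are all assumptions of this illustration.

```ruby
require "openssl"
require "securerandom"
require "json"

# Constructed secret for this illustration only; a real app keeps it in
# the credentials store, never in source.
SECRET = "constructed-secret-for-illustration-only"
REMEMBER_FOR = 14 * 24 * 3600 # assumed remember window, in seconds

# Stand-in for the user record; remember_token / remember_created_at are
# assumed column names.
User = Struct.new(:id, :remember_token, :remember_created_at)

def sign(payload)
  OpenSSL::HMAC.hexdigest("SHA256", SECRET, payload)
end

# Constant-time-ish equality: hash both sides so the comparison does not
# leak where two strings first differ.
def same_secret?(a, b)
  a.bytesize == b.bytesize &&
    OpenSSL::HMAC.hexdigest("SHA256", SECRET, a) == OpenSSL::HMAC.hexdigest("SHA256", SECRET, b)
end

# Issue a fresh token, persist it on the user and build the signed cookie.
# Cookie layout: base64([id, token, issued_at]) + "--" + HMAC.
def remember_me!(user, now: Time.now)
  user.remember_token = SecureRandom.hex(16)
  user.remember_created_at = now
  payload = [JSON.generate([user.id, user.remember_token, now.to_i])].pack("m0")
  "#{payload}--#{sign(payload)}"
end

# Forget a user: clearing the stored token revokes every cookie issued.
def forget_me!(user)
  user.remember_token = nil
  user.remember_created_at = nil
end

# Return the user the cookie identifies, or nil when it is forged,
# revoked or expired.
def user_from_remember_cookie(cookie, users_by_id, now: Time.now)
  payload, sig = cookie.to_s.split("--", 2)
  return nil unless payload && sig && same_secret?(sign(payload), sig)
  id, token, issued_at = JSON.parse(payload.unpack1("m0"))
  user = users_by_id[id]
  return nil unless user && user.remember_token
  return nil unless same_secret?(user.remember_token, token)
  return nil if now.to_i - issued_at > REMEMBER_FOR
  user
rescue ArgumentError, JSON::ParserError
  nil
end
```

The signature check runs before the payload is parsed, so a tampered cookie is rejected without ever touching the database, and revocation is a single column update on the user.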

What is the correct way to use Devise gem authentication with Mobile (Rails)

I am using the Devise gem for web authentication in my application.
Now I am about to write a mobile app for my application which includes the sign-in / sign-up process.
What is the correct way I should use to sign in a user and authenticate each call made by the user from the mobile app?
Which of the below strategies is correct? (I am not sure which method to follow to be more secure.)
Note : You can view the above image in http://i.stack.imgur.com/I13uT.png (will be more clear)
FYI : I am using Titanium to develop mobile app and my backend server runs Rails app
Model #1 isn't secure, you aren't passing any sort of authentication on subsequent requests to validate that the user is still who they say they are.
What I'm presuming you really want to know is, what's the best way to verify the user is who they say they are, after logging in. I've answered this previously, Exposing Rails/Devise Authentication to iOS application and the same answer applies here.
Using token authentication in Devise will match model #2, and is also the most secure since you exchange the username/password for a token rather than having to store their username and password and reuse it with every request.
I'm not sure how #1 is secure at all since none of the subsequent requests are signed in any way. If someone knew the file structure of your app they could just access it that way, right?
With Devise, you can set an attribute on your User model to allow users to be authenticated via token:
class User < ActiveRecord::Base
  devise :token_authenticatable
  # there are other details and options on this, but this is the relevant piece
end
On each controller you can also verify that the user is authenticated by including before_filter :authenticate_user! at the beginning:
class PostsController < ActionController::Base
  before_filter :authenticate_user!
end
When making requests from the mobile app, include the auth_token in the request so that the Rails app can authenticate before responding.
Beyond authentication, you may also be interested in something like CanCan to handle authorization as well.
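The two token-based answers on this page (the devise_token_auth headers uid, client, access-token and token-type, and the mobile answer's "exchange the password for a token, then send the token with every request") describe the same server-side check. As an added example, and not code from devise_token_auth, Devise or either answer, here is that check in plain Ruby: tokens are issued per (uid, client) pair, only their SHA-256 digest is stored, each has an expiry, and verification compares digests in constant time. The in-memory store, the two-week lifetime and the "Bearer" token-type value are assumptions of this illustration.

```ruby
require "openssl"
require "securerandom"

TOKEN_LIFETIME = 2 * 7 * 24 * 3600 # assumed lifetime, in seconds

# Compare two equal-length hex digests without short-circuiting on the
# first differing byte.
def same_digest?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# In-memory stand-in for the token table; keyed by [uid, client] so each
# device gets its own token and can be revoked on its own.
class TokenStore
  def initialize
    @tokens = {} # [uid, client] => { digest:, expiry: }
  end

  def digest(token)
    OpenSSL::Digest::SHA256.hexdigest(token)
  end

  # Issue a token for a device after a successful password sign-in.
  # Only the digest is kept server-side; the raw token goes to the client
  # once, in the response headers.
  def issue(uid, now: Time.now)
    client = SecureRandom.hex(8)
    token = SecureRandom.urlsafe_base64(32)
    @tokens[[uid, client]] = { digest: digest(token), expiry: now.to_i + TOKEN_LIFETIME }
    { "uid" => uid, "client" => client, "access-token" => token, "token-type" => "Bearer" }
  end

  # Revoke a single device without logging the user out elsewhere.
  def revoke(uid, client)
    @tokens.delete([uid, client])
  end

  # True only when all four headers are present, the (uid, client) pair is
  # known, the token has not expired and the digest matches.
  def valid?(headers, now: Time.now)
    uid, client, token, type = headers.values_at("uid", "client", "access-token", "token-type")
    return false unless uid && client && token && type == "Bearer"
    entry = @tokens[[uid, client]]
    return false unless entry && entry[:expiry] > now.to_i
    same_digest?(entry[:digest], digest(token))
  end
end

# Equivalent of a before_action :authenticate_user! guard on an API
# action: returns the HTTP status the request should receive.
def guard(store, headers, now: Time.now)
  store.valid?(headers, now: now) ? 200 : 401
end
```

Because the store holds digests rather than tokens, a leaked token table does not hand out working credentials, and because each device has its own (uid, client) entry, losing a phone means revoking one row rather than resetting the password.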
