I create an app using two devise model, user and admin.
I'm following the devise wiki from this link, I'm using the option 1
How To: Add an Admin Role
So I open two page at the same time, the user login page and the admin login page.
When I login in the admin login page it succeed but when I login on the user page it raise an error ActionController::InvalidAuthenticityToken same goes with the other way.
But if I refresh the page first then I login it will succeed.
Are they using the same AuthenticityToken? So when the admin logged in, the AuthenticityToken is changed so when I try to login with the user it raise an InvalidAuthenticityToken?
Thanks.
The behaviour you are seeing is expected.This is because the value of csrf token changes once you sign in,expiring the old value.
There is a workaround to disable CSRF protection for the sign_in action in the ApplicationController. Look here: https://github.com/plataformatec/devise/issues/3102
Related
I have a rails application which uses devise for authentication. when the application sends any notification to the user, then in order to see the notification or messages i provide a link to my rails application which redirects to a login page.
how can i avoid this login process, means i don't want the user to be asked to login by entering email and password, instead whenever the user clicks on that link, then the user should automatically login.
Devise provides sign_in controller helper which allows you to pass authentication programmatically.
sign_in(user)
I'm trying to have a login and register form on one page with devise. But how can I redirect back to the common page when there is an unsuccessful try to login or register? It i being redirected to the appropriate login or register specific page.
Thanks
Use case: User fills out a form to add a product and register at once. When the user has submitted the combined form, the app authenticates the user and is logged in (assume validations passed) without the need to confirm or login.
I've removed the confirmable feature out, but when the user fill out the form, it succeeds, but the user doesn't get logged in unless they go to a login form. This isn't such a great experience, so is there a way to Register a user and immediately log them in?
What I actually wanted was sign_in(#user) from my controller
If you want to login without confirmation then Remove :confirmable option from devise options in User model.
I'd like to override the way Devise currently handle the login flow. I don't need/want /users/sign_in, I just want to use my own root_path for login handling, i.e. logging user in and handling failed password entries.
I have successfully created the form which logs in, but if an user fails to put his/her password correctly, he/she being redirected to /users/sign_in. How to make sure I keep on the same action and handle failed passwords?
This is probably what you're looking for: https://github.com/plataformatec/devise/wiki/How-To:-Change-the-default-sign_in-and-sign_out-routes
I use devise with module TokenAuthentication
And it is ok when I unauthenticated and I follow link with ?auth_token= part. Like this:
I follow link: /orders?auth_token=q2a8w6virARzv6B2C1vR where q2a8w6virARzv6B2C1vR is authentication_token of user1. And now I logged in as user1.
But when I logged in as some user via email\password and common sign_in page and then follow such link with auth_token with another user token I unexpectedly stay logged in as first user.
Like this:
I sign in via sign in page. I
fill in email and password of user2.
And now I logged in as user2
I follow link:
/orders?auth_token=q2a8w6virARzv6B2C1vR
where q2a8w6virARzv6B2C1vR is
authentication_token of user1. And I
still logged in as user2 instead of
expected user1.
Is it bug? And what is the best practices to change this behavior to force replace authentication via token?
Rails 3.0.6
Devise 1.2.1
you did uncomment :token_authenticatable in your user model, correct?
Let's do some question necromancy...
Before running stragegies (token_authenticatable, database_authenticatable) Warden first checks if user is already set in current session.
This happens in: https://github.com/hassox/warden/blob/3d653371a2ff594d9965c1dde642c98cd8485e15/lib/warden/proxy.rb#L212
Is action responding /orders query supposed to use only token auth? If so, you can add: before_filter: reset_session (before authorize_user) so that Warden failed to unserialize user from the session and was forced to perform authentication.
[EDIT]
This issue ticket contains reasonable solution: https://github.com/plataformatec/devise/issues/1644