Rails: Auto-login already signed up user (Facebook/LinkedIn OmniAuth) - ruby-on-rails

I am using OmniAuth and Devise to implement social login (LinkedIn and Facebook) on a Rails 4 website.
I want to be able to auto-login a user who has already logged in before on the browser (the same as Facebook does: http://facebook.com).
I understand that this could be done by placing a cookie on the user with their user id and then using that on the landing page to log in the user.
However, I feel this is such a common use case that Devise or some other gem might already exist that does it cleanly?

Devise has a module Rememberable, which allows you to remember a logged in user.
Just add :rememberable to the devise method in your User model.

Related

How to authenticate the user from the email?

I have a Rails application which uses Devise for authentication. When the application sends any notification to the user, then in order to see the notification or messages I provide a link to my Rails application which redirects to a login page.
How can I avoid this login process? I mean, I don't want the user to be asked to log in by entering email and password; instead, whenever the user clicks on that link, the user should be logged in automatically.
Devise provides the sign_in controller helper, which allows you to pass authentication programmatically.
sign_in(user)
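
A login link sent by e-mail can carry a signed, expiring, single-use token that the controller checks before calling sign_in(user). This is an added example, not code from the original answer or from Devise; the token layout, the function names and the demo key are assumptions.

```ruby
require "openssl"
require "securerandom"
require "set"

# Constructed demo key (assumption); a real app would load this from its secret store.
LOGIN_LINK_KEY = "constructed-demo-key"

def login_link_mac(payload, key)
  OpenSSL::HMAC.hexdigest("SHA256", key, payload)
end

# Compare two strings without stopping at the first differing byte.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Hypothetical token layout: "<user_id>.<expires_at>.<nonce>.<hmac>"
def issue_login_token(user_id, ttl:, now: Time.now, key: LOGIN_LINK_KEY)
  payload = [user_id, now.to_i + ttl, SecureRandom.hex(8)].join(".")
  "#{payload}.#{login_link_mac(payload, key)}"
end

# Returns the user id for a valid, unexpired, unused token; nil otherwise.
# `used` stands in for a server-side store of already redeemed tokens.
def redeem_login_token(token, used:, now: Time.now, key: LOGIN_LINK_KEY)
  parts = token.to_s.split(".")
  return nil unless parts.length == 4
  payload = parts[0, 3].join(".")
  # Reject anything whose signature does not match before trusting its fields.
  return nil unless constant_time_equal?(login_link_mac(payload, key), parts[3])
  return nil if now.to_i > parts[1].to_i   # link has expired
  return nil unless used.add?(payload)     # link was already redeemed once
  parts[0].to_i                            # caller loads this user and calls sign_in(user)
end

# Demo with constructed values: the first click succeeds, a replay does not.
redeemed = Set.new
link_token = issue_login_token(42, ttl: 900)
p redeem_login_token(link_token, used: redeemed)
p redeem_login_token(link_token, used: redeemed)
```

In a controller, a nil result would fall through to the normal login page instead of signing anyone in.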

Devise session not persisting after login redirect on React-Rails app

We have a pretty standard React-Rails app with (prerender = true) (following this tutorial and its accompanying repo). We're currently using the Devise gem to implement users. However, right now, after a successful login, when the user is redirected to the home page (as is the default with Devise - we made no changes there), the user session is not persisted, meaning the user is logged out by the time the homepage is reached, according to the user_signed_in? function provided by Devise.
Any suggestions?

How does Devise and OmniAuth work together?

I have some questions on how Devise and OmniAuth work, as I couldn't find any clarification on the ones I'm about to ask. Here I'll use Facebook as an example.
If I wanted users to be able to sign in using only Facebook and not be able to create an account, could I still use Devise? Does it still have a purpose?
If I were to go the Facebook route above, I see in my database it saves a "user" but does that user stay with that same ID or does it delete/change every time they re-sign in and they become "new users"?
What does using OmniAuth only mean for my application? It's basically the same as Devise right? Just going through a third party?
Right now, I created an app with just the omniauth-facebook gem and I'm thinking it's the same as Devise but just does all the work for me (name, email, location, etc.) as if it was just a replacement.
The reason I ask these questions is because I don't want to end up assigning a user to a resource and it can't find him because it keeps changing the ID of said user because OmniAuth treats it like some type of sessions table (logging in) and not the actual users table (save columns permanently). I want the Devise functionality but to simply replace it with Facebook. I hope I'm making sense.
Thanks.
Well, Devise is a user management gem, so it will manage all your user session information, password, password reset, confirmation...
Everything that is related to registrations and login will be handled by Devise.
Now if you want to add OmniAuth login (Facebook, Twitter, ...) you have to use OmniAuth to take care of the login using any provider like Facebook.
Basically OmniAuth allows you to link Facebook users to your app users, and it works perfectly well with Devise.
For example, when a user is created using Facebook signup, it's created in the users table, which has both Devise and OmniAuth information. So your user will also be able to log in using his email and create a password afterwards.
Facebook provides a unique ID for each user which is stored in your database, so when a user is created with Facebook login it has both an email address to use with Devise and the Facebook ID to use with OmniAuth to log in.
You can use both together with the same user model and manage how you want to do it.
You can for example let users create a password after OmniAuth login so that they can log in afterwards with either OmniAuth or Devise.
Or you can also let existing users link their Facebook account for future use.
I hope this is clear enough. If you have any more questions, let me know!
https://github.com/plataformatec/devise/wiki/OmniAuth:-Overview
Your user is your user. OmniAuth provides an interface to your application which abstracts the whole OAuth protocol logic from you. But it's like this: your user signs in with his Facebook account and gets a token. This token is bound to your user in your app, and that's how OmniAuth identifies him.
No, OmniAuth is not the same as Devise. Both try to address the same purpose (user authentication on your app), but while Devise bundles the whole inner logic of identity provision in your app (creating an account, registering an account, registration emails, recovering an account, managing sessions, signing in, signing out...), OmniAuth provides only an interface to link your user account to an authorized third-party account and access its information, and the rest you have to do yourself.
But they can work together (use Devise to create accounts local to your app, use OmniAuth to link those accounts to third-party accounts and (maybe) fill some basic information for the user account based on his third-party account, like Facebook name, email, photo).
The sessions repository is independent of your users table, so there is no possibility of what you stated in the last paragraph happening.

intercepting Omniauth callback with javascript in Rails

I am trying to implement OmniAuth and Devise with multiple providers in a Rails 3.2 app.
One tricky scenario is: a user signs in via LinkedIn for the first time. Since LinkedIn does not provide the user's email, I won't know which account I should link these LinkedIn credentials to. So I want to intercept the callback to prompt a popup window that allows the user to enter his email or username, before passing the credentials together with the email to the controller.
How should I go about this?

Rails, devise: how to replace previous login via token authentication

I use Devise with the TokenAuthentication module.
And it is OK when I am unauthenticated and I follow a link with the ?auth_token= part. Like this:
I follow the link /orders?auth_token=q2a8w6virARzv6B2C1vR, where q2a8w6virARzv6B2C1vR is the authentication_token of user1. And now I am logged in as user1.
But when I am logged in as some user via email\password and the common sign_in page and then follow such a link with the auth_token of another user, I unexpectedly stay logged in as the first user.
Like this:
I sign in via the sign-in page. I fill in the email and password of user2. And now I am logged in as user2.
I follow the link /orders?auth_token=q2a8w6virARzv6B2C1vR, where q2a8w6virARzv6B2C1vR is the authentication_token of user1. And I am still logged in as user2 instead of the expected user1.
Is it a bug? And what is the best practice to change this behavior to force replacing authentication via token?
Rails 3.0.6
Devise 1.2.1
You did uncomment :token_authenticatable in your user model, correct?
Let's do some question necromancy...
Before running strategies (token_authenticatable, database_authenticatable), Warden first checks if the user is already set in the current session.
This happens in: https://github.com/hassox/warden/blob/3d653371a2ff594d9965c1dde642c98cd8485e15/lib/warden/proxy.rb#L212
Is the action responding to the /orders query supposed to use only token auth? If so, you can add before_filter :reset_session (before authorize_user) so that Warden fails to unserialize the user from the session and is forced to perform authentication.
[EDIT]
This issue ticket contains a reasonable solution: https://github.com/plataformatec/devise/issues/1644
