Rails + Devise: Rememberable vs. Non-Rememberable? - ruby-on-rails

So I have a Rails application using Devise, and I'm a little confused as to how Devise Rememberable works. I have :rememberable enabled in my User model. When I go to log in WITHOUT checking the Remember me? box, I'm still logged in even after a browser close AND a computer restart.
If this is the case, what is the point of rememberable? Am I missing something?
Thanks!

Removing expire_after: 504.hours from config/initializers/session_store.rb seems to have solved the problem, rather than removing the file altogether.
Source: how to clear devise session on browser close?

Related

Rails session, how to set SameSite to Lax

In Rails 6.0.3.1, is there a way to natively set the Rails session cookie's SameSite attribute without resorting to a gem such as the secure headers gem?
Throw this before_action in your ApplicationController:
response.headers['SameSite'] = 'Lax'
Edit: my answer was for Rails 5.2, and wrong. Setting same_site: :lax in your session_store.rb file does work.
I don't have a solution to my specific problem, so I upgraded my application to use Rails 6.1, which has a new initializer file called new_framework_defaults_6_1.rb containing the following self-explanatory comments that solve my issue.
I do NOT believe that every single Rails application should upgrade to Rails 6.1 to solve this, and the Rails team needs to solve this urgently, so I am posting my answer but not accepting it in the hope that someone may have a more appropriate answer for anyone else looking to solve this.
# Specify cookies SameSite protection level: either :none, :lax, or :strict.
#
# This change is not backwards compatible with earlier Rails versions.
# It's best enabled when your entire app is migrated and stable on 6.1.
Rails.application.config.action_dispatch.cookies_same_site_protection = :lax
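As an added example (not code from any of the posts above), a pure-Ruby check of the Set-Cookie headers a browser receives. It covers both the first question (a session cookie carrying Expires or Max-Age, which expire_after adds, persists across a browser restart whether or not "Remember me" was ticked) and the SameSite question above. The header strings are constructed placeholders modelled on Rails output, not captured from a real application.

```ruby
# Split one Set-Cookie header into its name/value pair and a hash of
# attributes keyed by downcased attribute name (browsers match them
# case-insensitively). Valueless attributes such as HttpOnly map to true.
def parse_set_cookie(header)
  pair, *attrs = header.split(/;\s*/)
  name, value = pair.split('=', 2)
  attributes = attrs.each_with_object({}) do |attr, h|
    key, val = attr.split('=', 2)
    h[key.strip.downcase] = val.nil? ? true : val.strip
  end
  { name: name, value: value, attributes: attributes }
end

# A cookie with neither Max-Age nor Expires is a session cookie that the
# browser discards on close. Either attribute makes it persistent, which is
# what expire_after in session_store.rb does to the Rails session cookie,
# so the login outlives a browser restart even without "Remember me"
# (Devise's remember_user_token cookie is persistent by design).
def survives_browser_close?(cookie)
  cookie[:attributes].key?('max-age') || cookie[:attributes].key?('expires')
end

# SameSite as the browser sees it: :lax, :strict, :none, or nil when the
# attribute is absent and the browser's own default applies.
def same_site(cookie)
  value = cookie[:attributes]['samesite']
  value.is_a?(String) ? value.downcase.to_sym : nil
end

# One-line audit of a header, e.g. from the response to a Devise sign-in.
def audit_cookie(header)
  cookie = parse_set_cookie(header)
  {
    name: cookie[:name],
    persistent: survives_browser_close?(cookie),
    same_site: same_site(cookie),
    secure: cookie[:attributes].key?('secure'),
    http_only: cookie[:attributes].key?('httponly')
  }
end

# Constructed sample headers (placeholder values, not from a real app).
SESSION_DEFAULT      = '_app_session=c2Vzc2lvbg==; path=/; HttpOnly'
SESSION_EXPIRE_AFTER = '_app_session=c2Vzc2lvbg==; path=/; expires=Sat, 01 Jan 2030 00:00:00 GMT; HttpOnly'
SESSION_SAME_SITE    = '_app_session=c2Vzc2lvbg==; path=/; secure; HttpOnly; SameSite=Lax'
REMEMBER_TOKEN       = 'remember_user_token=dG9rZW4=; path=/; max-age=1209600; HttpOnly'

[SESSION_DEFAULT, SESSION_EXPIRE_AFTER, SESSION_SAME_SITE, REMEMBER_TOKEN].each do |h|
  puts audit_cookie(h).inspect
end
```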

Getting unauthorized with Devise & Rails Admin

I'm trying to set up Rails_admin with Devise in order to force authentication to get into the admin panel, but I'm getting unauthorized messages and being redirected to the login page.
I've done this kind of integration between Devise and Rails_Admin before and didn't have any problem, but this time I'm having a lot of trouble with it. Any idea what might be happening?
Thanks in advance
config.authenticate_with do
warden.authenticate! scope: :user
end
config.current_user_method(&:current_user)
I had the same problem. Changing the session_store key fixed the problem for me.
# config/initializers/session_store.rb
# Be sure to restart your server when you modify this file.
Rails.application.config.session_store :cookie_store, key: '_changed_key_session'
This comment helped me find this solution: https://github.com/activeadmin/activeadmin/issues/2957#issuecomment-49748165.

ActionController::InvalidAuthenticityToken Error when creating a doorkeeper application

I'm pretty new to Rails and I'm beginning with rails-api.
Right now I'm trying to add authentication through doorkeeper using resource owner password credentials.
But when I go to the /oauth/applications page to set up a new app to add my frontend, for example, I get an error about an authenticity token:
ActionController::InvalidAuthenticityToken in Doorkeeper::ApplicationsController#create
As it's a page implemented in the doorkeeper gem itself, isn't it supposed to work by itself?
Does anyone know what's going on and how to solve it?
Thank you guys
This is due to the forgery protection enabled by default by Rails.
If you're working on an API only, my guess is that you can simply turn it off in the environment file (test/development/production.rb) by adding this line:
config.action_controller.allow_forgery_protection = false
Cheers.
It's an incompatibility with rails-api and doorkeeper.
My project is just being started and, based on this and other things, I've chosen grape instead of rails-api. It works for me!
If you can do this, I can't help you now!
tip: Enjoy with grape!

Authlogic_oauth2 alternative for Rails 2.3

In order to let users signup and login using facebook I used the authlogic_oauth2 gem (v.1.1.2) along with oauth2 (v. 0.0.10) and authlogic (2.1.6) in a Rails 2.3 application.
Everything worked well for more than 2 years but from a month or so, users are not able to login or signup with Facebook anymore.
I don't know what happened, but I didn't change anything, so it seems that Facebook changed something on their end and authlogic_oauth2 doesn't seem to be able to work anymore.
What could be the easiest way to fix the issue and bring back user login/signup with Facebook?
Is there any better gem to help on the job?
Thanks in advance,
Augusto
I doubt that you may have done some changes in your present application unknowingly that caused the login and logout failures.
One possible cause of the problem might be the redirections from: http://yoursite.com to http://www.yoursite.com based on the changes that you made. Check the blog that mentions this problem.
The fix is to set: config.action_controller.session[:domain] = '.YOURDOMAIN.COM' inside of environment.rb (Make sure to prefix it with the .). That will make cookies work for both www.yourdomain.com and yourdomain.com (as well as any other subdomains).
I also recommend checking the login behavior in different environments, Development and Production, and then checking the output in the log files carefully.
This may help you to tweak the problem domain, as you mentioned that your code was working previously.
Update:
There is an update in Facebook OAuth, and it is mentioned that all applications need to be updated to the latest version of OAuth.
So that is the possible cause for your problem.
It outlines a plan requiring all sites and apps to migrate to OAuth 2.0, process the signed_request parameter, and obtain an SSL certificate by October 1.
Check the link below:
http://developers.facebook.com/blog/post/497/
Thanks!
I found the solution: Omniauth works perfectly fine with Rails 2.3 and there is even a demo app on how to integrate it with Authlogic.
A popular one would be Devise, which plays well with Omniauth. I am not sure of the compatibility with Rails 2 though; maybe it's time to upgrade...
Any reason you can not use Koala? https://github.com/arsduo/koala

Customizing Devise views in Rails

I'm using devise for user auth, but I have nice mockups for the signup, login, etc. pages.
I've already done the rails generate devise:views User command and have all of the views in the views folder; however, when I replaced registration/new.html.erb with my own new.html.erb, nothing changes nor looks different. It's as if I hadn't done anything.
Anyone know what I'm doing wrong, or at least how to successfully customize Devise views?
P.S. Is it important to note that I changed the route of devise/registration#new to /signup?
At-a-glance answer.
...instead of
rails generate devise:views User
use:
rails generate devise:views
If you've already done it, move the folders devise created from app/views/User to a new folder app/views/devise (or just rename the User folder to devise, if that's an option.)
Those folders are:
app/views/User/confirmations
app/views/User/mailer
app/views/User/passwords
app/views/User/registrations
app/views/User/sessions
app/views/User/shared
app/views/User/unlocks
No other changes are necessary.
Though this is an old question, I thought I'd add to it in case anybody stumbles on it. I'm not sure if this is a new addition since the question was originally asked, but if so, the simpler (more modern) approach is this.
In the file config/initializers/devise.rb there is the following block of code:
# ==> Scopes configuration
# Turn scoped views on. Before rendering "sessions/new", it will first check for
# "users/sessions/new". It's turned off by default because it's slower if you
# are using only default views.
# config.scoped_views = false
By uncommenting config.scoped_views = false and changing its value to true, Devise will automatically check whether the custom view exists and, if so, serve that up.
As the comment says, it may add some overhead to the application but in my experience so far, this is negligible.
Your route signup or devise/registrations#new will render the view views/devise/registrations/new.html.erb. It sounds like you made changes to views/user/registrations/new.html.erb, which would explain why you don't see the changes made, since it's not being rendered.
You will either need to create a user/registrations_controller.rb that extends from Devise::RegistrationsController and point your /signup route to user/registrations#new, or you can just make your changes directly to views/devise/registrations/new.html.erb.
Same idea applies to your login (devise/sessions) pages.
Hope this helps.
For anyone still having a problem with this, the problem lies in the call to rails generate devise:views User. It should be rails generate devise:views for fetching current views from the Devise Rails Engine. This will generate proper views which will work with the default routes.
After generating your custom views, e.g.
rails generate devise:views User
Turn on scoped_views in config/initializer/devise.rb
view config.scoped_views = true
And you are done.
I had the same problem until I went back and read the devise documentation :)
After rails generate devise:views make sure you go into initializers/devise.rb and set config.scoped_views = true. This is explained in the devise documentation at https://github.com/plataformatec/devise as well as in the devise.rb comments.
After I did this, my own views in views/users started showing up instead of the ones in the gem.
Using rails g devise:views User allows you to customize when you have more than one role.
The proper way to do this is going into your devise.rb in the config/initializer/ folder
and uncommenting and setting config.scoped_views = true.
Now you can edit the view erb files without any problems.
For future reference, you can just rename folder from devise => user and vice versa and rails will find a route.