Error on Heroku when denied privileges on Facebook - ruby-on-rails

I got a strange error in my application. It happens when I try to sign in with Facebook and then, on Facebook, deny the app the privileges it asks for.
Here's stack trace:
Started GET "/users/auth/facebook/callback?error=access_denied&error_code=200&error_description=Permissions+error&error_reason=user_denied&state=426366bb3ac72ca4ad2b8b3fea5d5c7f628d6463b5df64a6" for 95.51.182.141 at 2013-09-05 20:55:24 +0000
(facebook) Callback phase initiated.
(facebook) Authentication failure! invalid_credentials: OmniAuth::Strategies::OAuth2::CallbackError, OmniAuth::Strategies::OAuth2::CallbackError
Processing by Devise::OmniauthCallbacksController#failure as HTML
Parameters: {"error"=>"access_denied", "error_code"=>"200", "error_description"=>"Permissions error", "error_reason"=>"user_denied", "state"=>"426366bb3ac72ca4ad2b8b3fea5d5c7f628d6463b5df64a6"}
Completed 500 Internal Server Error in 2ms
NoMethodError (undefined method `to_sym' for nil:NilClass):
vendor/bundle/ruby/1.9.1/gems/mobile-fu-1.1.1/lib/mobile-fu.rb:165:in `mobile_exempt?'
vendor/bundle/ruby/1.9.1/gems/mobile-fu-1.1.1/lib/mobile-fu.rb:114:in `set_mobile_format'
vendor/bundle/ruby/1.9.1/gems/mobile-fu-1.1.1/lib/mobile-fu.rb:89:in `set_request_format'
(...)
What's funny is that when I looked into the mobile-fu code I saw that what's nil (and apparently shouldn't be) is params[:action].

I dug a bit deeper and it seems that Devise works in a funny way such that sometimes params[:action] isn't set. Anyway, it's an issue on the Devise <-> mobile-fu line, or that's what it seems.
Here's an issue on github (which is now closed):
https://github.com/benlangfeld/mobile-fu/issues/22#issuecomment-26775053
The fix isn't what I would wish for, but perhaps there is a reason why params[:action] (and params[:controller]) isn't set.

Related

ClassLink Devise OmniAuth::Strategies::OAuth2::CallbackError, csrf_detected

I've looked through various similar issues and responses but to no avail. Sorry if this is obvious but OAuth is not my area of expertise.
I'm running Rails 5.2 with Ruby 2.7.4 and Devise. I have SSO set up with Facebook and it works fine. I'm trying to get it working with ClassLink, but I'm stuck. When clicking on our ClassLink dashboard icon (ClassLink website), it opens a new browser window to our site, as it should, but fails to log in as that user. A user with the same email is set up on both ends. The server error is
15:14:51 web.1 | D, [2022-09-01T15:14:51.715485 #1139413] DEBUG -- omniauth: (classlink) Callback phase initiated.
15:14:51 web.1 | E, [2022-09-01T15:14:51.720435 #1139413] ERROR -- omniauth: (classlink) Authentication failure! csrf_detected: OmniAuth::Strategies::OAuth2::CallbackError, csrf_detected | CSRF detected
The Omniauth-Classlink Gem calls for a devise.rb entry of
config.omniauth :class_link,
'your-classlink-access-key',
'your-classlink-secret',
strategy_class: 'OmniAuth::Strategies::ClassLink'
but with that last parameter (strategy_class), the server won't start and exits with an error:
NoMethodError: undefined method `new' for "OmniAuth::Strategies::ClassLink":String
so I'm leaving that off since it wasn't required for my working Facebook SSO.
On the failed login I'm getting the following log entry:
Processing by Users::OmniauthCallbacksController#failure as HTML
Parameters: {"code"=>"c166206446884317a72fa1c03772a2b622c9135c526e7a", "response_type"=>"code"}
Redirected to https://dtest.pagekite.me/?locale=en
Filter chain halted as :authorize rendered or redirected
Completed 302 Found in 8ms (ActiveRecord: 0.0ms)
The domain registered on ClassLink matches our server and the callback url is correct. The permissions, routes, callback function, etc. all look OK to me (again, pretty much identical to Facebook). Any suggestions on where I might look next?
Thanks.
It sounds like you have a few different problems going on here.
15:14:51 web.1 | D, [2022-09-01T15:14:51.715485 #1139413] DEBUG -- omniauth: (classlink) Callback phase initiated.
15:14:51 web.1 | E, [2022-09-01T15:14:51.720435 #1139413] ERROR -- omniauth: (classlink) Authentication failure! csrf_detected: OmniAuth::Strategies::OAuth2::CallbackError, csrf_detected | CSRF detected
In the request phase, you receive a state parameter with a random value. The omniauth-oauth2 strategy (from which the omniauth-classlink strategy is subclassed) stores this value in the session. In the callback phase, you again receive a state parameter and it must match the one received in the request phase. This error almost always means there is something wrong with your session.
NoMethodError: undefined method `new' for "OmniAuth::Strategies::ClassLink":String
The value of the strategy_class option should be the class name constant. Removing the quotes should fix it.
Processing by Users::OmniauthCallbacksController#failure as HTML
Parameters: {"code"=>"c166206446884317a72fa1c03772a2b622c9135c526e7a", "response_type"=>"code"}
Redirected to https://dtest.pagekite.me/?locale=en
Filter chain halted as :authorize rendered or redirected
Completed 302 Found in 8ms (ActiveRecord: 0.0ms)
This is Devise trying to authorize the callback request when it should not be. Is your Users::OmniauthCallbacksController calling authenticate_user! in a before action or inheriting that behavior from a parent class?

Ruby on Rails 5.2 - NoMethodError (undefined method `host' for nil:NilClass):

I have a Ruby on Rails 5.2 app running on Ruby 2.6.6 and on the following route: /api/popups it gives me the 500 internal server error.
In the production log I see the following messages:
Started GET "/api/popups" for IP at 2020-12-30 11:12:30 +0000
INFO -- : [e7a305ff-9d4d-4c83-9572-9ea0708e8f69] Processing by controller2#index as HTML
INFO -- : [e7a305ff-9d4d-4c83-9572-9ea0708e8f69] Completed 500 Internal Server Error in 3ms (ActiveRecord: 0.0ms)
FATAL -- : [e7a305ff-9d4d-4c83-9572-9ea0708e8f69]
FATAL -- : [e7a305ff-9d4d-4c83-9572-9ea0708e8f69] NoMethodError (undefined method `host' for nil:NilClass):
FATAL -- : [e7a305ff-9d4d-4c83-9572-9ea0708e8f69]
FATAL -- : [e7a305ff-9d4d-4c83-9572-9ea0708e8f69] app/controllers/concerns/controller1.rb:14:in `popups_for_domain'
[e7a305ff-9d4d-4c83-9572-9ea0708e8f69] app/controllers/controller2.rb:5:in `index'
The controller2.rb index (line 5) looks like:
def index
  popups = popups_for_domain.includes(:popup_template, :color_schema, :target_sets)
end
The controller1.rb line 14 contains:
def popups_for_domain
  return @popups_for_domain if @popups_for_domain
  referer_domain = Addressable::URI.parse(request.referer).host.gsub(/^w{3}\./i, '')
  @popups_for_domain = Popup.where(domain: referer_domain)
end
The error points to the host function from this line: referer_domain = Addressable::URI.parse(request.referer).host.gsub(/^w{3}\./i, '')
What is wrong there and how can I fix it? Thanks.
Addressable::URI.parse returns nil when the URL passed to it was nil or false. That means – at least sometimes – you do not have a request.referer and you need to handle those cases too.
Something like this might work for you:
def popups_for_domain
  return @popups_for_domain if @popups_for_domain
  # No Referer header: bail out instead of calling .host on nil
  return unless request.referer
  referer_domain = Addressable::URI.parse(request.referer).host.gsub(/^w{3}\./i, '')
  @popups_for_domain = Popup.where(domain: referer_domain)
end
According to: https://stackoverflow.com/a/6880668/1564840
request.referrer will/may be empty when the enduser:
- entered the site URL in browser address bar itself.
- visited the site by a browser-maintained bookmark.
- visited the site as first page in the window/tab.
- clicked a link in an external application.
- switched from a https URL to a http URL.
- switched from a https URL to a different https URL.
- has security software installed (antivirus/firewall/etc) which strips the referrer from all requests.
- is behind a proxy which strips the referrer from all requests.
- visited the site programmatically (like, curl) without setting the referrer header (searchbots!).
In my case, I called the API url directly in my browser and that's why the referrer was missing.
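The Referer handling discussed above, as an added example that is not the original app's code or the answer's: it uses Ruby's standard URI library instead of the Addressable gem, and the popups table is a constructed in-memory sample. It goes a step further than the answer in that it treats every way the header can fail (absent, blank, unparseable, no host) the same way, and it refuses to query on a nil domain, because in ActiveRecord `where(domain: nil)` becomes `domain IS NULL` and would match any popup row with an empty domain for every request that carries no Referer. The Referer header is set by the client, so it is only ever a lookup key here, never an authorization decision.

```ruby
require "uri"

# Added example, not the original controller code. Returns the normalized
# referer host, or nil for anything that cannot yield one. Uses stdlib URI
# rather than Addressable (an assumption for this example).
def referer_domain(referer)
  return nil if referer.nil? || referer.strip.empty?
  host = URI.parse(referer.strip).host
  return nil if host.nil? || host.empty?
  # \A anchors at the start of the string; the original used ^ with gsub,
  # which is equivalent for a single-line hostname.
  host.downcase.sub(/\Awww\./, "")
rescue URI::InvalidURIError
  nil # e.g. a Referer containing spaces or other garbage
end

# Constructed sample standing in for the `popups` table (domain, name).
# The last row models a record whose domain column is NULL.
POPUPS = [
  { domain: "example.com",      name: "welcome" },
  { domain: "shop.example.com", name: "sale" },
  { domain: nil,                name: "orphan" },
].freeze

# Mirrors Popup.where(domain: referer_domain), but never queries on nil:
# without the guard, a request with no Referer would return the NULL-domain
# row ("orphan") because where(domain: nil) means `domain IS NULL`.
def popups_for_referer(referer)
  domain = referer_domain(referer)
  return [] if domain.nil?
  POPUPS.select { |row| row[:domain] == domain }.map { |row| row[:name] }
end

if $PROGRAM_NAME == __FILE__
  ["https://www.example.com/page?x=1", nil, "not a url", "/relative/path"].each do |ref|
    puts "#{ref.inspect} -> #{referer_domain(ref).inspect} -> #{popups_for_referer(ref).inspect}"
  end
end
```

In the controller this would be called with request.referer, and the nil case is where you decide whether "no referer" means "no popups" (as here) or a default set; either way the decision is explicit rather than an accident of how nil is translated to SQL.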

axios/rack-cors/react-rails/heroku: Internal Server Error 500 on sign out, no persistence on refresh

ERROR MSG:
Error: Request failed with status code 500
Stack trace:
[42]/</t.exports#http://crdwk.herokuapp.com/packs/bundle-ecc8ea14dbe153e50352.js:1:89311
[42]/</t.exports#http://crdwk.herokuapp.com/packs/bundle-ecc8ea14dbe153e50352.js:1:251725
[42]/</t.exports/</d[h]#http://crdwk.herokuapp.com/packs/bundle-ecc8ea14dbe153e50352.js:1:88311
Ruby version: 2.3
Rails version: 5.1
I have a server-side rendered, client-side hydrated React/Rails app (using gem 'react-rails').
I added the gem 'rack-cors' plus setup in application.rb in order for my requests to work (I'm using axios). However, signing out (a DELETE request) fails and hitting refresh erases the current user. Neither issue occurs locally/in development.
Here's the app: http://crdwk.herokuapp.com
And the repo: https://github.com/English3000/crdwk
I took a look at my Heroku logs:
Completed 500 Internal Server Error in 8ms (ActiveRecord: 0.0ms)
NoMethodError (undefined method `reset_token' for nil:NilClass):
app/controllers/application_controller.rb:29:in `sign_out'
app/controllers/api/sessions_controller.rb:3:in `destroy'
Given that hitting refresh, the current user does not persist, the issue is the current user somehow isn't getting set.
However, this is not an issue in development. Why would that be?
Looking through my project, the only difference I can find on the backend as compared with a client-side rendered one (which I literally copy & pasted the code for this project from) is this line in application_controller.rb:
skip_before_action :verify_authenticity_token
However, if I comment out this line, when I try to sign up, I get the server error
Started POST "/api/users" for 127.0.0.1 at 2018-03-05 12:16:57 -0800
Processing by Api::UsersController#create as JSON
Parameters: {"user"=>{"email"=>"", "password"=>"[FILTERED]"}}
Can't verify CSRF token authenticity.
Completed 422 Unprocessable Entity in 1ms (ActiveRecord: 0.0ms)
ActionController::InvalidAuthenticityToken - ActionController::InvalidAuthenticityToken:
This is a result of using gem 'react-rails'. (I don't get this error for my other client-side rendered project.)
There isn't an "authenticity_token" parameter.
I find these two resources: Rails security and Learnetto's how-to.
So I add these two lines of code from the second article to my api.js:
const csrfToken = document.querySelector("meta[name=csrf-token]").content;
axios.defaults.headers.common["X-CSRF-Token"] = csrfToken;
Now my web app works with the extra application_controller.rb line commented out. EXCEPT, I can't use the DOM to grab the csrf token for my React Native version, so I now have the same issue for mobile...
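The check that produces the 422 above, as an added example that is neither the app's code nor Rails' own: a simplified re-implementation of the masked authenticity token scheme Rails 5 uses in protect_from_forgery (the per-form token variant is omitted, and the session is a plain Hash). It shows why a GET passes and a DELETE with no token is rejected, why every page serves a different token string that still verifies, and that the server only cares that the presented value unmasks to the session's token. That last point is what matters for the React Native case: a client with no DOM can send the same X-CSRF-Token header as long as it obtained a token for its own session some other way (for example, from a JSON endpoint returning form_authenticity_token, which is an assumption about the app rather than something it has today) and sends the session cookie with the request.

```ruby
require "securerandom"

# Added example: a simplified model of Rails 5's masked CSRF token, not the
# framework's code. TOKEN_LENGTH mirrors Rails' AUTHENTICITY_TOKEN_LENGTH.
TOKEN_LENGTH = 32

def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack("C*")
end

# Constant-time comparison so the check does not leak the token via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# The real token lives only in the session, one per session, stored as
# strict base64 ("m0") the way Rails stores session[:_csrf_token].
def real_csrf_token(session)
  session["_csrf_token"] ||= [SecureRandom.random_bytes(TOKEN_LENGTH)].pack("m0")
  session["_csrf_token"].unpack1("m0")
end

# What csrf_meta_tags / form_authenticity_token hand to the client: the real
# token XORed with a fresh one-time pad, pad prepended, base64 encoded. Each
# call yields a different string (a BREACH mitigation) that unmasks to the
# same session token.
def masked_authenticity_token(session)
  pad = SecureRandom.random_bytes(TOKEN_LENGTH)
  [pad + xor_bytes(pad, real_csrf_token(session))].pack("m0")
end

# Decode, split pad and ciphertext, unmask, compare against the session's
# token. Anything malformed is simply invalid.
def valid_authenticity_token?(session, encoded)
  return false if encoded.nil? || encoded.empty?
  masked = encoded.unpack1("m0")
  return false unless masked.bytesize == TOKEN_LENGTH * 2
  pad = masked.byteslice(0, TOKEN_LENGTH)
  encrypted = masked.byteslice(TOKEN_LENGTH, TOKEN_LENGTH)
  secure_compare(xor_bytes(pad, encrypted), real_csrf_token(session))
rescue ArgumentError
  false # not valid strict base64
end

# protect_from_forgery in miniature: safe methods pass; every other method
# needs a valid token from either the form param or the X-CSRF-Token header.
# The header is the path axios (and a React Native client) would use.
def verified_request?(method, session, form_param: nil, header: nil)
  return true if %w[GET HEAD].include?(method.upcase)
  valid_authenticity_token?(session, form_param) || valid_authenticity_token?(session, header)
end

if $PROGRAM_NAME == __FILE__
  session = {}
  token = masked_authenticity_token(session)
  puts "GET without token:     #{verified_request?('GET', session)}"
  puts "DELETE without token:  #{verified_request?('DELETE', session)}"
  puts "DELETE with header:    #{verified_request?('DELETE', session, header: token)}"
  puts "DELETE, other session: #{verified_request?('DELETE', {}, header: token)}"
end
```

Commenting out skip_before_action :verify_authenticity_token turns this check back on for the API controllers; the two axios lines above satisfy it for the browser because the meta tag and the cookie belong to the same session. A token copied into a mobile client from a different session, or sent without the session cookie, fails for the same reason the "other session" case above does.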

Rails 500 error in log, 404 page returned and no error description

I have an application running on NGINX/Passenger in production environment. Most of the pages render fine, but some do not. The server returns the static 404 error page, but when checking the production log, the following is appended:
Started GET "/upload" for 92.111.174.132 at 2015-11-26 14:07:50 +0000
Processing by Upload::StaticController#index as HTML
Rendered upload/static/index.html.erb within layouts/upload (1.1ms)
Completed 500 Internal Server Error in 8.0ms
Note that there are no error messages or backtraces; this is really all there is. I've checked NGINX's error log and it does not report an error. I really don't know where to go from here.

Could not authenticate you from Foursquare because "Csrf detected"

I'm using Devise + Omniauth (actually omniauth-foursquare, the foursquare OAuth2 strategy) in my Rails app.
Upon signing in, I keep being redirected to my app (/users/sign_in#=) with the following error:
Could not authenticate you from Foursquare because "Csrf detected"
Any insights?
This is what I see last in the console:
I, [2014-10-19T19:43:38.947771 #2] INFO -- omniauth: (foursquare) Request phase initiated.
Started GET "/users/auth/foursquare" for 142.255.113... at 2014-10-19 19:43:38 +0000
Parameters: {"code"=>"2MZGM413...", "state"=>"1ba1cec3beb4..."}
Processing by Devise::SessionsController#new as HTML
Started GET "/users/auth/foursquare/callback?code=2MZGM413...&state=1ba1cec3beb4..." for 142.255.113... at 2014-10
I, [2014-10-19T19:43:39.378477 #2] INFO -- omniauth: (foursquare) Callback phase initiated.
E, [2014-10-19T19:43:39.378660 #2] ERROR -- omniauth: (foursquare) Authentication failure! csrf_detected: OmniAuth::Strategies::OAuth2::CallbackError, csrf_detected | CSRF detected
As far as I can tell, my troubles started when I received a "cookie overflow" error and switched to session storing (session_store.rb):
Rails.application.config.session_store :active_record_store, key: '_APPNAME_session', domain: 'DOMAIN.com'
Thanks!
If you inspect the source for your app, you'll see that the generated HTML includes the CSRF meta tags in the HEAD element (i.e. csrf-token and csrf-param). Most likely, one of your layouts/views is calling the csrf_meta_tags method. Try removing it to see if it works, and then consider creating a separate layout without it for forms that won't need it. Other people with more experience on frontend rails could chime in here with best practices.
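The state check described in the ClassLink answer earlier on this page, which is also what fails in this Foursquare thread, as an added example rather than code from omniauth-oauth2, Devise, or either app: a minimal model of the request and callback phases with a Hash standing in for the Rails session. The provider URL and parameter names are illustrative. One caveat a practitioner will want: this check is independent of Rails' form authenticity token. csrf_meta_tags only renders the meta tags for that token and plays no part in OmniAuth's state comparison, so the place to look for "csrf_detected" is whether the session written in the request phase is the session read in the callback phase (a session cookie whose domain option does not match the host serving the callback, or a store switched between the two phases, both lose it). The scenarios below show each way the check can fail: a session that is empty at the callback, a forged state, a missing state, and a replayed one.

```ruby
require "securerandom"

# Added example, not omniauth-oauth2's code: the state handshake whose
# failure is reported as "csrf_detected". A plain Hash stands in for the
# Rails session; the provider URL is illustrative.
class StateCheckError < StandardError; end

# Request phase: mint an unguessable state, remember it in the session, and
# send the browser to the provider carrying it.
def request_phase(session)
  state = SecureRandom.hex(24)
  session["omniauth.state"] = state
  "https://provider.example/oauth/authorize?response_type=code&state=#{state}"
end

# Constant-time comparison so the stored state does not leak through timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Callback phase: the state echoed by the provider must be present and must
# equal the one in THIS browser's session. The stored value is consumed on
# every attempt so a captured callback URL cannot be replayed.
def callback_phase(session, params)
  expected = session.delete("omniauth.state")
  received = params["state"].to_s
  if expected.nil? || received.empty? || !secure_compare(received, expected)
    raise StateCheckError, "csrf_detected"
  end
  params["code"] # a real strategy now exchanges this for an access token
end

def outcome
  yield
rescue StateCheckError => e
  e.message
end

def state_from(url)
  url[/state=(\h+)/, 1]
end

# Each key names the situation it models; values are the code on success or
# the error message on failure.
def run_scenarios
  results = {}

  session = {}
  state = state_from(request_phase(session))
  results[:same_session] = outcome { callback_phase(session, "code" => "abc", "state" => state) }

  session = {}
  state = state_from(request_phase(session))
  # The callback arrives with an empty session: cookie dropped, scoped to
  # another domain, or the store was switched between the two phases.
  results[:lost_session] = outcome { callback_phase({}, "code" => "abc", "state" => state) }

  session = {}
  request_phase(session)
  # Login CSRF: the victim is sent to a callback URL the attacker built.
  results[:forged_state] = outcome { callback_phase(session, "code" => "abc", "state" => SecureRandom.hex(24)) }

  session = {}
  request_phase(session)
  results[:missing_state] = outcome { callback_phase(session, "code" => "abc") }

  session = {}
  state = state_from(request_phase(session))
  callback_phase(session, "code" => "abc", "state" => state)
  results[:replay] = outcome { callback_phase(session, "code" => "abc", "state" => state) }

  results
end

puts run_scenarios.inspect if $PROGRAM_NAME == __FILE__
```

To reproduce the lost-session case against a real app, watch the Set-Cookie header on the /users/auth/<provider> response and the Cookie header on the /users/auth/<provider>/callback request: if the callback request does not carry the cookie that was set in the request phase, the state stored there is unreachable and the strategy has no choice but to refuse.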
