I building a javascript frontend (ember) to a rails api, and I'm using devise for user authentication.
All works well, but the password reccovery is giving me a hard time. I looked at the views/devise/password/edit.html.erb in devise and the properties seem to be password, new_password and password_reset_token.
I'm catching the password reset token from the url that is emailed, and constructed the following ajax call from it:
$.ajax({
url: '/users/password.json',
type: 'PUT',
data: {password: this.get('password'), password_confirmation: this.get('passwordconfirmation'), reset_password_token: this.get('content.reset_token')}
});
I can see the call gets accepted, but I'm getting a devise error that I can't understand. I think it has something to do with the resource that is passed back from the standard view, but I thought I covered that by the /user part in the ajax call.
All that I can find on the web is about login and change password, nothing about this bit.
The error I'm getting is:
Started PUT "/users/password.json" for 127.0.0.1 at 2013-05-29 09:01:36 +0200
Processing by Devise::PasswordsController#update as JSON
Parameters: {"password"=>"[FILTERED]", "password_confirmation"=>"[FILTERED]", "reset_password_token"=>"[FILTERED]"}
Completed 500 Internal Server Error in 1ms
NoMethodError - undefined method `[]' for nil:NilClass:
(gem) devise-2.1.2/lib/devise/models/recoverable.rb:125:in `reset_password_by_token'
(gem) devise-2.1.2/app/controllers/devise/passwords_controller.rb:30:in `update'
Thanks for your time.
Solution was to wrap the properties in the resource (user in my case):
$.ajax({
url: '/users/password.json',
type: 'PUT',
data: {'user[password]': this.get('password'), 'user[password_confirmation]': this.get('passwordconfirmation'), 'user[reset_password_token]': this.get('content.reset_token')}
});
my way:
$.ajax({url: '/users/password', type: 'PUT', data: { password: $password, password_confirmation: $password_confirmation, current_password: $current_password }});
You can try it if you didn't solve it......
Related
I have a Ruby On Rails application. Now, I started getting ActionController::InvalidAuthenticityToken error while updating password in admin_controller.
CSRF token is present in layout.
Earlier it was working, today when I get a warning from google to change password, I tried to update the password & got this error.
Below is the request:
Started PATCH "/admin/password/change" for 127.0.0.1 at 2020-07-25 22:05:38 +0530
Processing by Admin::PasswordsController#update as HTML
Parameters: {"utf8"=>"✓", "authenticity_token"=>"osXhNhqJZ9qXeJ4F2BXrJvOTflrG5G3MGPl7yuOa4Y8PoqIXKEVe17bqO5u9nGYG2Bn0Zun2U9mOR4/uxNajsg==", "current_password"=>"[FILTERED]", "password"=>"[FILTERED]", "password_confirmation"=>"[FILTERED]"}
I am using devise-4.3 for authentication.
If tried to update the password 3-4 time, then it works but not each time.
I believe I should refresh the token, turbolinks might be creating an issue.
Every other post/patch request is working.
Ruby-2.4.0, Rails-5.1.4
Go to the controller that’s generating the error, and paste following line of code above all the defined functions:
skip_before_filter :verify_authenticity_token, :only => :create
OR
protect_from_forgery with: :null_session
save it then restart the server!
Let me know if this works for you!
Need to Hard reload the page/disable turbolinks, so I added the following in link_to
<%= link_to 'Change Password', change_admin_password_path, data: { turbolinks: false }) %>
Now the complete page reload is happening and I am able to update the password.
I have an issue with rails and faraday when I try to receive access token which should be included in a JSON response from the external Api.
What I want to do is user authentication based on external API.
I assume that the User already has valid credentials (in this case email as username and password).
Now when he connects to my Api, I send JSON request to the external Api to verify whether this user is valid and wait for access token.
Once the access token is sent in a response, user authentication is successful and I have access to the other endpoints
This is my controller
module Api
class AuthenticationController < ApplicationController
def create
client = XXX::AuthClient.new
response = client.authenticate(
email: params[:email],
password: params[:password]
)
api_client = XXX::Client.new(response[:access_token])
if response[:access_token]
api_user = api_client.get_user()
if api_user["id"]
db_user = User.create(xxx_id: api_user["id"], xxx_access_token: response[:access_token])
end
end
render json: { access_token: db_user.access_token }
end
end
end
And this is my AuthClient service
class AuthClient
def initialize
#http_client = Faraday.new('https://auth.xxx.com/')
end
def authenticate(email:, password:)
headers = {
'Content-Type': 'application/json'
}.to_json
body = {
grant_type: "password",
username: email,
password: password,
client_id: "particularclientid",
client_secret: "particularclientsecret"
}.to_json
api_response = http_client.post("/oauth2/token", body)
response = JSON.parse(api_response.body)
if response["access_token"]
{ access_token: access_token }
else
{ error: "autentication error" }
end
end
private
attr_reader :http_client
end
end
What I know is that curl in the following format is correct and I can see User's access token, refresh token etc.
curl -X POST -H "Content-Type: application/json" -d '{
"grant_type": "password",
"username": "test+user#example.com",
"password": "examplepassword",
"client_id": "particularclientid",
"client_secret": "particularclientsecret"
}' "https://auth.xxx.com/oauth2/token"
But when I run my curl
curl -X POST -d 'email=test+user#example.com&password=examplepassword' "http://localhost:3000/api/auth"
I see that my request is not correct. But I have no clue where is the problem because header and body are formatted to JSON (I have entered puts headers, puts body and puts response to verify that).
Started POST "/api/auth" for 127.0.0.1 at 2017-03-31 16:42:26 +0200
Processing by Api::AuthenticationController#create as */*
Parameters: {"email"=>"test user#example.com", "password"=>"[FILTERED]"}
{"Content-Type":"application/json"}
{"grant_type":"password","username":"test user#example.com","password":"examplepassword","client_id":"particularclientid","client_secret":"particularclientsecret"}
{"error"=>"invalid_request", "error_description"=>"The request is missing a required parameter, includes an unsupported parameter value, or is otherwise malformed."}
Completed 500 Internal Server Error in 610ms (ActiveRecord: 0.0ms)
NoMethodError (undefined method `access_token' for nil:NilClass):
app/controllers/api/authentication_controller.rb:21:in `create'
Is my request incorrect or the problem exists somewhere else?
I am not experienced developer. Just trying to learn enough to start as a Junior RoR. I tried to find a solution on stack and on different sites but I am stucked. Even faraday docs does not help me much
When URIs are escaped, a + is used as a replacement for whitespace. As such, when your controller un-escapes the URI, the + is changed back into a space. If you want to send a space, use %2B instead.
For your first problem, the error message indicates that db_user is nil when you try to do db_user.access_token. So, either response[:access_token] is nil, api_user["id"] is nil, or User.create failed.
You'll need to put in some debugging to find out where your problem is.
This is the request I send to the rails controller:
function login(){
$.ajax({
type: 'GET',
url: '/api/myapi/show',
username: 'username',
password: 'password',
contentType: "application/json; charset=utf-8",
success: function(data){
console.log(data);
},
error: function(xhr, ajaxOptions, thrownError) {
console.log(arguments);
}
});
}
login function is used as follows:
<body onload='login();'>
This is the controller:
class Api::MyApi::BaseController < ApplicationController
before_filter :authenticate
attr_reader :user
def authenticate
authenticate_or_request_with_http_basic do |username, password|
#authenticate method checks if user with username and password exists in database
#user = User.authenticate(username, password)
end
end
end
When I send the request, this is what's printed in the terminal:
Started GET "/api/myapi/show" for 127.0.0.1 at 2015-12-15 09:42:22 +0100
Processing by Api::MyApi#show as JSON
Parameters: {"id"=>"show", "test"=>{}}
Filter chain halted as :authenticate rendered or redirected
Completed 401 Unauthorized in 0ms (ActiveRecord: 0.0ms)
Started GET "/api/myapi/show" for 127.0.0.1 at 2015-12-15 09:42:22 +0100
Processing by Api::MyApi#show as JSON
Parameters: {"id"=>"show", "test"=>{}}
User Load (0.1ms) SELECT `users`.* FROM `users` WHERE `users`.`authorized` = 1 AND `users`.`verification_approved` = 1 AND `users`.`login` = 'user_login' LIMIT 1
Location Load (0.1ms) SELECT `locations`.* FROM `locations` WHERE `locations`.`id` = 9999 LIMIT 1
Rendered api/myapi/show.json.rabl (0.5ms)
Completed 200 OK in 8ms (Views: 2.6ms | ActiveRecord: 0.7ms)
As you can see, it tries to authenticate twice and fails the first time. It doesn't even get inside "authenticate_or_request_with_http_basic" because if I write a print statement inside the "authenticate_or_request_with_http_basic", it doesn't get printed the first time(when authentication fails), but does get printed the second time.
Things I tried:
1) When Removing the before_filter completely and just authenticating in the show method, the issue doesn't occur anymore.
2) When keeping/using the before_filter but replacing the authenticate_or_request_with_http_basic with 'true' like this:
def authenticate
true
end
the issue doesn't occur either.
3) The issue doesn't occur when I send a request with python:
import requests
r = requests.get('URL_TO__RoR_Controller', auth=('username', 'password'))
print r.text
UPDATE:
This might be useful info: The request is sent every 10 seconds, and the credentials are sent with every request. Perhaps this has something to do with the issue.
You are sending username and password as params
AFAIK Basic auth works by setting the authorization headers
Use jQuery's beforeSend callback to add an HTTP header with the authentication information: http://api.jquery.com/jQuery.ajax/
beforeSend: function (xhr) {
xhr.setRequestHeader ("Authorization", "Basic " + btoa(username + ":" + password));
},
The btoa() method encodes a string in base-64.
In your controller you can check the headers with
request.env["HTTP_AUTHORIZATION"]
Let me know if this works for you.
Long time lurker, first time poster here.
There are many good guides and resources about JWTs and how and where to store them. But I'm running into an impasse when it comes to securely storing and sending a JWT between a ReactJS/Flux app running on a Node server and a completely separate Rails API.
It seems most guides tell you to just store the JWT in local storage and pluck it out for every AJAX request you make and pass it along in a header. https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage/ warns against this, however, since local storage is not secure and a malicious person could access that token. It recommends storing it in the cookie instead and just letting the web browser pass it along with each request.
That sounds fine to me since from what I understand cookies get conveniently sent along with every request anyway. It means I can just make AJAX requests from my ReactJS app to my Rails API and have the API pluck it out, check it, and do it's thing.*
The problem I'm running into is my Node application doesn't set a cookie from the response it gets back from the Rails API even though the Rails API (running on localhost:3000) returns a Set-Cookie header and sends it back to the ReactJS/Node app (running on localhost:8080).
Here's my login controller action on my Rails API side:
class V1::SessionsController < ApplicationController
def create
user = User.where(email: params[:user][:email]).first!
if user && user.authenticate(params[:user][:password])
token = issue_new_token_for(user)
# I've tried this too.
# cookies[:access_token] = {
# :value => token,
# :expires => 3.days.from_now,
# :domain => 'https://localhost:8080'
# }
response.headers['Set-Cookie'] = "access_token=#{token}"
render json: { user: { id: user.id, email: user.email }, token: token }, status: 200
else
render json: { errors: 'username or password did not match' }, status: 422
end
end
end
The gist of it is it takes an email and password, looks the user up, and generates JWT if the info checks out.
Here's the AJAX request that is calling it from my Node app:
$.ajax({
url: 'http://localhost:3000/v1/login',
method: 'post',
dataType: 'json',
data: {
user: {
email: data.email,
password: data.password
},
callback: '' //required to get around ajax CORS
},
success: function(response){
console.log(response);
},
error: function(response) {
console.log(response);
}
})
Inspecting the response from the Rails API shows it has a Set-Cookie header with a value of access_token=jwt.token.here
Screenshot:
Chrome Dev Tools Inspector Screenshot
However, localhost:8080 does not show any cookies set and subsequent AJAX calls from my Node/React app do not have any cookies being sent along with them.
My question is, what piece(s) am I misunderstanding. What would I have to do to make storing JWTs in cookies work in this scenario?
A follow-up question: assuming storing the JWT in a cookie is not an option, what potential security risks could there be with storing the JWT in local storage (assuming I don't put any sensitive info in the JWT and they all expire in some arbitrary amount of time)?
*this may be a fundamental misunderstanding I have. Please set me straight if I have this wrong.
Side-notes that may be of interest:
My Rails API has CORS setup to only allow traffic from localhost:8080
in development.
In production, the Node/React app will probably be
running on a main domain (example.com) and the Rails API will be
running on a sub domain (api.example.com), but I haven't gotten that
far yet.
There's nothing sensitive in my JWT, so local storage is an
option, but I want to know why my setup doesn't work with cookies.
Update elithrar submitted an answer that worked:
I needed to modify my AJAX request with xhrFields and crossDomain as well as tell jQuery to support cors:
$.support.cors = true;
$.ajax({
url: 'http://localhost:3000/v1/login',
method: 'post',
dataType: 'json',
xhrFields: {
withCredentials: true
},
crossDomain: true,
data: {
user: {
email: data.email,
password: data.password
}
},
success: function(response){
console.log(response);
},
error: function(response) {
console.log(response);
}
})
And I added credentials: true and expose: true to my Rack Cors configuration on my Rails API (the * is only for my development environment):
config.middleware.insert_before 0, 'Rack::Cors' do
allow do
origins '*'
resource '*', :headers => :any, :methods => [:get, :post, :put, :path, :options], credentials: true, expose: true
end
end
Hi I have a ember app with
frontend with ember-cli-simple-auth-torii & ember-cli-simple-auth-devise
backend with devise and omniauth-facebook
THe torii gives you an authorizationCode on login in with facebook and what we do with this authorization code is upto us.
Since it is good practice to authenticate user against server side.
I want to use this authorizationCode with omni auth.
My AuthenticationController looks like this
class AuthenticationsController < Devise::OmniauthCallbacksController
def facebook
omniauth = request.env["omniauth.auth"]
authentication = Authentication.find_by_provider_and_uid(omniauth['provider'], omniauth['uid'])
...
sign_in(:user,user)
end
end
My SessionsController
class SessionsController < Devise::SessionsController
def create
respond_to do |format|
format.html { super }
format.json do
binding.pry
self.resource = warden.authenticate!(auth_options)
sign_in(resource_name, resource)
data = {
user_token: self.resource.authentication_token,
user_email: self.resource.email
}
render json: data, status: 201
end
end
end
end
I am not sure if my approach is right but I guess calling the users/auth/facebook/callback
from my client should trigger authentication process at server side and I can authorize user later for crud operations in my app.
authenticateWithFacebook: function(provider) {
var self = this
this.get('session').authenticate('simple-auth-authenticator:torii', "facebook-oauth2" ).then(function() {
var authorizationCode= self.get('session.authorizationCode');
console.log(authorizationCode);
Ember.$.ajax({
type: 'POST',
url: 'http://localhost:3000/users/auth/facebook/callback',
dataType: 'json',
data: {
code: authorizationCode,
},
success: function(data, textStatus, jqXHR) {
// Handle success case
},
error: function(jqXHR, textStatus, errorThrown) {
// Handle error case
}
});
});
},
My Server logs says I am able to initiate omniauth facebook login callback phase
but then it gives error Error validating verification code. Please make sure your redirect_uri is identical to the one you used in the OAuth dialog request
Started POST "/users/auth/facebook/callback" for 127.0.0.1 at 2014-11-16 11:03:44 +0530
I, [2014-11-16T11:03:44.926842 #5160] INFO -- omniauth: (facebook) Callback phase initiated.
E, [2014-11-16T11:03:46.185161 #5160] ERROR -- omniauth: (facebook) Authentication failure! invalid_credentials: OAuth2::Error, :
{"error":{"message":"Error validating verification code. Please make sure your redirect_uri is identical to the one you used in the OAuth dialog request","type":"OAuthException","code":100}}
Processing by AuthenticationsController#failure as HTML
Parameters: {"code"=>"AQBaag8FhEzyd8qCMh14HbAl-iBXrpK1YSrP9vz72kzRE86S-cf0Vsf1sSfpR1-Fajr1QfUbAoyYqj3ivcXayGk5KcmT27b4avy1NAcLzM2FcW1neGS9RA6CoVhYXpj2rbjYY7Dm-1Qw6Me0RjiidwJxwF4SVUVX4S6Y5UatRMW6FW2IyKxJJy8e0-VYlmFBpv3VKjq3tYE_pdM6lKLTEBAyApvIm2UfTZXLqeWWIIIf3romLB-q48BXvv2koM5fSkrvB2HyPOJq9Y_RLeWtw4nARn8aluJC-KhyYfUcprf_KzM30ZBYNxu5S6IYkgcdq_kwEsHinoddDqe-"}
Redirected to http://localhost:3000/users/sign_in
Completed 302 Found in 62ms (ActiveRecord: 0.0ms)
Error validating verification code. Please make sure your redirect_uri is identical to the one you used in the OAuth dialog request
I am calling Facebook server from my client side port: 4200
and my ajax call uses url http: // localhost :3000/users/auth/facebook/callback port 3000
When in my ajax call from client side I use /users/auth/facebook/callback
I get error : Invalid redirect i.e type: 'POST',
url: '/users/auth/facebook/callback',
dataType: 'json',
Started POST "/users/auth/facebook/callback" for 127.0.0.1 at 2014-11-16 11:27:40 +0530
I, [2014-11-16T11:27:40.150441 #5160] INFO -- omniauth: (facebook) Callback phase initiated.
E, [2014-11-16T11:27:41.336997 #5160] ERROR -- omniauth: (facebook) Authentication failure! invalid_credentials: OAuth2::Error, :
{"error":{"message":"Invalid redirect_uri: \u0926\u093f\u0932\u0947\u0932\u0940 URL \u0905\u0928\u0941\u092a\u094d\u0930\u092f\u094b\u0917 \u0915\u0949\u0928\u094d\u092b\u093f\u0917\u0930\u0947\u0936\u0928\u0926\u094d\u0935\u093e\u0930\u0947 \u0905\u0928\u0941\u092e\u0924 \u0928\u093e\u0939\u0940.","type":"OAuthException","code":191}}
Processing by AuthenticationsController#failure as JSON
Parameters: {"code"=>"AQD38nHY4xvZnGdaFNJrjcIiBaSMPa3ZLsr3jpV8aPRoFHPGOTITGMtPZ9sA7pts41JnObhCsK3fLTI64Z-7YJi2PQGL7_O1i5m8GF57dGBYegxnSOZJAYxhiuxnIwxp4uhw4OBz61hthtOsF1BNw0bK3LNQJbJPXK0LO0HxasZ0d06swFcp4t8mminRhv6Qsx7ZQVCrOs7oonYfyNxGQiVUB7UM6u7JcPVYaySfJQR1QkMKnLvQ058kbKEUaIvvUyrLE73Gjs_i4mgb4SBAZMbR3c1qVlPgZ-75cIsyqmttmqhO-y4NgEAOPh"}
Redirected to http : // 127.0.0.1 :3000/users/sign_in
Completed 302 Found in 74ms (ActiveRecord: 0.0ms)
I dont know if my approach is right.
I want to have devise + torii authentication both
//This worked for me waiting for more elegant way.
authenticateWithFacebook: function(provider)
{
var self = this;
this.get('session').authenticate('simple-auth-authenticator:torii', "facebook-connect" ).then(function()
{
var access_token= self.get('session.accessToken');
Ember.$.ajax({
type: 'POST',
url: 'http://localhost:3000/users/auth/facebook_access_token/callback',
dataType: 'json',
data: {
access_token : access_token,
},
success: function(data, textStatus, jqXHR) {
// Handle success case
},
error: function(jqXHR, textStatus, errorThrown) {
// Handle error case
}
});
self.transitionTo('dashboard');
});
},