I'm using Devise for authentication, but after I upgraded from Rails 4 to Rails 5 I cannot log in even though the CSRF token is inside the request.
Here is the server log I'm seeing:
Started POST "/users/sign_in" for 127.0.0.1 at 2019-04-02 15:27:09 +1100
Processing by Users::SessionsController#create as HTML
Parameters: {"utf8"=>"✓", "authenticity_token"=>"q3Ui2rNEIIuRcpNxpbhbIxYLWuYcfd4FxBzIHKgBvdFLUZ96gTIJSQ37kfziG82Vg77NHfdvEkIrThfG6ySpiQ==", "user"=>{"email"=>"xxx", "password"=>"[FILTERED]", "remember_me"=>"0"}}
User Load (0.5ms) SELECT `users`.* FROM `users` WHERE `users`.`email` = 'xxx' ORDER BY `users`.`id` ASC LIMIT 1
(0.2ms) BEGIN
SQL (0.3ms) UPDATE `users` SET `current_sign_in_at` = '2019-04-02 03:46:49', `sign_in_count` = 16, `updated_at` = '2019-04-02 03:46:49' WHERE `users`.`id` = 2
(2.2ms) COMMIT
Can't verify CSRF token authenticity.
(0.2ms) BEGIN
(0.1ms) COMMIT
User Load (0.3ms) SELECT `users`.* FROM `users` WHERE `users`.`email` = 'xxx' ORDER BY `users`.`id` ASC LIMIT 1
(0.2ms) BEGIN
SQL (0.4ms) UPDATE `users` SET `last_sign_in_at` = '2019-04-02 03:46:49', `sign_in_count` = 17 WHERE `users`.`id` = 2
(0.3ms) COMMIT
Obviously, when I skip the authenticity token verification the problem goes away.
After digging around a bit I found this thread and specifically this:
For Rails 5, note that protect_from_forgery is no longer prepended to the before_action chain, so if you have set authenticate_user before protect_from_forgery, your request will result in "Can't verify CSRF token authenticity." To resolve this, either change the order in which you call them, or use protect_from_forgery prepend: true.
So the problem is solved :)
(thanks Mark Merritt who pointed out to the same issue as well)
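As an added example (not the question's code, and not Rails or Devise code), the following Ruby model of the Rails 5 before_action chain shows why the callback order decides whether the sign-in POST passes CSRF verification; it runs without Rails. It assumes two things the quoted thread relies on: Rails 5 appends protect_from_forgery's verify_authenticity_token callback like any other before_action unless `prepend: true` is given, and Devise's clean_up_csrf_token_on_authentication setting (on by default) deletes the session's CSRF token as soon as a user is signed in.

```ruby
require 'securerandom'

# Minimal stand-in for a Rails 5 controller callback chain (model only).
class ControllerChain
  def initialize
    @chain = []
  end

  # Rails 5: before_action appends; prepend: true puts the callback first.
  def before_action(name, prepend: false)
    prepend ? @chain.unshift(name) : @chain.push(name)
  end

  # Runs the callbacks in order; the first one returning :halt stops the
  # chain and its name is returned, otherwise the action would run.
  def run(session, params)
    @chain.each do |name|
      return name if send(name, session, params) == :halt
    end
    :action_ran
  end

  # Stand-in for verify_authenticity_token: the form token must match the
  # token stored in the session (Rails uses a constant-time comparison).
  def verify_authenticity_token(session, params)
    stored = session[:_csrf_token]
    return nil if stored && params[:authenticity_token] == stored
    :halt # this is where Rails logs "Can't verify CSRF token authenticity."
  end

  # Stand-in for Devise's authenticate_user! on the sign-in request: with
  # params authentication allowed, Warden signs the user in here, and Devise's
  # after_set_user hook then deletes the CSRF token to prevent token fixation.
  def authenticate_user!(session, params)
    return :halt unless params[:password] == 'constructed-password' # sample value
    session[:user_id] = 2
    session.delete(:_csrf_token)
    nil
  end
end

# Builds the chain the way the question's app did (authenticate_user! declared
# before protect_from_forgery) and returns what stopped the request, if anything.
def sign_in_request(prepend_csrf:)
  token = SecureRandom.base64(32)
  session = { _csrf_token: token }
  params = { authenticity_token: token, password: 'constructed-password' }
  controller = ControllerChain.new
  controller.before_action(:authenticate_user!)
  controller.before_action(:verify_authenticity_token, prepend: prepend_csrf)
  controller.run(session, params)
end
```

Without `prepend: true` the user is signed in first, the session token is gone by the time verification runs and the request is rejected; with it, verification sees the original token and the sign-in goes through.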
I'm using devise_token_auth and angular2-token. But Devise is not registering that a user is signed in.
I have a create definition that returns the current_user and the user_signed_in? status:
class MoviesController < ApplicationController
  before_action :set_movie, only: [:show, :update, :destroy]

  # POST /movies
  def create
    if Movie.exists?(title: movie_params[:title])
      render json: { body: 'Movie already exists', status: 400 }
    else
      @user = current_user
      @signed_in = user_signed_in?
      render json: {
        user: @user, status: @signed_in
      }
    end
  end

  def movie_params
    # whitelist params
    params.permit(:title, :created_by, :id)
  end
end
When I run my application this returns user: null, status: false.
The ApplicationController:
class ApplicationController < ActionController::API
  include DeviseTokenAuth::Concerns::SetUserByToken
end
The strange thing is that I do have a user signed in. This is what the Rails log shows when I reload the page:
Started GET "/auth/validate_token" for 127.0.0.1 at 2017-07-07 09:15:03 +0200
Started GET "/auth/validate_token" for 127.0.0.1 at 2017-07-07 09:15:03 +0200
Processing by DeviseTokenAuth::TokenValidationsController#validate_token as JSON
Processing by DeviseTokenAuth::TokenValidationsController#validate_token as JSON
Parameters: {"token_validation"=>{}}
Parameters: {"token_validation"=>{}}
User Load (0.0ms) SELECT `users`.* FROM `users` WHERE `users`.`uid` = 'peter#cleanpixel.nl' LIMIT 1
User Load (0.5ms) SELECT `users`.* FROM `users` WHERE `users`.`uid` = 'peter#cleanpixel.nl' LIMIT 1
(1.5ms) BEGIN
(0.0ms) BEGIN
User Load (1.0ms) SELECT `users`.* FROM `users` WHERE `users`.`id` = 2 LIMIT 1 FOR UPDATE
User Load (67.6ms) SELECT `users`.* FROM `users` WHERE `users`.`id` = 2 LIMIT 1 FOR UPDATE
(3.5ms) COMMIT
Completed 200 OK in 137ms (Views: 0.2ms | ActiveRecord: 6.5ms)
(2.5ms) COMMIT
Completed 200 OK in 142ms (Views: 0.1ms | ActiveRecord: 71.1ms)
And this is what Rails logs when I log in my user:
Started OPTIONS "/auth/sign_in" for 127.0.0.1 at 2017-07-07 09:22:44 +0200
Started POST "/auth/sign_in" for 127.0.0.1 at 2017-07-07 09:22:44 +0200
Processing by DeviseTokenAuth::SessionsController#create as JSON
Parameters: {"email"=>"peter#cleanpixel.nl", "password"=>"[FILTERED]", "session"=>{"email"=>"peter#cleanpixel.nl", "password"=>"[FILTERED]"}}
Unpermitted parameter: :session
Unpermitted parameter: :session
User Load (0.5ms) SELECT `users`.* FROM `users` WHERE (BINARY email = 'peter#cleanpixel.nl' AND provider='email') ORDER BY `users`.`id` ASC LIMIT 1
Unpermitted parameter: :session
Unpermitted parameter: :session
(0.5ms) BEGIN
(1.0ms) COMMIT
(0.0ms) BEGIN
SQL (0.5ms) UPDATE `users` SET `sign_in_count` = 23, `current_sign_in_at` = '2017-07-07 07:22:44', `last_sign_in_at` = '2017-07-07 07:00:58' WHERE `users`.`id` = 2
(2.0ms) COMMIT
(0.0ms) BEGIN
User Load (0.0ms) SELECT `users`.* FROM `users` WHERE `users`.`id` = 2 LIMIT 1 FOR UPDATE
(1.5ms) COMMIT
Completed 200 OK in 235ms (Views: 0.2ms | ActiveRecord: 9.0ms)
So to me it looks like the user is signed in to the application, but Devise is not returning anything.
//EDIT//
I've cloned https://github.com/neroniaky/angular2-token-example and that's working locally. Although I still get the 'Unpermitted parameter: session' error. It looks like there's something wrong with my front-end though. Going to investigate and post the result later.
I am using devise token auth gem in my Rails 5 API for authentication.
class V1::HuntsController < V1::MainController
  include DeviseTokenAuth::Concerns::SetUserByToken
  before_action :authenticate_user!

  def index
  end
end
But when I look at my logs, I see that there are two database queries to find the user: one from before_action :authenticate_user! and the other from update_auth_header, the after_action added by the DeviseTokenAuth module.
Started POST "/v1/hunts" for 192.168.0.103 at 2016-12-07 15:41:03 +0530
Processing by V1::HuntsController#create as JSON
Parameters: {"title"=>"dddd", "clue"=>"dd", "hunt"=>{"title"=>"dddd", "clue"=>"dd"}}
User Load (0.2ms) SELECT "users".* FROM "users" WHERE "users"."uid" = ? LIMIT ? [["uid", "raj#email.com"], ["LIMIT", 1]]
User Load (0.2ms) SELECT "users".* FROM "users" WHERE "users"."id" = ? LIMIT ? [["id", 15], ["LIMIT", 1]]
(0.1ms) begin transaction
(0.0ms) commit transaction
Completed 204 No Content in 102ms (ActiveRecord: 1.0ms)
Why is it firing another database query for the user when current_user is already available? The database query doesn't seem to be cached either, as it takes the same time to load.
I doubt if this is due to the default behavior in which token changes with each request. I have disabled this in my configuration.
I concede that this is more of a nuisance in development and will be less troublesome in production, but even in production, I don't want devise to be authenticating or adding any overhead whatsoever to /assets requests.
In development, we see a slew of the following (currently about 30 for each of our asset files):
Started GET "/assets/application.js?body=1" for 127.0.0.1 at 2015-09-01 11:53:40 -0500
AfCore::User Load (0.1ms) SELECT `users`.* FROM `users` WHERE `users`.`id` = 8 ORDER BY `users`.`id` ASC LIMIT 1
I looked and couldn't find any options related to skipping assets, and I don't see where we explicitly added them unless something like protect_from_forgery with: :exception is causing this.
How can we have devise skip all asset requests?
I happen to have access to the source code and it is related to a rack component. Calling warden.user in a rack component is request based and will query for the user for each request. Here is the code used to diagnose:
puts 'before warden.user'
if warden.presence && warden.user.presence
  security_context.user = warden.user
end
puts 'after warden.user'
and the console output:
before warden.user
User Load (0.4ms) SELECT `users`.* FROM `users` WHERE `users`.`id` = 3 ORDER BY `users`.`id` ASC LIMIT 1
after warden.user
*****EDIT*****
This can be skipped with:
def call(rack_env)
  if rack_env['PATH_INFO'] =~ /^\/assets/
    # avoid retrieving the session's user for unnecessary calls - assets/validators
    @app.call(rack_env)
  else
    # ...
    # warden.user stuff
    # ...
    @app.call(rack_env)
  end
end
I'm trying to use Live Streaming in Rails 4.0.1 in one project but I see problems...
I have this action:
def realtime_push
  response.headers['Content-Type'] = 'text/event-stream'
  sse = SSE.new(response.stream)
  d = Domain.find(params[:domain_id])
  begin
    loop do
      backlinks = d.backlinks.page(params[:page]).per(10)
      pagination = render_to_string(:partial => 'backlinks/pagination', :layout => false, :locals => { :backlinks => backlinks })
      sse.write({ :html => pagination }, :event => 'pagination')
      sleep 1
    end
  rescue IOError
    # When the client disconnects, we'll get an IOError on write
    logger.debug "DISCONNECTED"
  ensure
    sse.close
  end
end
When I start Puma and try to get updates:
curl http://localhost:3000/domains/16/backlinks/realtime_push
curl immediately returns with no output.
Curl headers:
HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-UA-Compatible: chrome=1
Content-Type: text/event-stream
Cache-Control: no-cache
X-Request-Id: 1a07be2f-de8d-4ca8-87d0-eee2787ea649
X-Runtime: 0.250782
Transfer-Encoding: chunked
and Puma log shows:
Started GET "/domains/16/backlinks/realtime_push" for 127.0.0.1 at 2013-11-08 12:22:30 +0100
ActiveRecord::SchemaMigration Load (0.7ms) SELECT "schema_migrations".* FROM "schema_migrations"
Processing by BacklinksController#realtime_push as */*
Parameters: {"domain_id"=>"16"}
Domain Load (1.9ms) SELECT "domains".* FROM "domains" WHERE "domains"."id" = $1 LIMIT 1 [["id", "16"]]
(3.3ms) SELECT COUNT(*) FROM "backlinks" WHERE "backlinks"."domain_id" = $1 [["domain_id", 16]]
Rendered backlinks/_pagination.haml (60.6ms)
(0.6ms) SELECT COUNT(*) FROM "backlinks" WHERE "backlinks"."domain_id" = $1 [["domain_id", 16]]
Rendered backlinks/_pagination.haml (36.0ms)
(0.8ms) SELECT COUNT(*) FROM "backlinks" WHERE "backlinks"."domain_id" = $1 [["domain_id", 16]]
Rendered backlinks/_pagination.haml (37.5ms)
(0.8ms) SELECT COUNT(*) FROM "backlinks" WHERE "backlinks"."domain_id" = $1 [["domain_id", 16]]
Rendered backlinks/_pagination.haml (35.6ms)
(0.7ms) SELECT COUNT(*) FROM "backlinks" WHERE "backlinks"."domain_id" = $1 [["domain_id", 16]]
Rendered backlinks/_pagination.haml (38.7ms)
(0.7ms) SELECT COUNT(*) FROM "backlinks" WHERE "backlinks"."domain_id" = $1 [["domain_id", 16]]
Rendered backlinks/_pagination.haml (37.0ms)
So these things are strange:
curl returned no output
log says it rendered pagination 6 times
there was no "DISCONNECT" message in the log
Any ideas? If I comment out the two lines above sse.write and return some text instead of pagination contents, it works...
Here is the SSE class:
require 'json'

class SSE
  def initialize io
    @io = io
  end

  def write object, options = {}
    options.each do |k,v|
      @io.write "#{k}: #{v}\n"
    end
    @io.write "data: #{JSON.dump(object)}\n\n"
  end

  def close
    @io.close
  end
end
This is a bug in render_to_string.
Monkey patch to fix this (that actually doesn't fix the problem - see below):
def render_to_string(*)
  orig_stream = response.stream
  super
ensure
  if orig_stream
    response.instance_variable_set(:@stream, orig_stream)
  end
end
Source: http://blog.sorah.jp/2013/07/28/render_to_string-in-ac-live
UPDATE: this only appears to fix the problem... although it will cause the controller to actually send the data, the receiving end in JavaScript for some reason still won't get notified of events, see here: SSE (Server-sent events) not working
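As an added example (not the question's SSE class, nor code from the linked blog), here is an SSE writer that follows the text/event-stream framing together with a reader that parses it back, so the bytes curl should receive from an action like realtime_push can be checked without a browser. It assumes only that response.stream behaves like any IO responding to #write; the demo uses a StringIO in its place and constructs its own sample payloads.

```ruby
require 'json'
require 'stringio'

# Writes text/event-stream frames to any IO (e.g. response.stream in Rails).
class SSEWriter
  def initialize(io)
    @io = io
  end

  # `fields` may carry :event, :id and :retry. A String payload is sent
  # verbatim, anything else is JSON-encoded. A payload containing newlines is
  # split into several "data:" lines, which the receiver joins with "\n" again.
  def write(object, fields = {})
    payload = object.is_a?(String) ? object : JSON.dump(object)
    lines = payload.split("\n", -1)
    lines = [''] if lines.empty?
    frame = +''
    fields.each { |k, v| frame << "#{k}: #{v}\n" }
    lines.each { |line| frame << "data: #{line}\n" }
    frame << "\n" # the blank line terminates the event
    @io.write(frame)
  end

  def close
    @io.close
  end
end

# Parses a finished stream into [{event: ..., id: ..., data: ...}, ...].
def parse_sse(text)
  text.split("\n\n").reject(&:empty?).map do |block|
    event = { data: [] }
    block.each_line(chomp: true) do |line|
      next if line.start_with?(':') # comment line, e.g. a keep-alive ping
      field, _, value = line.partition(':')
      value = value.sub(/\A /, '') # one leading space after the colon is stripped
      if field == 'data'
        event[:data] << value
      else
        event[field.to_sym] = value
      end
    end
    event[:data] = event[:data].join("\n")
    event
  end
end

# Sends the two kinds of payload the question's action could emit (a raw
# multi-line partial and a JSON object) into a StringIO and reads them back.
def demo_stream
  io = StringIO.new
  sse = SSEWriter.new(io)
  sse.write("<ul>\n<li>1</li>\n</ul>", event: 'pagination', id: 1) # constructed sample
  sse.write({ html: '<p>page 2</p>' }, event: 'pagination', id: 2) # constructed sample
  out = io.string.dup
  sse.close
  parse_sse(out)
end
```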