Capybara::InfiniteRedirectError - ruby-on-rails

Using OmniAuth (with omniauth_crowd), I'd like the user to be redirected back to the login page if he doesn't submit the right username and password. It works fine in production, but I have an annoying problem testing it.
To mock the OmniAuth provider, I use the following code, as recommended by the author of the OmniAuth plugin:
    OmniAuth.config.test_mode = true
    OmniAuth.config.mock_auth[:someProvider] = :invalid_credentials
    visit_page #page
The code above automatically (i.e. without entering username and password) redirects Capybara to the session#failure. My session#failure redirects to the login_path.
Thus I end up in a loop:
redirected more than 5 times, check for infinite redirects. (Capybara::InfiniteRedirectError)
What is the best workaround for my case?

I had a similar issue with OmniAuth.
Not sure if there is a workaround, since it is the way OmniAuth.config.mock_auth works.
My solution was to use fakeweb instead of the OmniAuth mocking.
You should probably start off by looking at how omniauth_crowd is tested itself.
Here is a good example:
https://github.com/robdimarco/omniauth_crowd/blob/master/spec/omniauth/strategies/crowd_spec.rb#L49-69

Related

Implementing auto login on 'confirmation mail click' with Devise

We use devise on our rails app in order to deal with sign-in and authentication. Basically, the process is quite straightforward: you sign up, get the confirmation email with the link pointing to a route such as path/page/confirm/token. Once authenticated, the user is redirected to page/login in order to enter his login/password and access the service.
Right now, we would like to automatically log in the user who clicks this link, right after he reaches page/confirm/token.
I've been investigating, and it seems there was a method that people initially used after Devise 3.1 to get this behavior:
    config.allow_insecure_sign_in_after_confirmation = true
I was planning to use this in initializers/devise.rb, but unfortunately it also seems to have disappeared from Devise's methods. I ran these commands in the console to check:
    gem install devise
    pry
    require 'devise'
    Devise.methods
... no allow_insecure_sign_in_after_confirmation method there.
I might try to do this manually in the confirmation controller with something custom like:
    def show
      # Look up the user by the token taken from the confirmation link
      u = User.find_by(confirmation_token: params[:confirmation_token])
      sign_in(u)
    end
But unfortunately, again, it's not working as expected.
Any input is appreciated.

Using Devise, how can I check status of cookie for settings like remember_me?

Running Windows 8 with Rubystack, Ruby 2.0.0p353, Rails 4.0.3. Built own application using Rails Composer including Devise, CanCan and Rolify. Trying to configure remember_me to be set on every user except admins and have those users remain logged in basically forever. Seems to be working in the code, but I'd like to see what the cookie is saying. I haven't yet worked with cookies and am looking for a thread to pull to unravel that mystery.
I add this code to app/models/user.rb to set remember_me:
    def remember_me
      true unless self.admin?
    end
In config/initializers/devise.rb, I set the following variables:
    config.remember_for = 10.years
    config.extend_remember_period = true
Users with the standard user role have the PostgreSQL column remember_created_at set as long as they are logged in. It is cleared when they log out. Users with the admin role never have this column set. That seems right.
I just cannot get my head around checking the cookie out. I believe it should have remember_me information in it so that the standard role user remains logged in across browser sessions? How can I dig that information out and verify it? Thanks...
Are you just trying to inspect the cookies on the browser side? Firebug has a cookies tab for that, and if you're using Chrome, you can view them under Resources > Cookies in the web development tool.
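Beyond viewing the cookie in the browser, its contents can be checked against the application's secret. The following is an added example, not code from the original thread or from Devise. It assumes the Rails 4.x signed-cookie layout (Base64 of a Marshal payload, then "--", then a hex HMAC-SHA1), a key derived from secret_key_base with the salt "signed cookie" and 1000 PBKDF2 iterations, and a Devise 3.x payload of [[user_id], salt] stored under the cookie name remember_user_token. The secret and cookie in the demo are constructed.

```ruby
require 'openssl'
require 'base64'

# Assumption: Rails 4.x derives the signed-cookie key this way
# (PBKDF2-HMAC-SHA1, salt "signed cookie", 1000 iterations, 64 bytes).
def signed_cookie_key(secret_key_base, salt = 'signed cookie')
  OpenSSL::PKCS5.pbkdf2_hmac_sha1(secret_key_base, salt, 1000, 64)
end

# Builds a cookie value in the assumed layout; used only to construct sample input.
def sign_value(value, key)
  data = Base64.strict_encode64(Marshal.dump(value))
  "#{data}--#{OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), key, data)}"
end

# Compares two strings without stopping at the first differing byte.
def constant_time_eq?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the decoded payload, or nil when the signature does not verify.
# Marshal.load runs only after the HMAC check, never on unverified bytes.
def read_remember_cookie(raw, key)
  # Undo the percent-escaping the browser shows (%3D for "=", and so on).
  value = raw.b.gsub(/%([0-9A-Fa-f]{2})/) { Regexp.last_match(1).hex.chr }
  data, digest = value.split('--', 2)
  return nil if data.nil? || digest.nil?
  expected = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), key, data)
  return nil unless constant_time_eq?(digest, expected)
  Marshal.load(Base64.strict_decode64(data))
end

if __FILE__ == $PROGRAM_NAME
  key = signed_cookie_key('constructed-secret-key-base')   # constructed secret
  cookie = sign_value([[42], 'constructed-salt'], key)     # constructed cookie
  user_key, salt = read_remember_cookie(cookie, key)
  puts "user id: #{user_key.first}, salt: #{salt}"
end
```

The payload is signed, not encrypted, so anyone holding the cookie can Base64-decode it; the HMAC only prevents modification.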

Change Omniauth authorization URL

I'm using Omniauth with Devise using the google_oauth2 strategy.
It works well, but now I'd like to change the authorize path to something of my choice.
Actually it's http://localhost:3000/users/auth/google_oauth2 while I'd like a much simpler http://localhost:3000/login since it's simple to remember.
It would not raise any error since I've disabled Devise's database authenticatable (the only way to log in is through a Google account).
How can I do this?
Thanks.
You can see how to change the URL prefix here: "How to change route of omniauth from /auth/:provider to /myapp/auth/:provider".
So it is almost what you need.

Devise with user logged in using multiple scopes logs all but one out when using token_authenticatable

I'm using Devise with multiple scopes (in this case, a user scope and an admin scope) and admins are able to 'become' a user using the approach on the Devise wiki. This works well, except that I have one particular page that requires the use of an auth token that causes a problem with a session logged in under both a user and admin scope. The page generates a POST to a controller that requires a user to be logged in using the user auth token. The POST succeeds, but afterwards, the admin scope has been signed out. (Meaning that admin_signed_in? returns false.) Other pages that execute POSTs to the same controller without requiring the auth token work as expected without logging out the admin scope.
I suspect that something is going on with token_authenticatable where the authentication of any scopes other than the one associated with that specific token are logged out. I've searched for references in the devise gem source to both the devise sign_out and warden logout methods that could be invoked as part of the token_authenticatable functionality and wasn't able to find anything.
This is happening with Devise 1.3.4. Any help is appreciated.
In case anyone else is looking for a solution to this, I found that the before_filter/after_filter approach I described in the comment to my question seems to work fine. I think that a better, more general solution to this would be to make a change to the devise gem and underlying calls to warden, but didn't have time to make those changes for this particular problem yet.

Devise throwing HTTP auth on XHR and logging out

I'm having a ton of issues with Devise, using OmniAuth, to authenticate my Rails app. I relaunch my server and open up a new tab in Incognito mode (so that the cookies are cleared) and load my app. I log in, and then go through to the app.
When I get to a page that calls an authenticated action via AJAX, it asks for a username and password via HTTP Basic Authentication. I've disabled this in my devise.rb.
    config.http_authenticatable = false
    config.http_authenticatable_on_xhr = false
When I then go back to a previous page, it redirects me to the login page and asks for a login. This also happens when I visit a page that doesn't require authentication and then go back to an authenticated page.
This is getting immensely frustrating. I've unpacked Devise and Warden to my vendor/gems directory so that I can try to debug it, but I honestly can't figure out where to begin. Any help would be hugely appreciated.
Your AJAX call probably isn't setting the CSRF token. You might need to update your UJS gem (jquery-rails probably) or manually set the X-CSRF-Token HTTP header to the value of the tag. See this question: Devise session immediately expiring on .js call [AJAX]. You can test if this is the problem by disabling CSRF protection temporarily by chucking config.allow_forgery_protection = false in config/application.rb.
If you go the manual route, you should probably grab the value of the 'authenticity_token' meta tag first, and use that as the name of the actual token meta tag, rather than hard coding the reference to 'csrf-token'.
I would recommend updating to Rails 3.0.10 or 3.1 if you can. I was still having problems on 3.0.7.
