So here's the scenario:
User can login normally through devise login. Once logged in, the user dashboard has embedded flash which makes calls to api on same server (both at localhost:3000 currently).
Calls to API are made with a supplied auth_token, using devise's token_authenticatable.
Here's where the problem occurs.
Once an API request is made, the logged in user is logged out.
I've done a lot of digging around but haven't found any solid leads on how I might solve this.
I believe the problem is because the call to the API is overwriting the user's cookie which was set by the browser. I tested this by watching auth cookie being set and being overwritten once the API is called.
FYI I'm developing in Chrome.
Any help is greatly appreciated. If I haven't gone into enough details please let me know if I can provide any other information that might help you diagnose the issue.
Thanks a lot
I think the problem is that you are not posting the CSRF token to your server. CSRF protection is on by default on all Rails applications. You can bypass it by adding the following line to your controller.
skip_before_filter :verify_authenticity_token
Related
I'm building an iOS app with Rails on the back-end.
The Rails application uses Devise for authentication and I want to use the same service for the authentication on the iOS app. Is there any way that after authenticating, keeping the session even after the app restarts, so that it goes straight to the content of the app instead of the login screen?
I've looked around, but haven't found a clear answer.
Thanks in advance!
One solution could be to extend the existing devise models and controllers to also handle a token based authentication system. Based on the request type html or json, the app can choose to authenticate a user either by the authentication token and email or a combination of username/email and password.
The authentication token could be saved on the client side and reset only when the user logs out.
I was recently working on the same problem and found these sources to be extremely useful.
https://gist.github.com/josevalim/fb706b1e933ef01e4fb6
http://www.soryy.com/blog/2014/apis-with-devise/
https://github.com/lynndylanhurley/devise_token_auth
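The token scheme this answer sketches, written out as an added example in plain Ruby (it is not code from the linked gists or from devise_token_auth, and not a Devise model): it assumes an in-memory USERS hash standing in for the User table, leaves the HTML email/password check to Devise, and stores only a digest of the token so a leaked row does not yield a usable credential.

```ruby
require "securerandom"
require "digest"

# Constructed in-memory store standing in for the Devise User table.
USERS = { "alice@example.com" => { token_digest: nil } }

# Constant-time comparison so a wrong token cannot be probed byte by byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Called once Devise's normal password check (the HTML flow) has succeeded.
# Returns the clear token for the client to keep; the server stores only its
# digest. Logging in again replaces any token issued earlier.
def issue_token(email)
  user = USERS[email]
  return nil unless user
  token = SecureRandom.urlsafe_base64(32)
  user[:token_digest] = Digest::SHA256.hexdigest(token)
  token
end

# JSON flow: authenticate by email + token without touching the session cookie.
# Returns the email on success, nil on an unknown user, missing or wrong token.
def authenticate_with_token(email, token)
  user = USERS[email]
  return nil unless user && user[:token_digest] && token
  secure_equal?(user[:token_digest], Digest::SHA256.hexdigest(token)) ? email : nil
end

# The client-side token survives app restarts and is reset only on logout, as
# the answer describes; after this call the old token is rejected.
def logout(email)
  USERS[email][:token_digest] = nil if USERS[email]
end
```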
My team has developed an app using RoR. We're using devise gem for authorization. The problem is that the user session remains https even after a user signs out. This is causing some problems with varnish.
Could someone please point out how I can change it so that the session is http instead of https after logging out.
Thanks
I am making an Instagram application using Rails. Is it possible to save some kind of 'token' or 'id' in my database that can be used to automatically authenticate the user and allow the application to access the user's profile data, images, etc., etc. without asking the user to enter the login details/authentication again and again? If it is possible please tell me how it can be done.
Thanks in advance! :)
Yes, it is possible to get a token. Take a look at the documentation concerning authentication, it's pretty comprehensive.
http://instagram.com/developer/authentication/
I am adding Twitter OAuth login to my site, and so far I got it to work using OAuth.
However, every time I log in I go through the whole authorization process (the prompt that allows the user to request or deny the application).
Is there a way to bypass that once the user has authorized the app?
Perhaps I am misunderstanding the process; if so, could you please clarify?
Thank you
You must use oauth_authenticate_url instead of oauth_authorize_url.
I just had the same problem, after I solved it I made a template to set it all up. http://blog.ruedaminute.com/2010/12/everything-you-need-to-access-twitter-using-tweetr-api-and-air/
Ok this is something weird. I got authlogic-oid installed in my rails app today. Everything works perfectly fine but for one small nuisance.
This is what I did:
I first register with my Google OpenID. Successful login, redirection, and my email, along with my correct OpenID, is stored in my database. I am happy that everything worked fine!
Now when I log out, my Rails app as usual destroys the session and redirects me back to my root URL where I can log in again. Now if I try to log in it still remembers my last login id. Not a big issue as I can always "Sign in as a different user", but I am wondering if there is any way to not only log out from my app but also log out from Google.
I noticed the same with Stack Overflow's OpenID authentication system.
Why am I so bothered about this, you may ask. But is it not a bad idea if your web app's end user, who happens to be in a cyber cafe, thinks he has logged out from your app and hence from his Google account, only to realize later that his Google account had got hacked by some unworthy loser who just happened to notice that the one before him had not logged out from Google and, say, changed his password!!
Should I be paranoid? Isn't this a major security lapse while implementing the OpenID spec? Probably today someone can give me a workaround for this issue and the question is solved for me. But what about the others who have implemented OpenID in their apps and not implemented a workaround?
If this is such a big issue to you, do not use OpenID, or display a DHTML popup after a successful log out reminding the users that their session is still valid on their OpenID provider.
As for Google's OpenID, what you can probably do is redirect users through the following URL after
http://www.google.com/accounts/ClearSID?continue=http%3A%2F%2Fwww.google.com%2Faccounts%2FLogout%3Fcontinue%3Dhttp%3A%2F%2Fwww.google.com%2F
AFAIK, there is no way you can log the user out of their account in another system. Your app is supposed to be responsible only for its own business. As a user, I'd be very surprised if a website using OpenID could log me out of my Google account.
Yes, there is a scenario where a user can assume that they are logged out of Google because they logged out on your site, but that would (and should) be their own fault.