I have a form on an site1.com that POST a devise user object to site2.com/users.
It works but the user is not signed in. I see it may be related because there's no CSRF token on the form on site1.com.
I'm a bit lost in how to solve this. Should I do an ajax call from site1.com to site2.com before the POST just to retrieve the CSRF? Any idea what would be a preferred way to do this?
depending on your site2 if it supports, you can post JSON over http
something like this
{"username": "", "password": "password", "application": ""}
it will be up to your second site how it processes.
Related
I am new to Rails and have setup devise with a User model with email and password with also a React frontend. My aim is to consume the signup/signin endpoints in a React app instead of using the default Rails view. When I go to http://localhost:3000/users/sign_up I can create an account and also see the data in PGadmin. However, I want to create a React based view for the forms and use the endpoint of the devise. I am trying to test the signup api using Postman but gives me an error 422 Unprocessable entity. Not sure what params to pass in Rails.
http://localhost:3000/users/sign_up
Used:
{
"user": {
"email": "test2#test.com",
"password": "test"
}
}
and
{
"email": "test2#test.com",
"password": "test"
}
First, you are in developement mode, so turn off the token authenticity (and turn on again if on product mode) for Postman requests, by add to app/controllers/application_controller.rb:
class ApplicationController < ActionController::Base
protect_from_forgery with: :null_session
end
Then, config Postman like this:
Type of request = POST
Url = http://127.0.0.1:3000/users
Body with form-data, with after keys, values
Key: user[email]. Value: test2#gmail.com
Key: user[password]. Value: secret
Key: user[password_confirmation]. Value: secret
Click on Send button you will bypass register page and get desire results (such as new user registration informations from Postgres if you not set the Confirmation mode in Devise User)!
Go on!
I sent a request to
/d2l/api/lp/1.30/users/
and created new student.
This is my request params
{
"OrgDefinedId": 'testId',
"FirstName": 'testUser222',
"MiddleName": '',
"LastName": 'LastName',
"ExternalEmail":'xxx#xxx.io',
"UserName": 'Sam',
"RoleId": '110',
"IsActive": true,
"SendCreationEmail": true
}
I can get this user using get request
/d2l/api/lp/1.30/users/344
I also activated this user by email and set new password.
I can login as this user at LMS.
But, i can't get this user using this request
/d2l/api/lp/1.30/users/
This user is not in the general list of users
What have I done wrong? Maybe I need some other additional request in order for it to be displayed in the general list of users?
I am assuming you are referencing this route - https://docs.valence.desire2learn.com/res/user.html#get--d2l-api-lp-(version)-users-
In order to have the user included in this call's response your api user account needs to have the "Users - Search for 'xxx-role'" permission enabled.
This route does page its response, so you may have to page through the response to find the specific user.
This route does support query parameter filtering, which will reduce the number of users included in the response.
I'm using devise_token_auth gem in my Rails 5 API application.
For testing all devise token routes i use Postman.
When I try to update a user account using PUT method on route "https://localhost:3000/auth", I fill the body of request with that:
{"data":{"name":"user1"}}
or
{"user":{"name":"user1"}}
the response comes back with "success" status and JSON representation of a user with the same (not updated) "name" attribute.
Does it mean that devise_token_auth does not provide such functionality and a have to overrride the User controller and a model ?
the first step is get tokens valids and after add the headers in the PUT request and add in the body this json format:
{
"name": "newname"
}
The URL for login in devise token is:
http://localhost:3000/auth/sign_in
For update params for example name copy in the body and do not forget add the values in the header
I hope you solve your problem
I want to develop restful API related to user authentication. please suggest if my URL designs looks ok. as a background information, these API use an LDAP directory such as microsoft AD.
user registration
POST /auth/register
payload : {username: "", password: ""}
user login
POST /auth/login
payload : {username: "", password: ""}
password change
PUT /auth/password_reset
payload : {username: "", old_password: "", new_password:""}
deactivate user
DELETE /auth/de_activate/{user_name}
activate a user
PUT /auth/de_activate/{user_name}
I do understand that I am using verbs in the URL. However, since these APIs create some resource [register API] as well as perform some actions [login api], I went ahead with the URLS above. I would appreciate any inputs through.
Regards
Prasad Katti
These are the changes I would make. I know that you know already that the URL paths should be nouns and your verbs should be GET, POST, DELETE, etc. to indicate that you want to view, create or delete a resource.
Instead of:
POST /auth/register do POST /registrations
Instead of:
POST auth/login do POST /logins or POST sessions
Your password reset route is okay, but I don't believe the action matches the resource.
Instead of:
PUT auth/password_reset do POST /password_resets
And yes, PUT actions are supposed to update or replace the resource, but what other resources do you have that require you to send the old and new values? The one above is still accurate, since you are creating a "password reset" which sets off a workflow of actions that may require people to check their email and click a link, but I think that doing PUT /passwords is misleading due to the payload that is required.
Instead of:
DELETE /auth/de_activate/{username} do DELETE /users/{username} or DELETE /users/{userId} or even PUT /users/{username} with {"active": false}. Personally, I think that hard vs soft deletes should be transparent through your API though.
And instead of:
PUT /auth/de_activate/{username} do PUT /users/{username} with {"active": true} or POST /users/{username}/reactivations.
The purpose of RESTful standards is to make a consistent and predictable API for clients. All it is really is a set of guidelines. It's not super-strict or anything so ultimately it's left up to your best judgement. These are just the adjustments I would make.
I am trying to update a user via PUT to /auth
via the docs:
Account updates. This route will update an existing user's account settings. The default accepted params are password and password_confirmation, but this can be customized using the devise_parameter_sanitizer system. If config.check_current_password_before_update is set to :attributes the current_password param is checked before any update, if it is set to :password the current_password param is checked only if the request updates user password.
It clearly needs something beyond just password and password_params as an identifier but neither email, id, or uid work. Also tried submitting with root user ie:
{
"user": {
"email": ""
}
}
but this also does not work.
I cannot figure out what this is expecting. Not sure if I am missing something obvious. Could anyone give me an example of the json format which this is expecting?