I'd like to override the way Devise currently handle the login flow. I don't need/want /users/sign_in, I just want to use my own root_path for login handling, i.e. logging user in and handling failed password entries.
I have successfully created the form which logs in, but if an user fails to put his/her password correctly, he/she being redirected to /users/sign_in. How to make sure I keep on the same action and handle failed passwords?
This is probably what you're looking for: https://github.com/plataformatec/devise/wiki/How-To:-Change-the-default-sign_in-and-sign_out-routes
Related
I have a rails application which uses devise for authentication. when the application sends any notification to the user, then in order to see the notification or messages i provide a link to my rails application which redirects to a login page.
how can i avoid this login process, means i don't want the user to be asked to login by entering email and password, instead whenever the user clicks on that link, then the user should automatically login.
Devise provides sign_in controller helper which allows you to pass authentication programmatically.
sign_in(user)
I create an app using two devise model, user and admin.
I'm following the devise wiki from this link, I'm using the option 1
How To: Add an Admin Role
So I open two page at the same time, the user login page and the admin login page.
When I login in the admin login page it succeed but when I login on the user page it raise an error ActionController::InvalidAuthenticityToken same goes with the other way.
But if I refresh the page first then I login it will succeed.
Are they using the same AuthenticityToken? So when the admin logged in, the AuthenticityToken is changed so when I try to login with the user it raise an InvalidAuthenticityToken?
Thanks.
The behaviour you are seeing is expected.This is because the value of csrf token changes once you sign in,expiring the old value.
There is a workaround to disable CSRF protection for the sign_in action in the ApplicationController. Look here: https://github.com/plataformatec/devise/issues/3102
Use case: User fills out a form to add a product and register at once. When the user has submitted the combined form, the app authenticates the user and is logged in (assume validations passed) without the need to confirm or login.
I've removed the confirmable feature out, but when the user fill out the form, it succeeds, but the user doesn't get logged in unless they go to a login form. This isn't such a great experience, so is there a way to Register a user and immediately log them in?
What I actually wanted was sign_in(#user) from my controller
If you want to login without confirmation then Remove :confirmable option from devise options in User model.
Is there a way to ask all users to change their passwords upon
logging into a Rails application using Devise authentication? In other words, I'd like a way to "expire" a password, so that the next time a user signs in, they have to change it.
I don't think that Devise can do that out of the box, but i guess it's pretty to do it yourself. What i would do :
Upon user sign in, i would nil out the encrypted_password field of the database.
I would have overriden devise's session controller (responsible for the logins), in order to check whether encrypted_password of a user that tries to log in is nil.
If that was nil, i would redirect them to login, also flashing an error like "Your password has expired. Please create a new one."
I'm using Rail3 with Devise gem. It does a great job when you need to lock user from signing in.
But it works just for new login attempts.
If he is already logged in - it won't sign him out immediately.
Here's is the typical use case:
Given admin user
when detects suspicious activity of certain user he locks it with malicious_user.lock('locking-reason')
% can config/initializers/session_store.rb
AppFoo::Application.config.session_store :cookie_store, :key => '_foo_session'
Given HTTP's statelessness, you can't immediately log out a user because you will need to wait until they make another request to your server. You could get around this via a push service I suppose, but that would be overkill.
My solution would be to add that person to a blacklist and then check if they're on the blacklist whenever they try to access a section intended for logged-on users only. This will render them unable to log on until you decide whether or not their activity is suspicious.
Example:
User is suspected of intolerable activity
Admin wants to check this out, so they temporarily add the user to the blacklist.
User clicks on an area of the page they were currently on when added to the blacklist.
Code checks for loggin status and blacklisted users.
Since the user is blacklisted, they are informed that they need to sign in to access the content
Once the user tries to sign in again you can inform them that their account has been temporarily disabled (or you can do this in the previous step).
perhaps the easiest way would be to redirect the user to the logout action when you lock them so:
malicious_user.lock('locking-reason')
redirect_to '/logout' and return
I'm not familiar with Devise so this may not be the best solution or even possible but it's how I would approach the problem
Use a before_filter in the ApplicationController that will do the following
before_filter :kick_out_blocked_user
protected
def kick_out_blocked_user
unless current_user.try(:active?)
redirect_to destroy_user_session_path
end
end