I'm running Rails 2.3.8, Authlogic 2.1.6 and the extension for Facebook Connect (https://github.com/studybyte/authlogic_facebook_connect).
The Facebook side is working well: the user clicks on the Facebook Connect button, goes to Facebook, logs in and returns to my app.
My problem is very simple but I can't figure it out. When the user is redirected to my site after logging in, if it is a new user, I create a new record. Since it comes from Facebook, the user has no email or password, but the user is not saved because Authlogic fails password and email validation.
Shouldn't authlogic_facebook_connect skip these validations?
I realized that I don't have to create a user; the plugin is supposed to do that for you. You just have to log in the user after he connects to Facebook.
It didn't work before because I did not create the facebook_session_key field but facebook_access_token instead.
It should. It's supposed to call save(:validate => false) (in Rails 3.1 or save_with_validation(false) for older version if I remember correctly) to skip the validations.
Related
I've upgraded to Devise 3.2.1 and Rails 4.0, and I'm trying to figure out my signup now that one doesn't log in on confirmation.
I allow users to create a message and specify the recipient of the message via an email address. Then I send emails notifying the recipient that they've received a message on the service. If the recipient doesn't have an account on the service, I create the account without a password, and the email I send to the recipient acts as a confirmation email. With prior versions, the recipient would then click on the link, thus confirming, and then be taken to a password creation stage and then finally, they'd have a confirmed account created with password and can go see the message.
With Devise 3.1, they no longer allow login via confirmation as they consider it a security risk, however I fear it may greatly increase the complexity of my sign up process. I can no longer redirect to a password creation page as they aren't logged in. I'm toying with the idea of taking them to a special signup page or creating the account and then sending a special form of password reset.
I don't want to notify them via email, then send them a second email as a confirmation. That adds unnecessary complexity to my signup.
I wondered if anyone else has dealt with this issue and how they handled it. I'd like to avoid using:
config.allow_insecure_sign_in_after_confirmation = true
as that will go away soon and is really not the right way.
Is there a secure, yet fast way to do this with Devise 3.2?
Thanks!
I'm switching to using sorcery ( https://github.com/NoamB/sorcery ) for greater control over authentication and building my flow with that.
This is precisely the problem that the devise invitable gem solves in a secure manner. I would recommend using this tool, rather than trying to hand-roll your own solution, which is more likely to contain security flaws.
The gem workflow is basically:
- An admin invites a new user.
- The new user is created with a random password. (I actually helped write this bit!)
- The user is sent an invitation email. (This is fully customisable in how it works, but has some simple default settings.)
- The user receives a link, which contains a URL with a unique invitation_token.
- After clicking this link, the user must choose their real password.
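The token handling behind the invitation workflow in the answer above, as an added example (not part of the original answer and not devise_invitable's own code). `InvitationStore`, its method names and the sample address are hypothetical; the token only authorizes choosing a password once and never creates a session by itself.

```ruby
require "securerandom"
require "openssl"

# Hypothetical in-memory store (an assumption for illustration). Only an HMAC
# of each token is kept, so a leaked table cannot be replayed as invite links.
class InvitationStore
  Invite = Struct.new(:email, :expires_at)

  def initialize(ttl: 7 * 24 * 3600, key: SecureRandom.random_bytes(32))
    @ttl = ttl
    @key = key
    @pending = {} # token digest => Invite
  end

  # Creates the invitation and returns the raw token for the emailed link.
  def invite(email, now: Time.now)
    @pending.delete_if { |_, inv| inv.email == email } # re-invite revokes old link
    raw = SecureRandom.urlsafe_base64(32)
    @pending[digest(raw)] = Invite.new(email, now + @ttl)
    raw
  end

  # Redeems a token exactly once. Returns the invited email, or nil when the
  # token is unknown, already used, or expired.
  def redeem(raw_token, now: Time.now)
    inv = @pending.delete(digest(raw_token.to_s))
    return nil if inv.nil? || now > inv.expires_at
    inv.email
  end

  # Exposed so the stored form can be inspected: digests only, no raw tokens.
  def stored_digests
    @pending.keys
  end

  private

  def digest(raw)
    OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA256"), @key, raw)
  end
end

# Constructed sample run.
store = InvitationStore.new
token = store.invite("recipient@example.com")
puts store.redeem(token).inspect # first use returns the invited email
puts store.redeem(token).inspect # replaying the same link is rejected
```
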
I am trying to implement OmniAuth Twitter to authenticate users using Twitter in my application. When I try to "login with twitter", it takes me to the "Authorize App" Twitter page. When I click the "Authorize App" button, it tries to redirect me to my app and shows me as an already logged-in user in Twitter (as I am already logged in to Twitter in another tab of my browser). But then it displays the registration page without persisting the username. I am following Ryan's http://railscasts.com/episodes/235-devise-and-omniauth-revised Devise with OmniAuth. How do I persist the username when logging in with Twitter? Please advise.
I have attached my application code at the link below.
app code
Please let me know if you need more code to be pasted.
I had the same problem.
Devise is looking for an email. Can't be persisted without.
You can:
- change the email field null=>true using a migration
- generate a dummy email when provider is twitter
There's this mother app which is on Java (Struts), which also handles authentication. My Rails app, which is being integrated into the mother app, uses Authlogic. Of course, the requirement is, once someone logs into the mother app, they should automatically be able to access my Rails app without signing in again.
Is there any way, by using just the user id, I can authenticate the user using Authlogic?
I removed my password column in my Users table and stuck this piece of code into the User model.
acts_as_authentic do |config|
  config.check_passwords_against_database = false
  config.validate_password_field = false
  config.crypted_password_field = false
end
But I'm still not able to do what I wanted to do. I get an error indicating that the password can't be blank. Help would be appreciated! Thanks.
Just pass a user object instead of login/password
UserSession.new(User.find_by_username('Shreyas Satish'))
(This works with rails 3 and authlogic 2.1.6)
I'm using devise to handle user authentication with my rails app. I'd like to allow my users to sign up and be instantly logged in and receive a confirmation email.
Devise has the Confirmable module which sends out an email but requires the user to open up their mail application, find the email and click a link which then leads them to the site again.
I'd like to just email the user a confirmation that they signed up and that's it.
Is there a way for devise to do this or do I need to resort to handling ActionMailer myself (if so, is there a quick and non-complex example)?
Many thanks!
-Tony
I'm pretty new to devise and rails, but I have set it all up in my app (rails 2.3.5) and got it working in its basic functionality. I'm guessing some advanced devise users may teach you a trick to handle this in devise, but I'm going to say that you could easily handle this in a controller action, using some plain rails ActionMailer coding...
Here's a link that I ran across that will show you the basic approach. At the end of the tutorial, they gather the email parts from a simple web page, but you should easily see how to use the class to do it in code.
http://www.tutorialspoint.com/ruby-on-rails/rails-send-email.htm
Check out #user.skip_confirmation!
It sets a user as confirmed but doesn't generate the confirmation_token or send the email.
I am trying to enable openid authentication on my website as well as use auto_register feature of latest authlogic_openid add-on.
Everything works fine until the second login. The first time, the user is created and logged in, but after I log out and try logging in to the system with the same OpenID identifier, I get the user registration form with errors saying that the username and other fields are already taken, and the form is prefilled with values of earlier data passed with OpenID.
Everything is implemented by authlogic/authlogic openid tutorial except for the user session model with new auto_register call:
class UserSession < Authlogic::Session::Base
  auto_register
end
Any help much appreciated!
It seems like you're registering the users twice. The OpenID plugin doesn't know whether or not a user has been registered; it just does SREG every time if auto_register is true. Rather than calling auto_register every time, you could look up the user by openid_identifier and send auto_register(true) if they're a new user.
I've found http://github.com/gaizka/authlogic_openid
His version of the Authlogic Open ID extension seems to work with the auto_register feature... although I can't get it to capture the emails correctly from SREG (works with regular registration).
There's a demo of it working here:
http://big-glow-mama.heroku.com/
http://github.com/holden/authlogic_openid_selector_example/tree/with-facebook/