22

I use the devise's authenticate_user! method in a controller. This is working fine when the auth_token provided in the request is the correct one but if the authentication fails, I end up with:

curl -XGET 'http://localhost:3000/my_obj?auth_token=wrongtoken'

<html><body>You are being <a href="http://localhost:3000/users/sign_in">redirected</a>.</body></html>

As I use rabl, what is the best way to have something like

{'error' : 'authentication error'}

returned intead of the html redirection ?

Luc
  • 16,604
  • 34
  • 121
  • 183

2 Answers2

44

I do that in avoid the filter with :format => :json response and do my own filter to render my JSON response if no current_user pass

class MyController < ApplicationController
  before_filter :authenticate_user!, :unless => { request.format == :json }
  before_filter :user_needed, :if => { request.format == :json }

  def user_needed
    unless current_user
      render :json => {'error' => 'authentication error'}, :status => 401
    end
  end
end

An other way, can be cleaner is to define your own FailureApp ( https://github.com/plataformatec/devise/blob/master/lib/devise/failure_app.rb )

class MyFailureApp < Devise::FailureApp
  def respond
    if request.format == :json
      json_failure
    else
      super
    end
  end

  def json_failure
    self.status = 401
    self.content_type = 'application/json'
    self.response_body = "{'error' : 'authentication error'}"
  end
end

In your Devise config file add :

config.warden do |manager| 
  manager.failure_app = MyFailureApp 
end
aceofspades
  • 7,568
  • 1
  • 35
  • 48
shingara
  • 46,608
  • 11
  • 99
  • 105
  • 1
    I tried the second approach to avoid having to repeat the same code in all my controllers. I created the class MyFailureApp into lib/failure.rb and change the configuration. I do not manage to have it working though, I get the '!! Unexpected error while processing request: uninitialized constant MyFailureApp'. Any idea why this guy does not get loaded ? – Luc Apr 06 '12 at 10:31
  • You need require your file require 'failure' in your top of Devise configuration – shingara Apr 06 '12 at 11:39
  • happy it's work to you. I need using this cleanest way in my project too, lol – shingara Apr 06 '12 at 12:18
  • 2
    @shingara `== :json` is missing in `if request.format == :json`(`respond` method), isn't it?. Otherwise, the `json_failure` would be rendered in other formats such HTML as well. – atxe Apr 27 '13 at 22:22
  • This solution works great! However, when I tested the response body, I kept getting `JSON::ParserError` exceptions so I ended up setting the `response_body` as `{error: 'Authentication error'}.to_json`. Hope this helps someone. – vich May 23 '18 at 17:16
38

In newer versions of Devise (I'm using 2.2.0), you can use the navigational_formats option in the Devise config file, devise.rb:

# ==> Navigation configuration
# Lists the formats that should be treated as navigational. Formats like
# :html, should redirect to the sign in page when the user does not have
# access, but formats like :xml or :json, should return 401.
#
# If you have any extra navigational formats, like :iphone or :mobile, you
# should add them to the navigational formats lists.
#
# The "*/*" below is required to match Internet Explorer requests.
config.navigational_formats = ["*/*", :html]

So long as :json is not in that list, and your request ends in .json, it will behave as you want.

Lawrence
  • 10,142
  • 5
  • 39
  • 51