I have this problem with Devise following these actions:

  • I sign up a new user (works fine)
  • I confirm the user mail (works fine). At that point I am logged in normally, everything works fine.
  • Now if I log out and try to log back in I get an unauthorized error (401).

Looking at the server logs, here is what happens:

Started POST "/users/sign_in" for 127.0.0.1 at 2012-10-26 10:26:23 +0200
Processing by Users::SessionController#create as JSON
  Parameters: {"email"=>"olivier.milla@gmail.com", "password"=>"[FILTERED]", "remember_me"=>"0"}
WARNING: Can't verify CSRF token authenticity
  User Load (0.0ms)  SELECT `users`.* FROM `users` WHERE `users`.`email` = 'olivier.milla@gmail.com' LIMIT 1
   (1.0ms)  BEGIN
   (0.0ms)  COMMIT
   (1.0ms)  BEGIN
   (0.0ms)  UPDATE `users` SET `current_sign_in_at` = '2012-10-26 08:26:23', `sign_in_count` = 2, `updated_at` = '2012-10-26 08:26:23' WHERE `users`.`id` = 1
   (25.0ms)  COMMIT
  Rendered devise/sessions/create.json.rabl (1.0ms)
Completed 200 OK in 135ms (Views: 22.0ms | ActiveRecord: 27.0ms)


Started GET "/accounts/new" for 127.0.0.1 at 2012-10-26 10:26:23 +0200
Processing by AccountsController#new as HTML
Completed 401 Unauthorized in 0ms

As you can see, I am logged in, I even get a view rendered (devise/sessions/create.json.rabl) and right after I get redirected to '/accounts/new' where I am not authorized anymore. I can then try to reach any URL I want and keep getting the unauthorized message.

I tried this on a new db (db:reset), and I tried clearing cookies before logging in.

Any idea where this behavior may come from?

I'm using Devise 2.1.2 with Rails 3.2.8.

UPDATE

As requested: AccountsController code:

class AccountsController < ApplicationController
  # Devise helper: redirects to sign-in for HTML, responds 401 for JSON/other formats
  before_filter :authenticate_user!

  def index
    @accounts = current_organization.accounts
  end

  def new
    @account = Account.new(:organization => current_organization)
  end

  def create
    @account = Account.new(params[:account])
    @account.organization = current_organization
    if @account.save
      # redirect_to needs a path or URL, not a bare action symbol
      # (assumes `resources :accounts` in routes.rb)
      redirect_to accounts_path
    else
      # TODO: re-render the form with the validation errors
      render :new
    end
  end
end
muichkine

2 Answers

You should do this:

  1. Make sure that you have <%= csrf_meta_tag %> in your layout

  2. Add beforeSend to all the ajax requests to set the header like below:


$.ajax({
  url: 'YOUR URL HERE',
  type: 'POST',
  beforeSend: function(xhr) {
    xhr.setRequestHeader('X-CSRF-Token', $('meta[name="csrf-token"]').attr('content'));
  },
  data: 'someData=' + someData,
  success: function(response) {
    $('#someDiv').html(response);
  }
});

From: WARNING: Can't verify CSRF token authenticity rails


Although this is happening because you enabled :token_authentication in your model.

You may not want this.


Otherwise if you want to skip the authentication just for AJAX requests you may do this:

skip_before_filter :verify_authenticity_token, :if => Proc.new { |c| c.request.format == 'application/json' }

Regarding your real error, isn't it because you are checking for :authenticate_user! user and using the current_organization in your code?

So if it is passing the authentication it will not necessarily have the current_organization value!

Hope it helps!

felipeclopes
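Why a sign-in that returns 200 OK is followed by a 401 on the very next request: a simplified Ruby model added here (not Rails, Devise or the answerer's code), assuming the Rails 3.2 defaults named in its comments and ignoring the real session store.

```ruby
require 'securerandom'
# Simplified model of the cycle behind the question's log (added here; not Rails
# or Devise code). Assumed Rails 3.2 defaults: protect_from_forgery skips GET and
# accepts the session token from params or the X-CSRF-Token header; on a failed
# check handle_unverified_request calls reset_session instead of raising, so the
# sign-in action still runs and renders 200 OK.
module CsrfDemo
  # form_authenticity_token: lazily stored in the session; csrf_meta_tag
  # publishes it in the layout so JavaScript can echo it back in a header.
  def self.authenticity_token(session)
    session[:_csrf_token] ||= SecureRandom.hex(16)
  end

  def self.verified?(method, session, header_token)
    method == :get || authenticity_token(session) == header_token
  end

  # One request. `cookie_session` is the hash the client's cookie decodes to;
  # returns [status, session_the_client_keeps].
  def self.request(method, path, cookie_session, header_token: nil)
    session = cookie_session.dup   # what the controller action sees
    persisted = session            # what is written back into the cookie
    unless verified?(method, session, header_token)
      # Rails logs "WARNING: Can't verify CSRF token authenticity" here.
      session = {}    # reset_session: the action now writes into a fresh hash
      persisted = {}  # whose contents never reach the client (simplified)
    end
    authenticity_token(session)    # the layout renders csrf_meta_tag
    status = case path
             when '/users/sign_in'
               session[:user_id] = 1           # Devise sign_in succeeds
               200
             when '/accounts/new'
               session[:user_id] ? 200 : 401   # before_filter :authenticate_user!
             else
               200                             # any other page just renders
             end
    [status, persisted]
  end

  # Replays the question's sequence: a page view that issues the token, the JSON
  # sign-in (with or without the header), then GET /accounts/new.
  def self.replay(send_token:)
    _, session = request(:get, '/', {})
    token = send_token ? session[:_csrf_token] : nil
    sign_in, session = request(:post, '/users/sign_in', session, header_token: token)
    follow_up, _ = request(:get, '/accounts/new', session)
    [sign_in, follow_up]
  end
end
```

`CsrfDemo.replay(send_token: false)` reproduces the log's 200 followed by 401; sending the token from the meta tag yields 200 for both requests.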

WARNING: Can't verify CSRF token authenticity is the key. You need to pass csrf token with the ajax request, also make sure that you have csrf_meta_tag in your layout. WARNING: Can't verify CSRF token authenticity rails can be helpful.

Mikhail Nikalyukin