12

I created a new Rails 5 application with `rails new appname --api` which seems great! I want to use it as a backend to a frontend with React and in time a Chrome App. For now I want to create an API.

I used the following gems

  • gem 'omniauth'
  • gem 'omniauth-oauth2'
  • gem 'devise'
  • gem 'devise_token_auth', git: 'git://github.com/lynndylanhurley/devise_token_auth.git'
  • gem 'omniauth-twitter'
  • gem 'omniauth-facebook'
  • gem 'omniauth-google-oauth2'

And I followed the directions on their GitHub and here to do the setup: http://www.developingandrails.com/2015/02/api-authentication-with-devisetokenauth.html

And now when I run the app I get:

```
Started GET "/" for 14.144.15.10 at 2016-07-17 17:21:46 +0000
  ActiveRecord::SchemaMigration Load (0.1ms)  SELECT "schema_migrations".* FROM "schema_migrations"
OmniAuth::NoSessionError (You must provide a session to use OmniAuth.):
```

I've looked for answers on GitHub and StackOverflow but no one seems to have the solution.

The only thing that seems to "fix" the problem is adding this:

```ruby
# config/application.rb
config.middleware.use Rack::Session::Cookie
```

But this "solution" gives me this error in the console:

```
SECURITY WARNING: No secret option provided to Rack::Session::Cookie.
        This poses a security threat. It is strongly recommended that you
        provide a secret to prevent exploits that may be possible from crafted
        cookies. This will not be supported in future versions of Rack, and
        future versions will even invalidate your existing user cookies.
```

Please help! Thanks.

thecrentist
  • 1,241
  • 2
  • 19
  • 28

4 Answers

20

While `config.middleware.insert_after` worked for me, the same middleware was not loaded so I had to choose something else to insert it after. I found a similar answer in http://stackoverflow.com/questions/15342710/adding-cookie-session-store-back-to-rails-api-app and simply added:

```ruby
config.middleware.use ActionDispatch::Cookies
config.middleware.use ActionDispatch::Session::CookieStore
```

in application.rb.

hiroshi
  • 6,871
  • 3
  • 46
  • 59
Derek
  • 1,735
  • 17
  • 14
13

Unfortunately, OmniAuth requires `rack.session` to be present in order to keep some data between the request to the provider and the callback request.

https://github.com/omniauth/omniauth/blob/master/lib/omniauth/strategy.rb#L173

To use OmniAuth with Rails API, you need to return a session to the middleware stack:

```ruby
config.middleware.insert_after ActiveRecord::Migration::CheckPending, ActionDispatch::Cookies
config.middleware.insert_after ActionDispatch::Cookies, ActionDispatch::Session::CookieStore
```
Alex Kojin
  • 5,044
  • 2
  • 29
  • 31
  • How about `insert_before` OmniAuth? – Franklin Yu Jul 02 '17 at 20:34
  • 1
    Now the documentation provides this section [Integrating OmniAuth Into Your Rails API](https://github.com/omniauth/omniauth#integrating-omniauth-into-your-rails-api). Does that mean my app is now using a `cookie` session instead of a default `--api` only rails app? Or is it just for omniauth purposes and any security issue is actually present? – alexventuraio Oct 01 '19 at 22:18
8

Not totally sure, but something that worked for me in a project is:

```ruby
# config/application.rb
config.middleware.insert_after(ActiveRecord::QueryCache, ActionDispatch::Cookies)
config.middleware.insert_after(ActionDispatch::Cookies, ActionDispatch::Session::CookieStore)
```
oreoluwa
  • 5,553
  • 2
  • 20
  • 27
  • 1
    Didn't work for me. I got `No such middleware to insert after: ActiveRecord::QueryCache (RuntimeError)` – thecrentist Jul 17 '16 at 21:16
  • comment out the `config.middleware.insert_after(ActiveRecord::QueryCache, ActionDispatch::Cookies)` then. – oreoluwa Jul 17 '16 at 21:17
  • That fixed the error "SECURITY WARNING" I was getting! Although I do worry that this makes it insecure and I'm somewhat of a beginner. Thanks for your help! – thecrentist Jul 17 '16 at 22:29
  • I wonder what you mean by insecure, though. By default, Rails API doesn't provide access to sessions/cookies, because those are not needed in a RESTful API context. However, the configuration basically says to include those in the middleware stack. The full Rails app already includes these, which you can confirm by running `rake middleware` – oreoluwa Jul 18 '16 at 02:43
  • 1
    I guess being paranoid. Since I see that Rails API doesn't have it, I thought it'd be bad adding stuff. I need to read more and learn what's going on is my problem here. You helped me fix the issue and realize nothing is wrong :D – thecrentist Jul 18 '16 at 03:26
  • @crentist I guess that security warning is about using `ActionDispatch::Cookies` without `ActionDispatch::Session::CookieStore`. Data saved directly to the cookies through `#cookies` will not be signed and is therefore insecure; you should typically save data with `#session`, which will sign the data for you so that nobody else can tamper with it. `#session` is not available if you have `Cookies` without `CookieStore`. – Franklin Yu Jul 02 '17 at 22:33
0

In your config/application.rb set the secret

```ruby
config.middleware.use Rack::Session::Cookie, secret: "s3cr3t_k3y_3x@mpl3"
```

Ref.: https://www.rubydoc.info/gems/rack/Rack/Session/Cookie

Darlan Dieterich
  • 2,369
  • 1
  • 27
  • 37
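
Added example, not part of any answer above and not Rack's or Rails' own code: a simplified model of why the warning in the question asks for a secret, showing that a keyed MAC lets the server reject a cookie edited on the client, while a store with no secret has nothing to check. The `SignedCookie` module, the JSON payload, HMAC-SHA256 and the sample values are assumptions made for illustration.

```ruby
require "openssl"
require "json"
require "securerandom"

# Simplified model of a signed session cookie: "<base64 payload>--<hex HMAC>".
# SignedCookie is a hypothetical name; this is not Rack's or Rails' own code.
module SignedCookie
  def self.mac(payload, secret)
    OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA256"), secret, payload)
  end

  # Compare without stopping at the first differing byte.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  def self.encode(session, secret)
    raise ArgumentError, "secret too short" if secret.to_s.bytesize < 32
    payload = [JSON.generate(session)].pack("m0") # strict base64, no "-" characters
    "#{payload}--#{mac(payload, secret)}"
  end

  # Returns the session hash, or nil if the cookie is malformed or the MAC does not match.
  def self.decode(cookie, secret)
    payload, tag = cookie.to_s.split("--", 2)
    return nil if payload.nil? || tag.nil?
    return nil unless secure_compare(tag, mac(payload, secret))
    JSON.parse(payload.unpack1("m0"))
  rescue ArgumentError, JSON::ParserError
    nil
  end

  # A store with no secret has nothing to verify, so it trusts the client's payload.
  def self.decode_unsigned(cookie)
    JSON.parse(cookie.to_s.split("--", 2).first.to_s.unpack1("m0"))
  rescue ArgumentError, JSON::ParserError
    nil
  end
end

# Constructed sample values. A real app loads the secret from its configuration.
SECRET  = SecureRandom.hex(32)
GENUINE = SignedCookie.encode({ "user_id" => 42, "admin" => false }, SECRET)

# A cookie whose payload was edited on the client while the old MAC was kept.
edited = [JSON.generate({ "user_id" => 42, "admin" => true })].pack("m0")
TAMPERED = "#{edited}--#{GENUINE.split('--', 2).last}"
```

The same reasoning applies to the secret itself: a value committed in `application.rb` is known to everyone with repository access, so it should be long, random and supplied from outside the source tree.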