Rails - 远程设计通过发布凭据登录

时间:2014-12-25 04:14:16

标签: ruby-on-rails ruby authentication devise

我正在尝试创建一些功能,允许远程站点通过将表单的登录凭据发布到Devise Session Controller来登录用户。不是让用户通过Devise Login页面输入他们的凭证,而是自动登录。

我不打算远程验证API请求,我不打算实施SSO策略。从用户的角度来看,他们将使用不同的网站,并且新窗口会弹出重定向到我的远程Rails应用程序,而无需登录。

我已经超越了Devise Sessions控制器:

class Users::SessionsController < Devise::SessionsController
# Override the action you want here.

protect_from_forgery with: :null_session

def create
    puts "Made it in override"

    self.resource = warden.authenticate!(auth_options)
    set_flash_message(:notice, :signed_in) if is_flashing_format?
    sign_in(resource_name, resource)
    yield resource if block_given?
    respond_with resource, location: after_sign_in_path_for(resource)

    puts "After the override method"
end
end

以下是控制台结果:

Started POST "/users/sign_in" for 127.0.0.1 at 2014-12-24 22:59:54 -0500
ActiveRecord::SchemaMigration Load (0.4ms)  SELECT `schema_migrations`.* FROM `schema_migrations`
Processing by Users::SessionsController#create as HTML
Parameters: {"user"=>{"email"=>"user@abc.com", "password"=>"[FILTERED]"}}
Can't verify CSRF token authenticity
Made it in override
User Load (0.6ms)  SELECT  `users`.* FROM `users`  WHERE `users`.`email` = 'greg@cronin.com'  ORDER BY `users`.`id` ASC LIMIT 1
(0.2ms)  BEGIN
SQL (0.6ms)  UPDATE `users` SET `current_sign_in_at` = '2014-12-25 03:59:54', `last_sign_in_at` = '2014-12-25 03:54:32', `sign_in_count` = 38, `updated_at` = '2014-12-25     03:59:54' WHERE `users`.`id` = 2
(78.5ms)  COMMIT
Redirected to http://localhost:3000/reps/1
After the override method
Completed 302 Found in 261ms (ActiveRecord: 81.0ms)


Started GET "/reps/1" for 127.0.0.1 at 2014-12-24 22:59:55 -0500
Processing by RepsController#show as HTML
Parameters: {"id"=>"1"}
Completed 401 Unauthorized in 9ms

Started GET "/users/sign_in" for 127.0.0.1 at 2014-12-24 22:59:55 -0500
Processing by Users::SessionsController#new as HTML
Rendered devise/shared/_links.erb (1.5ms)
Rendered devise/sessions/new.html.erb within layouts/application (13.8ms)
Completed 200 OK in 123ms (Views: 121.1ms | ActiveRecord: 0.0ms)

登录逻辑执行且登录凭据正确,但重定向返回401 Unauthorized并导致Devise再次提示输入凭据。

知道用户未经过身份验证的原因吗?

1 个答案:

答案 0 :(得分:1)

跨站点请求伪造(csrf)正在执行其设计目的,阻止用户将来自网站外部的请求发送到您的页面,请在日志中注明此部分

Can't verify CSRF token authenticity

在您的控制器中,您会找到:

protect_from_forgery with: :null_session

这意味着如果检测到违规,请不要将会话数据用于当前请求,这就是为什么您发现自己没有登录,我不知道如何克服它,但您可以检查devise gem wikis并阅读如何使用您想要的方式从另一台服务器启动会话(除了删除csrf保护)

您可能还想查看与this blog post

相关联的from here
相关问题
最新问题