我正在尝试创建一些功能,允许远程站点通过将表单的登录凭据发布到Devise Session Controller来登录用户。不是让用户通过Devise Login页面输入他们的凭证,而是自动登录。
我不打算远程验证API请求,我不打算实施SSO策略。从用户的角度来看,他们将使用不同的网站,并且新窗口会弹出重定向到我的远程Rails应用程序,而无需登录。
我已经超越了Devise Sessions控制器:
class Users::SessionsController < Devise::SessionsController
# Override the action you want here.
protect_from_forgery with: :null_session
def create
puts "Made it in override"
self.resource = warden.authenticate!(auth_options)
set_flash_message(:notice, :signed_in) if is_flashing_format?
sign_in(resource_name, resource)
yield resource if block_given?
respond_with resource, location: after_sign_in_path_for(resource)
puts "After the override method"
end
end
以下是控制台结果:
Started POST "/users/sign_in" for 127.0.0.1 at 2014-12-24 22:59:54 -0500
ActiveRecord::SchemaMigration Load (0.4ms) SELECT `schema_migrations`.* FROM `schema_migrations`
Processing by Users::SessionsController#create as HTML
Parameters: {"user"=>{"email"=>"user@abc.com", "password"=>"[FILTERED]"}}
Can't verify CSRF token authenticity
Made it in override
User Load (0.6ms) SELECT `users`.* FROM `users` WHERE `users`.`email` = 'greg@cronin.com' ORDER BY `users`.`id` ASC LIMIT 1
(0.2ms) BEGIN
SQL (0.6ms) UPDATE `users` SET `current_sign_in_at` = '2014-12-25 03:59:54', `last_sign_in_at` = '2014-12-25 03:54:32', `sign_in_count` = 38, `updated_at` = '2014-12-25 03:59:54' WHERE `users`.`id` = 2
(78.5ms) COMMIT
Redirected to http://localhost:3000/reps/1
After the override method
Completed 302 Found in 261ms (ActiveRecord: 81.0ms)
Started GET "/reps/1" for 127.0.0.1 at 2014-12-24 22:59:55 -0500
Processing by RepsController#show as HTML
Parameters: {"id"=>"1"}
Completed 401 Unauthorized in 9ms
Started GET "/users/sign_in" for 127.0.0.1 at 2014-12-24 22:59:55 -0500
Processing by Users::SessionsController#new as HTML
Rendered devise/shared/_links.erb (1.5ms)
Rendered devise/sessions/new.html.erb within layouts/application (13.8ms)
Completed 200 OK in 123ms (Views: 121.1ms | ActiveRecord: 0.0ms)
登录逻辑执行且登录凭据正确,但重定向返回401 Unauthorized并导致Devise再次提示输入凭据。
知道用户未经过身份验证的原因吗?
答案 0 :(得分:1)
跨站点请求伪造(csrf)正在执行其设计目的,阻止用户将来自网站外部的请求发送到您的页面,请在日志中注明此部分
Can't verify CSRF token authenticity
在您的控制器中,您会找到:
protect_from_forgery with: :null_session
这意味着如果检测到违规,请不要将会话数据用于当前请求,这就是为什么您发现自己没有登录,我不知道如何克服它,但您可以检查devise gem wikis并阅读如何使用您想要的方式从另一台服务器启动会话(除了删除csrf保护)
您可能还想查看与this blog post
相关联的from here