Hello, I'm using the devise_token_auth gem, and testing my server with Postman with a PUT request to / following these indications:
Account updates. This route will update an existing user's account settings. The default accepted params are password and password_confirmation, but this can be customized using the devise_parameter_sanitizer system. If config.check_current_password_before_update is set to :attributes the current_password param is checked before any update, if it is set to :password the current_password param is checked only if the request updates user password.
I made this request:

Header:

    "access-token": "wwwww",
    "token-type": "Bearer",
    "client": "xxxxx",
    "expiry": "yyyyy",
    "uid": "zzzzz"

Body:

    {
      "name": "MI NOMBRE",
      "nickname": "MI APODO",
      "role": "MI ROL"
    }
and I get this error: Please submit proper account update data in request body.

These are my permitted params in application_controller.rb:
    protect_from_forgery with: :null_session
    before_filter :configure_permitted_parameters, if: :devise_controller?

    def configure_permitted_parameters
      devise_parameter_sanitizer.for(:sign_up) << :password_confirmation
      devise_parameter_sanitizer.for(:account_update) do |user_params|
        user_params.permit(:role, :email, :nickname, :name, :password, :password_confirmation)
      end
    end
My server message:

    Processing by DeviseTokenAuth::RegistrationsController#update as */*
    Can't verify CSRF token authenticity
    User Load (0.2ms) SELECT "users".* FROM "users" WHERE "users"."uid" = ? LIMIT 1 [["uid", "test2@gmail.com"]]
    Filter chain halted as :validate_account_update_params rendered or redirected
    Completed 422 Unprocessable Entity in 85ms (Views: 0.2ms | ActiveRecord: 0.5ms)
In case you're testing this on a local machine you'll probably need to allow cross-site requests first. Update your Gemfile and run bundle install:
    group :development do
      gem 'rack-cors'
    end
In config/environments/development.rb add the following:
    config.middleware.insert_before 0, Rack::Cors do
      # allow all origins in development
      allow do
        origins '*'
        resource '*',
          :headers => :any,
          :methods => [:get, :post, :delete, :put, :options],
          :expose  => ['access-token', 'expiry', 'token-type', 'uid', 'client'],
          :max_age => 0
      end
    end
Then on the client side there are multiple libraries you can use. All of them would store the auth-token on the client (cookies, session store, ...) and then inject the token into each request. Depending on your stack you can choose from:

Basically the validation looks like this (image from ng-token-auth):
When client HTML was rendered on the server (Rails) it was common practice to include a CSRF tag somewhere in the page layout:

    <%= csrf_meta_tag %>
If you really want to do this with Postman and, let's say, you have just a JSON API, you can set the token in application_controller.rb:
    before_action :set_token

    def set_token
      response.headers['X-XSRF-TOKEN'] = form_authenticity_token
    end
Now when you send GET / you'll be able to retrieve

    X-XSRF-TOKEN: Tjbsg1RYL6bBoCK1u1As8/SO09V+vZ+IOyfNrRXdyfNb9DeWjwnArv6IZkyr2+ayMchwywXPyausYOQhWNGK1g==

from the response headers. Afterwards you have to use it for submitting the PUT request. That's just to illustrate how this works; using some library for managing tokens is a better idea.
In case someone is looking for a solution: after setting up cross-site requests using gem 'rack-cors', in application_controller.rb add the following:
    before_action :configure_permitted_parameters, if: :devise_controller?

    def configure_permitted_parameters
      devise_parameter_sanitizer.permit(:sign_up, keys: [:name, :password_confirmation])
      devise_parameter_sanitizer.permit(:account_update, keys: [:name, :nickname, :image])
    end
Tested and works in Rails 5.2.1
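Added example (not code from the question, either answer, or the gem): a dependency-free Ruby model of what the permitted-keys sanitizer and the validate_account_update_params filter do to the request body from the question. It shows why the default key list (password only) yields the 422 from the log, why the answer's key list makes the same body pass, and why :role should stay off the list: an account_update route that permits role lets any signed-in user change their own role. The helper names are hypothetical; the message string is the one on the page.

```ruby
# Dependency-free model of strong-params filtering for the account_update route.
# Function names are hypothetical; the 422 message mirrors the one in the question.

MISSING_PARAMS_MESSAGE = 'Please submit proper account update data in request body.'

# Keys a user may change about their own account (the second answer's list plus
# the password pair). :role is deliberately absent: permitting it here would let a
# user mass-assign their own role, a straightforward privilege-escalation path.
ACCOUNT_UPDATE_KEYS = %i[name nickname image password password_confirmation].freeze

# Devise's default for account_update before any sanitizer customisation.
DEFAULT_ACCOUNT_UPDATE_KEYS = %i[password password_confirmation].freeze

# Strong-params style filter: keep only permitted keys, silently drop the rest.
def sanitize_account_update(body, permitted = ACCOUNT_UPDATE_KEYS)
  body.each_with_object({}) do |(key, value), kept|
    sym = key.to_sym
    kept[sym] = value if permitted.include?(sym)
  end
end

# Mirrors the before_action: an empty sanitized hash halts the chain with 422,
# otherwise the caller gets the attributes that may reach the model.
def validate_account_update(body, permitted = ACCOUNT_UPDATE_KEYS)
  attrs = sanitize_account_update(body, permitted)
  return [422, { 'errors' => [MISSING_PARAMS_MESSAGE] }] if attrs.empty?
  [200, attrs]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request body, identical to the one in the question.
  body = { 'name' => 'MI NOMBRE', 'nickname' => 'MI APODO', 'role' => 'MI ROL' }
  # Default keys: nothing survives, so the filter renders 422 as in the server log.
  p validate_account_update(body, DEFAULT_ACCOUNT_UPDATE_KEYS)
  # Answer's keys: name and nickname kept, role dropped before it can hit the model.
  p validate_account_update(body)
end
```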