devise_token_auth update request

Question

Hello I'm using the devise_auth_token gem, and testing my server with postman with a PUT request to / following this indications :

Account updates. This route will update an existing user's account settings. The default accepted params are password and password_confirmation , but this can be customized using the devise_parameter_sanitizer system. If config.check_current_password_before_update is set to :attributes the current_password param is checked before any update, if it is set to :password the current_password param is checked only if the request updates user password.

I made this request ->

Header :

"access-token": "wwwww",
"token-type":   "Bearer",
"client":       "xxxxx",
"expiry":       "yyyyy",
"uid":          "zzzzz"

Body :

{  
  "name": "MI NOMBRE",
  "nickname": "MI APODO",
  "role": "MI ROL"
}

and i get this error : Please submit proper account update data in request body.

This are my permited params in application_controller.rb :

protect_from_forgery with: :null_session
before_filter :configure_permitted_parameters, if: :devise_controller?

  def configure_permitted_parameters
    devise_parameter_sanitizer.for(:sign_up) << :password_confirmation
    devise_parameter_sanitizer.for(:account_update) do |user_params|
      user_params.permit(:role, :email, :nickname, :name, :password, :password_confirmation)
    end
  end

My server message :

Processing by DeviseTokenAuth::RegistrationsController#update as */*
Can't verify CSRF token authenticity
  User Load (0.2ms)  SELECT  "users".* FROM "users" WHERE "users"."uid" = ? LIMIT 1  [["uid", "test2@gmail.com"]]
Filter chain halted as :validate_account_update_params rendered or redirected
Completed 422 Unprocessable Entity in 85ms (Views: 0.2ms | ActiveRecord: 0.5ms)

Answer 1

In case your testing this on local machine you'll probably need to allow cross site requests first. Update your Gemfile and run bundle install :

group :development do
  gem 'rack-cors'
end

in config/environments/development.rb add following:

  config.middleware.insert_before 0, Rack::Cors do
    # allow all origins in development
    allow do
      origins '*'
      resource '*',
          :headers => :any,
          :methods => [:get, :post, :delete, :put, :options],
          :expose  => ['access-token', 'expiry', 'token-type', 'uid', 'client'],
          :max_age => 0
    end
  end

Then on client side there are multiple libraries you can use. All of them would store the auth-token on client (cookies, session store, ...) and then inject token into each request. Depending on your stack you can choose from:

• ng-token-auth for AngularJS
• Angular2-Token for Angular2
• jToker for jQuery

Basically the validation looks like this (image from ng-token-auth ):

When client HTML was rendered on server (Rails) it was common practice to include CSRF tag somewhere in page layout:

<%= csrf_meta_tag %>

If you really want do do this with postman and let's say you have just JSON API, you can do set token in application_controller.rb :

before_action :set_token
def set_token
  response.headers['X-XSRF-TOKEN'] = form_authenticity_token
end

now when you send GET / you'll be able to retrieve

X-XSRF-TOKEN: Tjbsg1RYL6bBoCK1u1As8/SO09V+vZ+IOyfNrRXdyfNb9DeWjwnArv6IZkyr2+ayMchwywXPyausYOQhWNGK1g==

from response headers. And afterwards you have to use it for submitting PUT request. That's just to illustrate how this works, using some library for managing tokens is a better idea.

Answer 2

In case someone is looking for a solution, after setting up cross site requests using gem 'rack-cors'.

In application_controller.rb add following:

before_action :configure_permitted_parameters, if: :devise_controller?

  def configure_permitted_parameters
    devise_parameter_sanitizer.permit(:sign_up, keys: [:name, :password_confirmation])
    devise_parameter_sanitizer.permit(:account_update, keys: [:name, :nickname, :image])
  end

Tested and works in Rails 5.2.1