stackoom
  简体   繁体   中英

Unauthorize error on password update Devise

 原文  2016-03-14 08:31:46       ruby-on-rails/ ruby-on-rails-4/ authentication/ devise

Question

I'm working on a rails api and using devise_token_auth for the authentication, when I try to update password by hitting the /auth/password with put request it responsds with error 401 ie unauthorized. My server logs show me this

Started PUT "/auth/password" Processing by DeviseTokenAuth::PasswordsController#update as HTML Parameters: {"password"=>"[FILTERED]", "password_confirmation"=>"[FILTERED]"} Can't verify CSRF token authenticity Completed 401 Unauthorized in

routes.rb 

mount_devise_token_auth_for 'User', at: 'auth' ,:controllers => { :omniauth_callbacks => 'omniauth'  }

view.html (angularjs) 

<div class="container">
    <div class="row">

    <div class="row">
       <div class="col-xs-6 col-xs-offset-3 que">
           <img src="./uploads/img/web-logo.png" class="img-responsive" alt="Logo">
       </div>
    </div>
        <div class="col-xs-12 reset-pas">
            <form  name="update_pass" ng-submit="updatePassword_controller()" role="form" class="lost_reset_password">
                <p class="error_msg" ng-show="update_pass.password_confirmation.$error.passwordVerify"> 
                    Passwords are not equal!
                </p>
            <label>New password</label>
            <input type="password" name="password"  ng-minlength="8"  ng-model="updatePasswordForm.password" required="required" class="form-control">
            <span>Minimum 8 Charachters</span>
    <br>
            <label>Re-enter new password</label>

            <input type="password" name="password_confirmation"  ng-minlength="8"  ng-model="updatePasswordForm.password_confirmation" required="required" class="form-control"  password-verify="updatePasswordForm.password" >
                <button type="submit" class="btn btn-default" id="reset-submit">Save</button>
            </form>
        </div>
    </div>
</div>

controller.js 

$scope.updatePassword_controller = function() {

  $auth.updatePassword($scope.updatePasswordForm)
    .then(function(resp) {
      console.log(resp)
      $location.path('/')
    })
    .catch(function(resp) {
      console.log(resp)
    });
};

Update Note I'm facing this issue only for password update

Update

I installed gem 'angular_rails_csrf' Now it's giving only the authorization error not the csrf attack error

2 answers

solution1
 1  2016-03-14 09:29:21

Use the Rails form_tag or form_for helpers. They add will add a hidden field for the XCSRF token: 

<div class="container">
    <div class="row">

    <div class="row">
       <div class="col-xs-6 col-xs-offset-3 que">
           <img src="./uploads/img/web-logo.png" class="img-responsive" alt="Logo">
       </div>
    </div>
        <div class="col-xs-12 reset-pas">
            <%= form_tag "#", { "ng-submit" => "updatePassword_controller()", "role" => "form", "class" => "lost_reset_password"} do %>
                <p class="error_msg" ng-show="update_pass.password_confirmation.$error.passwordVerify"> 
                    Passwords are not equal!
                </p>
            <label>New password</label>
            <input type="password" name="password"  ng-minlength="8"  ng-model="updatePasswordForm.password" required="required" class="form-control">
            <span>Minimum 8 Charachters</span>
    <br>
            <label>Re-enter new password</label>

            <input type="password" name="password_confirmation"  ng-minlength="8"  ng-model="updatePasswordForm.password_confirmation" required="required" class="form-control"  password-verify="updatePasswordForm.password" >
                <button type="submit" class="btn btn-default" id="reset-submit">Save</button>
            </form>
        </div>
    </div>
</div>

solution2
 1 ACCPTED  2016-03-24 16:38:25

I simply made a condition in applicationcontroller.rb like below and it worked out . The main idea is simply to override the functionality of Devise 

        if params[:controller] == "devise_token_auth/passwords" && params[:action] == "update"

              uri               = URI.parse(request.headers.env['HTTP_REFERER'])
              query_params      = CGI.parse(uri.query)
              email             = query_params['uid'].first
              user              = User.find_by_email(email)
              user.password     = params[:password]
              user.password_confirmation = params[:password_confirmation]

              if user.save
                    render json: {message: 'Password Updated successfully', status: 200}                        
              else
                    render json: {message: 'Password Could not changed , Please contact to support Team', status: 401}
              end
        end

Although it's not the proper solution but i couldn't think of anyother one . So please bear with me .In it we're fetching email from url

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Rails devise - error on update when resetting the password devise password update Devise update password Devise update password route Update password devise Cant update password with devise? Password update gives mass assignment error with Devise security extension devise Rails 5 security extension error using update_with_password Devise Password Reset Error Devise update user without password
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM