12

Sign-in works fine on Chrome, but doesn't work on Safari (or I assume other Webkit browsers). I get this error message after you sign in ("The change you wanted was rejected. Maybe you tried to change something you didn't have access to."):

The change you wanted was rejected. Maybe you tried to change something you didn't have access to.

According to my heroku logs, this is what's happening:

2016-12-07T14:14:23.778153+00:00 app[web.1]: Can't verify CSRF token authenticity
2016-12-07T14:14:23.778899+00:00 app[web.1]: Completed 422 Unprocessable Entity in 2ms (ActiveRecord: 0.0ms)
2016-12-07T14:14:23.785544+00:00 app[web.1]:
2016-12-07T14:14:23.785547+00:00 app[web.1]: ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken):

I believe i'm sending the proper CSRF token, but something seems to be malfunctioning. This is my current application_controller.rb:

class ApplicationController < ActionController::Base


  # Prevent CSRF attacks by raising an exception.
  # For APIs, you may want to use :null_session instead.
  protect_from_forgery with: :exception

  after_action :flash_to_headers

  # this is so that json requests don't redirect without a user
  before_action :authenticate_user!
  # before_action :authenticate_user!, unless: request.format == :json
  # before_action :user_needed, if: request.format == :json

  before_action :set_paper_trail_whodunnit
  before_action :set_global_search_variable


  def set_global_search_variable
    @q = Person.ransack(params[:q])
  end

  def user_needed
    unless current_user
      render json: { 'error' => 'authentication error' }, status: 401
    end
  end



  def flash_to_headers
    return unless request.xhr?
    response.headers['X-Message'] = flash_message if flash_message
    response.headers['X-Message-Type'] = flash_type.to_s if flash_type
    flash.discard # don't want the flash to appear when you reload page
  end

  private

    def flash_message
      [:error, :warning, :notice].each do |type|
        return flash[type] unless flash[type].blank?
      end
      nil
    end

    def flash_type
      [:error, :warning, :notice].each do |type|
        return type unless flash[type].blank?
      end
      nil
    end

(Changing protect_from_forgery with: to null_session just causes an endless loop of returning to the login screen.)

This question references a similar problem, but doesn't discuss the complication of Devise. Supposedly Devise handles this issue already, but it somehow isn't working here. Many of these answers are years old, so i'm not sure how relevant they would be today.

I've also tried searching for bugs in the actual Devise Github repo, but I don't seem to be getting anywhere with the suggestions in those threads. Lots of suggestions to edit the application controller, but many times that seems to crash the entire app.

This app runs Ruby 2.2.5 and Rails 4.2.7.1. Would updating to Rails 5 help solve this issue?

It also has an existing (and probably hacky) override for making admin accounts; the person signs up through Devise and then is given admin access through another field called approved manually in the pqsl shell. I'm not sure if that could be related.

The app is on Github, for anyone who wants to take a look: https://github.com/yamilethmedina/kimball

Community
  • 1
  • 1
Yami Medina
  • 670
  • 10
  • 26
  • How looks the method for "before_action :authenticate_user!" – Alexander Luna Dec 16 '16 at 02:20
  • @AlexanderLuna Where would I find that method? That part of the application controller is the only instance of `before_action :authenticate_user!`, although there are several `skip_before_action :authenticate_user!` instances in the project. – Yami Medina Dec 16 '16 at 02:52
  • I can't tell you where it is. You will have to know since you put it in there. The reason I ask is because it is called every time before your controller even gets a request. – Alexander Luna Dec 16 '16 at 03:01
  • I understand. I didn't create this project from scratch myself so i'm not sure where it is, although this project does use Devise for user sign-up and authentication. I'm having trouble finding an example on Google. [This](http://stackoverflow.com/questions/9272272/where-is-devise-implementation-of-authenticate-user-method) appears to reference an older version because I don't have a `devise` subfolder inside `lib` and no `helpers.rb` file. – Yami Medina Dec 16 '16 at 03:11
  • I had a same issue with CSRF token on safari. Had disabled cookies in my browser.. Are u sure that Safari is accepting cookies from ur app? – liborza Dec 16 '16 at 19:41
  • @LiborZahrádka are cookies turned off in Safari by default? I'll check to see if mine were off. A second person has reported this issue on their computer on the Heroku deployment, but theirs might be off too. – Yami Medina Dec 16 '16 at 20:09

2 Answers2

8

As it turns out, my problem was solved by this answer. It wasn't in the application controller after all, but in config/initializers/session_store.rb.

This was my initial session_store:

Logan::Application.config.session_store :cookie_store, key: '_cutgroup_session', secure: (Rails.env.production? || Rails.env.staging?)

Upon doing further research, I found this suggestion:

Rails.application.config.session_store :cookie_store, key: "_rails_session_#{Rails.env}", domain: all

This still didn't work; however, it would give a 401 error in the logs (instead of 422) and redirect back to the login page as opposed to showing the error screen I screenshotted above.

Finally, I removed the domain: all part from the end of Rails.application.config.session_store :cookie_store, key: "_rails_session_#{Rails.env}" worked for me on Safari (cookies weren't blocked at any point from the browser). Now, i'm able to log in when the project is deployed on Heroku.

The bounty was a heavy price to pay, but at least the commenters helped me clarify my thinking and find a solution! If someone else comes across this question and comes up with a better one, i'll upvote it instead, but I think i've got it now.

Community
  • 1
  • 1
Yami Medina
  • 670
  • 10
  • 26
  • This part of it resolves a related issue for me: `key: "_rails_session_#{Rails.env}"`. By setting the key to a different name for development and production it means that I can actually use the same browser for both environments on my machine without weird errors. – Phil Jan 25 '18 at 09:54
1

try :

controller/application.rb

protect_from_forgery with: :null_session

and override you Device controller

sessions_controller.rb

class Users::SessionsController < Devise::SessionsController
skip_before_filter :verify_authenticity_token, :only => [:destroy]
end
vipin
  • 2,374
  • 1
  • 19
  • 36
  • Thanks for answering! However, I've heard that changing that setting in the application controller to `:null_session` is ill-advised because it'll allow for forgeries and override the protection. It also didn't work for me (albeit without overriding the Devise controller as specified here) – Yami Medina Dec 21 '16 at 00:05