I just have a huge number of questions ... But before that you need to describe what is actually happening.

Preamble

I'm trying to teach Angular2 to log in to the Rails 5 beta 3 application. With this, Rails runs in API mode. As I understand it, in order for Devise to work in API mode, you need a gem devise_token_auth . Heme I installed and configured, but after that the problems started:

Unpermitted parameters: user, session

The first thing I tried to do after setting up, send a simple POST request and see what happens. And the following happened:

 Processing by DeviseTokenAuth::SessionsController#create as *json* Parameters: {"user"=>{"username"=>"demo", "password"=>"[FILTERED]"}, "session"=>{"user"=>{"username"=>"demo", "password"=>"[FILTERED]"}}} Unpermitted parameters: user, session Rendered devise_token_auth/sessions/create.json (0.2ms) Completed 401 Unauthorized in 18ms (Views: 3.2ms | ActiveRecord: 0.0ms)

And from now on, I don’t understand a bit, since when should I prescribe the permit for the parameters that ActionController::ParamsWrapper dynamically creates as a wrapper? Moreover:

 devise_parameter_sanitizer.permit(:sign_in) do |user_params| user_params.permit(:user, :session) end

does not change anything. Has anyone encountered this before?

Authentication header

Having rummaged in the documentation in search of a solution to the problem, I found another:

Header of each request. The headers follow the RFC 6750 Bearer Token format

Those. The request header should contain the following data:

 "access-token": "wwwww", "token-type": "Bearer", "client": "xxxxx", "expiry": "yyyyy", "uid": "zzzzz"

In AngularJS, they were generated by the ng-token-auth module, but how do I generate them using Angular2, which does not have this module?

Summing up the interim result (because I feel, after these problems I stumble upon even more of them), here is a list of my questions:

  • How to fix unpermitted parameters: user, session in devise_token_auth ?
  • How to generate access-token ?
  • How to calculate expiry and is there a "rails-way" for the token lifetime?
  • What should I write in the client ? Since this identifier allows the user to simultaneously log in from multiple devices, what should he look like? What should be written there?
  • What data should be returned to the client after authorization (besides 200 )?
  • What other pitfalls can wait for me when I try to log in through the Rails API?

UPD

Here is the request that I send:

 private _user_session_url = 'auth/sign_in'; login (username: string, password: string) : Observable<User> { let body = JSON.stringify({ username: username, password: password }); // TODO: generate header data. let headers = new Headers({ 'Content-Type': 'application/json', 'accept': 'json' }); let options = new RequestOptions({ headers: headers}); return this.http.post(this._user_session_url, body, options) .map((data: any) => data.json()) .catch(this.handleError) }

As you can see, the session in the request body is not. It is created by ActionController :: ParamsWrapper

In confirmation, I quote Request Payload:

 {"username":"demo","password":"123"}

    1 answer 1

    According to the devise_token_auth (DTA) brief documentation, POST /sign_in only accepts email and password right at the root . That is, the parameters should look like this:

     { "email": "foo@example.com", "password": "bar" }

    No nesting. No need to further customize the sanitizer and invent unnecessary keys.

    And now the answer to all remaining questions at once :

    Token-Type , Access-Token , Client and Expiry .

    In AngularJS, they were generated by the ng-token-auth module.

    No, they are generated by the server , the client doesn’t do anything clever. They are stored in the database (in a partially distorted, but verifiable form, like passwords), and they are exchanged using headers . /sign_in returns all headers of interest. You will simply pass all these values ​​back and forth (and update, because by default, after each individual request, the token changes).

    In addition, perhaps, Expiry , the value of which can be monitored, "when the token falls off and requires updating", which can be used to drop it on the entry form.

    You can use DTA without ng-token-auth , but before you do that, you should read the documentation for the methods used.

    I used this gem before and do not recommend it for cases where the customizability of data received and sent by this system is important, because the extensibility of heme is close to zero.

    • Can you suggest any alternatives to this gem? - Viktor
    • @ Victor afraid not. If he is interested only in authentication, he will not cause major problems, but if he is also interested in requests with answers of a certain form (in accordance with a certain specification, for example), then making this gem comply with this form is pain . But it is rarely necessary. - D-side
    • Thank. I do not need anything other than authentication at this stage. Changing the request body fixed Unpermitted parameter: user , but the Unpermitted parameter: session still hangs, and also when trying to authorize, 401 still returns - Viktor
    • @ Victor, so why are you sending this parameter, where is it in the documentation? Only email and password , there is no user . - D-side
    • I understood my mistake and deleted the user . But the session is not created by me (see UPD) and because of it the Unpermitted parameter: session appears Unpermitted parameter: session - Viktor