lynndylanhurley / devise_token_auth

Token based authentication for Rails JSON APIs. Designed to work with jToker and ng-token-auth.
Do What The F*ck You Want To Public License

Devise and Devise_token_auth together. Routing not working #1319

Open AlbertMontolio opened 4 years ago

AlbertMontolio commented 4 years ago

When posting issues, please include the following information to speed up the troubleshooting process:

I am using

    devise (4.6.2)
    devise_token_auth (1.1.0)

    Started GET "/auth/sign_in" for ::1 at 2019-07-23 15:48:27 +0200
    Processing by DeviseTokenAuth::SessionsController#new as HTML
    Filter chain halted as :authenticate_user! rendered or redirected
    Completed 401 Unauthorized in 6ms (Views: 0.9ms | ActiveRecord: 0.0ms)

I have a Rails application with an API inside. I can make calls and authenticate with the access-token from the gem devise_auth.

I now wanted to add authentication for web requests. I decided to create two application_controllers to handle the two types of request, web and api.

The two controllers look like this:

    class ApplicationController < ActionController::Base
      protect_from_forgery with: :exception
      before_action :authenticate_user!
    end

And for api:

    class ApiApplicationController < ActionController::Base
      skip_before_action :verify_authenticity_token
      include DeviseTokenAuth::Concerns::SetUserByToken
    end

The routes look like this:

    Rails.application.routes.draw do
      devise_for :users, as: 'web'

      mount_devise_token_auth_for 'User', at: 'auth'
      root to: 'pages#home'
      # For details on the DSL available within this file, see http://guides.rubyonrails.org/routing.html
      namespace :api, defaults: { format: :json } do
        namespace :v1 do
          resources :trainings, only: [ :index, :show, :create ]
          post 'import', to: "trainings#import"
        end
      end

      namespace :admin do
        resources :trainings, only: [:index]
        resources :users, only: [:index, :show]
      end
    end

I just added the web prefix to avoid collision with same rails_path.

The controller that I want to access is the admin/users, and it inherits from ApplicationController:

    class Admin::UsersController < ApplicationController
      before_action :authenticate_user!

When I type in the browser:

http://localhost:3000/admin/users

I expect to see the normal devise behaviour, which is, seeing the login form in the web.

Unfortunately, the request is received by the AuthTokenController:

    Started GET "/auth/sign_in" for ::1 at 2019-07-23 15:37:46 +0200
    Processing by DeviseTokenAuth::SessionsController#new as HTML
    Filter chain halted as :authenticate_user! rendered or redirected
    Completed 401 Unauthorized in 1ms (Views: 0.3ms | ActiveRecord: 0.0ms)

I split up the controller for the web and for api, so that I can play with the protect_from_forgery method etc.

But I don't know how to tell Rails in the routes that, whenever I do a web request, it should authenticate through the right controller.

To sum up, I am hitting the following URL:

http://localhost:3000/admin/users

Which corresponds to this controller:


    admin_users GET      /admin/users(.:format)  admin/users#index

This controller inherits from


    class Admin::UsersController < ApplicationController
      before_action :authenticate_user!

And this ApplicationController uses:

    class ApplicationController < ActionController::Base
      protect_from_forgery with: :exception
      before_action :authenticate_user!
    end

At no point am I telling this request anything about the DeviseAuthToken. I don't know why it takes the request.

My User model is as follows:

    # frozen_string_literal: true

    class User < ActiveRecord::Base
      has_many :trainings

      extend Devise::Models
      # Include default devise modules. Others available are:
      # :confirmable, :lockable, :timeoutable and :omniauthable
      devise :database_authenticatable, :registerable,
             :recoverable, :rememberable, :trackable, :validatable
      include DeviseTokenAuth::Concerns::User
    end

ughstudios commented 4 years ago

@AlbertMontolio did you ever get this working?