nejdetkadir / devise-api

The devise-api gem is a convenient way to add authentication to your Ruby on Rails application using the devise gem. It provides support for access tokens and refresh tokens, which allow you to authenticate API requests and keep the user's session active for a longer period of time on the client side.
MIT License
152 stars 22 forks

Unpermitted parameter: :token #8

Closed NfoCipher closed 2 months ago

NfoCipher commented 1 year ago

When issuing the example curl call:

curl --location --request POST 'http://127.0.0.1:3000/users/tokens/sign_up' --header 'Content-Type: application/json' --data-raw '{ "email": "test2@development.com", "password": "123456" }'

I do get a response of:

{"token":"xmRbTRpBxbCkyN9Rgzs6_usJTb_wFnB7qL36fioh5bTLa8XAQTwca-12vz3P","refresh_token":"eigFtc3nPqTR41KJh7ktRiCtVqsM6n4izBx6yzNzqKjURyZ9vqz7McRbunSf","expires_in":3600,"token_type":"Bearer","resource_owner":{"id":2,"email":"test2@development.com","created_at":"2023-02-24T22:12:38.043Z","updated_at":"2023-02-24T22:12:38.043Z"}}

But, the rails logs contain:

Processing by Devise::Api::TokensController#sign_up as */*
  Parameters: {"email"=>"test2@development.com", "password"=>"[FILTERED]", "token"=>{}}
Unpermitted parameter: :token. Context: { controller: Devise::Api::TokensController, action: sign_up, request: #<ActionDispatch::Request:0x000000010ed12950>, params: {"email"=>"test2@development.com", "password"=>"[FILTERED]", "controller"=>"devise/api/tokens", "action"=>"sign_up", "token"=>{}} }
Unpermitted parameter: :token. Context: { controller: Devise::Api::TokensController, action: sign_up, request: #<ActionDispatch::Request:0x000000010ed12950>, params: {"email"=>"test2@development.com", "password"=>"[FILTERED]", "controller"=>"devise/api/tokens", "action"=>"sign_up", "token"=>{}} }

Any ideas?

1gn0r4nd commented 1 year ago

I think the rails log is from a different curl command. The rails log looks like a request with parameter --data-raw '{ "email": "test2@development.com", "password": "123456", "token": "{}" }'. You don't need a token to sign up AFAIK, but if you wish to add it, perhaps add it in the function sign_up_params in the subclass of Devise::Api::TokensController.

NfoCipher commented 1 year ago

That's the correct curl command. And most likely part of the issue.

nejdetkadir commented 1 year ago

Hello @NfoCipher , I think @1gn0r4nd is right, could you check your request and logs?

NfoCipher commented 1 year ago

Here's the test project: https://github.com/Deanout/devise_api

You should get the same error from that.

vergil-zhao commented 1 year ago

I met the same problem. The request body doesn't have a token field, but the log still showed Unpermitted parameter: :token.

dafal commented 1 year ago

Same here:

Unpermitted parameter: :token. Context: { controller: Devise::Api::TokensController, action: sign_in, request: #<ActionDispatch::Request:0x0000ffff85276c28>, params: {"email"=>"user1@example.com", "password"=>"[FILTERED]", "controller"=>"devise/api/tokens", "action"=>"sign_in", "token"=>{}} }

TruAmbition commented 1 year ago

I too am experiencing something similar.

Sending this logic directly from Postman for troubleshooting:

var axios = require('axios');
var data = JSON.stringify({
  "email": "truman@example.com",
  "password": "password"
});

var config = {
  method: 'post',
  url: 'http://127.0.0.1:3000/users/tokens/sign_in',
  headers: { 
    'Content-Type': 'application/json'
  },
  data : data
};

axios(config)
.then(function (response) {
  console.log(JSON.stringify(response.data));
})
.catch(function (error) {
  console.log(error);
});

Rails Log:

Processing by Devise::Api::TokensController#sign_in as HTML
  Parameters: {"email"=>"truman@morphxr.io", "password"=>"[FILTERED]", "token"=>{}}
Unpermitted parameter: :token. Context: { controller: Devise::Api::TokensController, action: sign_in, request: #<ActionDispatch::Request:0x0000000105d760f8>, params: {"email"=>"truman@morphxr.io", "password"=>"[FILTERED]", "controller"=>"devise/api/tokens", "action"=>"sign_in", "token"=>{}} }

Login is successful, but Rails logs show the message above.

ericksvdrah commented 10 months ago

I too am experiencing something similar.

Started POST "/users/tokens/sign_in" for 127.0.0.1 at 2023-10-09 15:38:38 -0500
Processing by Devise::Api::TokensController#sign_in as */*
  Parameters: {"email"=>"admin@mail.com", "password"=>"[FILTERED]", "token"=>{}}
Unpermitted parameter: :token. Context: { controller: Devise::Api::TokensController, action: sign_in, request: #, params: {"email"=>"admin@mail.com", "password"=>"[FILTERED]", "controller"=>"devise/api/tokens", "action"=>"sign_in", "token"=>{}} }
Unpermitted parameter: :token. Context: { controller: Devise::Api::TokensController, action: sign_in, request: #, params: {"email"=>"admin@mail.com", "password"=>"[FILTERED]", "controller"=>"devise/api/tokens", "action"=>"sign_in", "token"=>{}} }

I can get a successful start, but I have this message in the rails log.

wandenberg commented 7 months ago

I had the same problem. Temporarily solved by running the below code on the app initialization. Would be good to have the Devise::Api::TokensController calling the wrap_parameters false on it to avoid this more drastic solution.

# Disable JSON parameter wrapping for every controller once ActionController loads,
# so the request body is no longer copied under a "token" key.
ActiveSupport.on_load(:action_controller) do
  wrap_parameters false
end

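To make the mechanism behind wandenberg's workaround concrete, here is an added stand-alone illustration (not code from the gem, from Rails, or from anyone in this thread) that re-implements in miniature what ActionController::ParamsWrapper and strong parameters do to a sign_in body. The controller name, the list of Token column names and the request body are constructed assumptions; the point it shows is that the wrapper derives the key "token" from TokensController, copies only body keys that match the model's attributes (email and password are not Token columns, so the nested hash is empty), and permit(:email, :password) then reports that extra "token" key as unpermitted.

```ruby
# Added illustration, not the gem's or Rails' own code: a minimal stand-in for
# how ActionController::ParamsWrapper produces "token" => {} from a JSON body,
# and why strong parameters then log it as an unpermitted parameter.
require 'json'

# Constructed stand-in for the gem's Token model column names; the wrapper only
# copies body keys that appear in this list.
TOKEN_ATTRIBUTE_NAMES = %w[id resource_owner_id access_token refresh_token expires_in].freeze

# Derive the wrapper key the way Rails does: drop "Controller", singularize,
# underscore.  (Rails uses ActiveSupport inflections; this handles the simple
# trailing-"s" case, which is all TokensController needs.)
def wrapper_key(controller_name)
  base = controller_name.split('::').last.sub(/Controller\z/, '')
  base.sub(/s\z/, '').gsub(/([a-z])([A-Z])/, '\1_\2').downcase
end

# Simulate wrap_parameters for a JSON request.  With wrapping on, the body keys
# that match the model's attribute names are nested under the wrapper key and
# merged back into params; email/password match nothing, so the hash is empty.
def wrap_params(body_json, controller_name, wrap: true, attribute_names: TOKEN_ATTRIBUTE_NAMES)
  params = JSON.parse(body_json)
  return params unless wrap

  params.merge(wrapper_key(controller_name) => params.slice(*attribute_names))
end

# Simulate ActionController::Parameters#permit: return the permitted subset and
# the keys Rails would report as "Unpermitted parameter".
def permit(params, allowed)
  allowed = allowed.map(&:to_s)
  permitted = params.select { |k, _| allowed.include?(k) }
  unpermitted = params.keys - allowed
  [permitted, unpermitted]
end

SIGN_IN_BODY = '{ "email": "user1@example.com", "password": "123456" }' # constructed request body

if __FILE__ == $PROGRAM_NAME
  wrapped = wrap_params(SIGN_IN_BODY, 'Devise::Api::TokensController')
  p wrapped
  _, unpermitted = permit(wrapped, %i[email password])
  puts "Unpermitted parameter: :#{unpermitted.first}" unless unpermitted.empty?

  # Same body with wrap_parameters false: no "token" key, nothing unpermitted.
  unwrapped = wrap_params(SIGN_IN_BODY, 'Devise::Api::TokensController', wrap: false)
  _, unpermitted = permit(unwrapped, %i[email password])
  puts "wrap_parameters false -> unpermitted: #{unpermitted.inspect}"
end
```

The noise matters beyond log clutter: an application configured with action_on_unpermitted_parameters set to :raise would reject these requests outright, which is why a controller-scoped wrap_parameters false, as the thread asks for, is the cleaner fix than disabling wrapping application-wide.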
mattschwartznomad commented 5 months ago

Has anyone found a solution to this that is less application-wide than the one above? This is still a problem.

k-p-jones commented 2 months ago

PR open with a fix for the above issue.

nejdetkadir commented 2 months ago

Completed with #42. Thank you @k-p-jones.