401 unauthorized

[milesmatthias]

I'm not using Angular.js, so the demo code isn't very helpful. On a very basic level, the idea is to post an email and password to sign_in and then send the access-token, uid, and client along with each successive call, right? Well I'm able to authenticate successfully, but when I make another call to a sample endpoint that uses before_filter :authenticate_user! , I always get a 401 unauthorized.

Here's my test code:

    jQuery.post("/api/v1/auth/sign_in", {
      email   : 'xxx',
      password: 'xxx'
    }, function(response, textStatus, xhr){
      sessionStorage.setItem("uid", xhr.getResponseHeader("uid"));
      sessionStorage.setItem("client", xhr.getResponseHeader("client"));
      sessionStorage.setItem("access-token", xhr.getResponseHeader("access-token"));

      jQuery.post("/api/v1/projects", {
        "uid"         : sessionStorage.getItem("uid"),
        "access-token": sessionStorage.getItem("access-token"),
        "client"      : sessionStorage.getItem("client")
      },function(response, textStatus, xhr) {
        debugger
      });
    });

api/projects_controller.rb:

class Api::ProjectsController < ApplicationController
  protect_from_forgery with: :null_session
  include DeviseTokenAuth::Concerns::SetUserByToken
  respond_to :json
  before_filter :authenticate_user!

  def index
    render json: {
      data: {
        message: "Welcome #{current_user.email}",
        user: current_user
      }
    }, status: 200
  end
end

I narrowed it down to valid_token? (https://github.com/lynndylanhurley/devise_token_auth/blob/master/app/controllers/devise_token_auth/concerns/set_user_by_token.rb#L40) always returning false, even though that user has several tokens.

What am I missing here? Thanks!

[lynndylanhurley]

Hi @milesmatthias - here are a few things to check:

• Are you sure that the user value on this line is correct?
• It looks like you're sending the auth data via POST, and index actions are usually GET. Is there maybe an issue with the routes?
• It looks like you're sending the auth credentials via the post body. Can you try setting them as request headers instead?

Also, I'll be releasing a jQuery version of ng-token-auth tomorrow or Friday. I'm not sure if you can wait until then, but that might be easier than building everything out from scratch.

[milesmatthias]

thanks for the response @lynndylanhurley.

I commented out the before_filter :authenticate_user! line and put a pry in my index method to verify a couple of things:

• The routes are correct
• The params are correct

also, the following works inside my pry:

[3] pry(#<Api::ProjectsController>)> user = User.find_by_uid(params["uid"])
=> (returns correct user object here...)
[4] pry(#<Api::ProjectsController>)> user.valid_token?(params["access-token"], params["client"])
=> true

and yet when I undo my above changes and run it like normally, I get:

Started POST "/api/v1/projects" for 127.0.0.1 at 2015-03-18 13:39:02 -0600
Processing by Api::ProjectsController#index as */*
  Parameters: {"uid"=>"4", "access-token"=>"xxxx", "client"=>"xxxx"}
Filter chain halted as :authenticate_user! rendered or redirected
Completed 401 Unauthorized in 1ms (Views: 0.2ms | ActiveRecord: 0.0ms)

So why is authenticate_user! failing? Maybe it's because I'm also running devise side by side? I thought by including DeviseTokenAuth::Concerns::SetUserByToken that I would be calling the correct authenticate_user!, but maybe I'm not?

[milesmatthias]

@lynndylanhurley any tips on this?

[lynndylanhurley]

@milesmatthias - have you tried sending the auth credentials as headers instead of post-body params?

Or can you at least check to see if there are any conflicting headers being sent? It will try to use the headers first, then the params if the headers aren't found.

Also, I finished the jQuery plugin today. I'll release it tomorrow as soon as I finish the demo site and documentation.

[milesmatthias]

@lynndylanhurley I just tried that and it's still not working.

[lynndylanhurley]

@milesmatthias - I've finished the jQuery version of ng-token-auth, but I haven't set the repo to public yet. Would you like to try it out? I can give you access to the repo if you like.

[milesmatthias]

@lynndylanhurley Sure, that would be cool.

[lynndylanhurley]

Alright I just pushed everything live:

https://github.com/lynndylanhurley/j-toker

To install:

# using bower:
bower install j-toker --save

# using npm:
npm install j-toker --save

[c0mrade]

@lynndylanhurley very creative 'MOTD' as usual :)

[milesmatthias]

Cool, thanks @lynndylanhurley. I'll check it out!

[milesmatthias]

@lynndylanhurley I tried your plugin and I'm getting the same results. I'm able to authenticate, but successive requests to any custom API endpoints fail. Here's a screenshot of the request headers sent to my /api/v1/projects endpoint:

https://s3.amazonaws.com/screenshots.equityeats.com/qerZy.png

[nicolas-besnard]

Your UID is null. Should be your email.

[milesmatthias]

I saw that too @nicolas-besnard. I think that means the j-token plugin has an issue in it?

[milesmatthias]

I updated the devise_token_auth gem from 0.1.29 to 0.1.30 and this is working now with the jQuery j-token plugin.