Unpermitted parameter errors #432

Closed
CharlesJQuarra opened this issue Nov 3, 2015 · 5 comments

@CharlesJQuarra

Hi,

I am using devise-token-auth gem on Rails 4.2, and I've added a field nickname to the User model. I am trying to implement this via an override of the gem controller placed at app/controllers/users/registration_controller.rb

class Users::RegistrationsController < DeviseTokenAuth::RegistrationsController

  before_filter :configure_permitted_parameters

  def update
    Rails.logger.info "in Users::RegistrationsController.rb update!"
    super
  end

  protected

  # my custom fields are :name, :heard_how
  def configure_permitted_parameters
    binding.pry
    devise_parameter_sanitizer.for(:sign_up) do |u|
      binding.pry
      u.permit(:name, :nickname,
        :email, :password, :password_confirmation)
    end
    devise_parameter_sanitizer.for(:account_update) do |u|
      binding.pry
      Rails.logger.info "in Users::RegistrationsController.rb configure_permitted_parameters!"
      u.permit(:name,
        :email, :password, :password_confirmation, :nickname)
    end
  end
end

The routes are configured like this:

Rails.application.routes.draw do
  namespace :api, constraints: { format: 'json' } do
    mount_devise_token_auth_for 'User', at: 'auth', controllers: {
      registrations: 'users/registrations'
    }
  end
end

and they seem right:

PATCH  /api/auth(.:format)                    users/registrations#update {:format=>"json"}
PUT    /api/auth(.:format)                    users/registrations#update {:format=>"json"}

When I hit a sign_in request

Then I try to place the update request via curl:

curl -X PUT --dump-header headers_update -H "Access-Token: 2FHhLQFtIgDfSqsTaaCH_g" -H "Uid: [email protected]" -H "Client: -RUtwnCfgqvqwDjYPtajQA" -H "Token-Type: Bearer" -H "Expiry: 1447713314" http://api.local.dev:3000/api/auth -d "{ \"nickname\":\"somestuff\"}"

But the update call never gets to run. This is what the server shows after the request:

I, [2015-11-02T18:05:38.131091 #7940]  INFO -- : Started PUT "/api/auth" for 127.0.0.1 at 2015-11-02 18:05:38 -0500
I, [2015-11-02T18:05:38.131222 #7940]  INFO -- : Started PUT "/api/auth" for 127.0.0.1 at 2015-11-02 18:05:38 -0500
I, [2015-11-02T18:05:38.147209 #7940]  INFO -- : Processing by Users::RegistrationsController#update as */*
I, [2015-11-02T18:05:38.147383 #7940]  INFO -- : Processing by Users::RegistrationsController#update as */*
I, [2015-11-02T18:05:38.147490 #7940]  INFO -- :   Parameters: {"{ \"nickname\":\"somestuff\"}"=>nil}
I, [2015-11-02T18:05:38.147571 #7940]  INFO -- :   Parameters: {"{ \"nickname\":\"somestuff\"}"=>nil}
D, [2015-11-02T18:05:38.152778 #7940] DEBUG -- :   User Load (0.7ms)  SELECT  "users".* FROM "users" WHERE "users"."uid" = $1 LIMIT 1  [["uid", "[email protected]"]]
D, [2015-11-02T18:05:38.152934 #7940] DEBUG -- :   User Load (0.7ms)  SELECT  "users".* FROM "users" WHERE "users"."uid" = $1 LIMIT 1  [["uid", "[email protected]"]]
D, [2015-11-02T18:05:38.224790 #7940] DEBUG -- : Unpermitted parameter: { "nickname":"somestuff"}
D, [2015-11-02T18:05:38.225023 #7940] DEBUG -- : Unpermitted parameter: { "nickname":"somestuff"}
I, [2015-11-02T18:05:38.237415 #7940]  INFO -- : Filter chain halted as :validate_account_update_params rendered or redirected
I, [2015-11-02T18:05:38.237565 #7940]  INFO -- : Filter chain halted as :validate_account_update_params rendered or redirected
I, [2015-11-02T18:05:38.237741 #7940]  INFO -- : Completed 422 Unprocessable Entity in 90ms (Views: 0.3ms | ActiveRecord: 0.7ms)
I, [2015-11-02T18:05:38.237860 #7940]  INFO -- : Completed 422 Unprocessable Entity in 90ms (Views: 0.3ms | ActiveRecord: 0.7ms)

And the JSON reply to curl is:

{"status":"error","errors":["Please submit proper account update data in request"]}

Just to troubleshoot the issue, I added the strong parameter sanitizers to the Application Controller as well:

class ApplicationController < ActionController::API

    before_filter :configure_permitted_parameters, if: :devise_controller?

    protected

    def configure_permitted_parameters
      binding.pry
      Rails.logger.info "in ApplicationController.rb configure_permitted_parameters!"
      devise_parameter_sanitizer.for(:account_update) { |u| u.permit(:email, :password, :password_confirmation, :nickname) } 
    end

    rescue_from Exception do |e|
        render json: e.to_json, status: 500
    end
end

But the binding.pry inside configure_permitted_parameters does not stop execution during the update request, which makes me presume that the issue is that the routes look right, but they really aren't.

For reference, here is my Gemfile

source 'https://rubygems.org'


gem 'rails', '4.2.1'

gem 'rails-api'

gem 'pg'
gem 'activerecord-postgis-adapter'
gem 'rgeo'
gem 'devise'
gem 'devise_token_auth', ">= 0.1.32.beta9" # Token based authentication for Rails JSON APIs
gem 'omniauth' # required for devise_token_auth

group :development, :test do
    gem 'pry-byebug', '=1.3.3'
    gem 'pry-stack_explorer'
    gem 'pry-rails'
    gem 'pry-remote'

  # Access an IRB console on exception pages or by using <%= console %> in views
  gem 'web-console', '~> 2.0'

  # Spring speeds up development by keeping your application running in the background. Read more: https://github.com/rails/spring
  gem 'spring'

  gem "rspec-rails", "~> 3.3"
end

group :test do

  #gem "shoulda-matchers"
  gem "factory_girl_rails"
  gem 'ffaker'
end
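
The `Parameters:` line in the log above shows the whole JSON text arriving as a single parameter name with a nil value, which is what a form-encoded parser produces when the request has no `Content-Type: application/json` header (curl's `-d` defaults to `application/x-www-form-urlencoded`). The Ruby below is an added example, not code from the issue or from devise_token_auth; `parse_form`, `parse_body`, `filter_params` and `ALLOWED` are hypothetical stand-ins for the framework's body parsers and allow-list.

```ruby
require 'json'
require 'uri'

# Simplified stand-in for a form-body parser (assumption: flat keys only).
# A pair without "=" becomes a key whose value is nil.
def parse_form(body)
  body.split('&').each_with_object({}) do |pair, out|
    key, sep, val = pair.partition('=')
    out[URI.decode_www_form_component(key)] =
      sep.empty? ? nil : URI.decode_www_form_component(val)
  end
end

# Choose the parser from the Content-Type header.
def parse_body(body, content_type)
  case content_type
  when 'application/json' then JSON.parse(body)
  when 'application/x-www-form-urlencoded' then parse_form(body)
  else {}
  end
end

# Hypothetical allow-list filter in the spirit of strong parameters:
# returns the permitted pairs and the names that were dropped.
def filter_params(params, allowed)
  allowed = allowed.map(&:to_s)
  permitted = params.select { |k, _| allowed.include?(k) }
  [permitted, params.keys - permitted.keys]
end

ALLOWED = %i[name email password password_confirmation nickname].freeze
BODY = '{ "nickname":"somestuff"}' # constructed from the curl -d argument above

# Same body, two Content-Type values: only the JSON one yields a "nickname" key.
FORM_RESULT = filter_params(parse_body(BODY, 'application/x-www-form-urlencoded'), ALLOWED)
JSON_RESULT = filter_params(parse_body(BODY, 'application/json'), ALLOWED)

puts "form: permitted=#{FORM_RESULT[0]} unpermitted=#{FORM_RESULT[1]}"
puts "json: permitted=#{JSON_RESULT[0]} unpermitted=#{JSON_RESULT[1]}"
```

With the form-encoded header the allow-list never sees a `nickname` key, so permitting `:nickname` cannot help until the request is sent with `-H "Content-Type: application/json"`.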
@CharlesJQuarra
Author

Any suggestions about how to debug this beast?

@kiddrew

kiddrew commented Jul 13, 2016

Did you ever find a solution to this? I'm hitting the same error.

@kiddrew

kiddrew commented Jul 14, 2016

I found a solution. The issue for me was that the before_filter calls were happening out of order, so the parent filters were being called before the child. Changing the call fixed it for me.

prepend_before_filter :configure_permitted_parameters
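
The ordering described in the comment above, as an added example that is not part of the thread or the gem: a plain-Ruby model of an inherited filter chain in which a parent validation filter halts the request before an appended child filter can widen the allow-list. `FilterChainBase`, `ParentRegistrations`, `AppendedOverride`, `PrependedOverride` and the default allow-list are hypothetical; only the filter names come from the page.

```ruby
# Model of an inherited before-filter chain (append vs. prepend only).
# Not ActionController itself; class names here are hypothetical.
class FilterChainBase
  def self.filters
    @filters ||= superclass.respond_to?(:filters) ? superclass.filters.dup : []
  end

  def self.before_filter(name)
    filters.push(name) # runs after every filter already registered
  end
  def self.prepend_before_filter(name)
    filters.unshift(name) # runs ahead of the inherited filters
  end

  attr_reader :trace, :permitted
  def initialize
    @trace = []
    @permitted = %i[email password password_confirmation] # assumed defaults
  end

  # Run filters in order; a filter returning :halt ends the request.
  def process(params)
    self.class.filters.each do |f|
      @trace << f
      return 422 if send(f, params) == :halt
    end
    200
  end
end

# Stand-in for the gem's controller, which validates params before update.
class ParentRegistrations < FilterChainBase
  before_filter :validate_account_update_params

  def validate_account_update_params(params)
    :halt if params.keys.none? { |k| permitted.include?(k) }
  end

  # Shared by both overrides below to keep the model short.
  def configure_permitted_parameters(_params)
    permitted.push(:nickname)
  end
end

class AppendedOverride < ParentRegistrations
  before_filter :configure_permitted_parameters
end
class PrependedOverride < ParentRegistrations
  prepend_before_filter :configure_permitted_parameters
end
```

Calling `process({ nickname: 'somestuff' })` returns 422 on `AppendedOverride` with only the validation filter in `trace`, and 200 on `PrependedOverride` with the configure filter first.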

@zachfeldman
Contributor

Sounds like we have an accepted solution here, closing for now.

@mohd-anas-ansari

mohd-anas-ansari commented Aug 11, 2022

prepend_before_filter :configure_permitted_parameters

Note: It's prepend_before_action :configure_permitted_parameters now.
