
"Unpermitted parameter: session" issues when action_controller.action_on_unpermitted_parameters is :raise #676

Closed
posiczko opened this issue Jul 11, 2016 · 7 comments

Comments

@posiczko

Hello,

Just started using devise_token_auth. Thank you for creating it.

The issue I ran into was that with a vanilla rails (4.2.6) app with:

  • routes configured as:

      mount_devise_token_auth_for 'User', at: 'auth'

  • user model with:

      # Include default devise modules.
      devise :database_authenticatable, :registerable,
             :recoverable, :rememberable, :trackable, :validatable,
             :omniauthable
      include DeviseTokenAuth::Concerns::User

  • application controller with:

      protect_from_forgery with: :null_session, only: Proc.new { |c| c.request.format.json? }

      include DeviseTokenAuth::Concerns::SetUserByToken

The app would crash if the environment file had action pack configured to raise an exception due to unpermitted params:

  config.action_controller.action_on_unpermitted_parameters = :raise

curl -v -X POST -H "Content-type: application/json" \
  127.0.0.1:3000/auth/sign_in -d '{"email": "[email protected]", "password": "fluffybunny"}'

The log in this case shows:

Started POST "/auth/sign_in" for 127.0.0.1 at 2016-07-11 17:41:27 -0600
  ActiveRecord::SchemaMigration Load (0.1ms)  SELECT "schema_migrations".* FROM "schema_migrations"
Processing by DeviseTokenAuth::SessionsController#create as JSON
  Parameters: {"email"=>"[email protected]", "password"=>"[FILTERED]", "session"=>{"email"=>"[email protected]", "password"=>"[FILTERED]"}}
Completed 500 Internal Server Error in 12ms (ActiveRecord: 0.0ms)

ActionController::UnpermittedParameters (found unpermitted parameter: session):
  actionpack (4.2.6) lib/action_controller/metal/strong_parameters.rb:497:in `unpermitted_parameters!'
  actionpack (4.2.6) lib/action_controller/metal/strong_parameters.rb:339:in `permit'
  devise_token_auth (0.1.38) app/controllers/devise_token_auth/sessions_controller.rb:144:in `resource_params'
  devise_token_auth (0.1.38) app/controllers/devise_token_auth/sessions_controller.rb:13:in `create'

When the action_on_unpermitted_parameters setting was omitted, everything works and I see:

Started POST "/auth/sign_in" for 127.0.0.1 at 2016-07-11 17:47:27 -0600
  ActiveRecord::SchemaMigration Load (0.1ms)  SELECT "schema_migrations".* FROM "schema_migrations"
Processing by DeviseTokenAuth::SessionsController#create as JSON
  Parameters: {"email"=>"[email protected]", "password"=>"[FILTERED]", "session"=>{"email"=>"[email protected]", "password"=>"[FILTERED]"}}
Unpermitted parameter: session
Unpermitted parameter: session
  User Load (0.1ms)  SELECT  "users".* FROM "users" WHERE (email = '[email protected]' AND provider='email')  ORDER BY "users"."id" ASC LIMIT 1
[...]

Haven't had a chance to offer a solution yet. 8-)

@KjellMorgenstern

Rails can transform parameters depending on the request format.
It will transform {email: "hello", password: "secret"} to
{email: "hello", password: "secret", session: {email: "hello", password: "secret"}}
where "session" is derived from the controller name.

This is done by, and can be configured with ParamsWrapper
http://api.rubyonrails.org/classes/ActionController/ParamsWrapper.html
As I understand the doc, it is also possible to configure this for individual controllers or even parameters.

In my config/initializers/wrap_parameters I changed
wrap_parameters format: [:json]
to

ActiveSupport.on_load(:action_controller) do
  wrap_parameters format: []
end

I think this is not a devise_token_auth issue. But since devise token auth does not expect the wrapping, maybe it would help people avoid running into this by setting it explicitly, by adding something like (not tested)

class SessionsController < ApplicationController
  wrap_parameters format: []
end

@CJYate

CJYate commented Jan 9, 2017

@KjellMorgenstern I like this workaround. Thanks

@stephanebruckert

stephanebruckert commented May 24, 2017

I believe this can be closed. This is one final solution:

# config/routes.rb
Rails.application.routes.draw do
  # Token auth routes available at /api/v1/auth
  namespace :api do
    scope :v1 do
      mount_devise_token_auth_for "User", at: "auth",
        controllers: {
          sessions: 'api/v1/devise_token_auth/sessions'
        }
    end
  end
end

# app/controllers/api/v1/devise_token_auth/sessions_controller.rb
module Api
  module V1
    module DeviseTokenAuth
      class SessionsController < ::DeviseTokenAuth::SessionsController
        # Prevent session parameter from being passed
        # Unpermitted parameter: session
        wrap_parameters format: []
      end
    end
  end
end

Result:

Parameters: {"password"=>"[FILTERED]", "email"=>"[email protected]"}
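As an added illustration (not code from this issue, from Rails, or from devise_token_auth), the following pure-Ruby script models the two behaviours KjellMorgenstern describes above and that stephanebruckert's subclass fixes: ParamsWrapper nesting a JSON body under a key derived from the controller name, and strong parameters either logging or raising on the leftover `session` key depending on `action_on_unpermitted_parameters`. The function names (`wrap_params`, `permit`, `sign_in_params`, `wrapper_key`), the `UnpermittedParameters` class and the sample credentials are all hypothetical or constructed; the script runs without Rails.

```ruby
# Added example: a small stand-alone model of ActionController::ParamsWrapper
# plus strong parameters' permit, showing why `wrap_parameters format: [:json]`
# combined with `action_on_unpermitted_parameters = :raise` breaks sign-in, and
# why `wrap_parameters format: []` on the sessions controller fixes it.
# All names below are hypothetical; only the observed behaviour is modelled.
require 'json'

class UnpermittedParameters < StandardError; end

# Derives the wrapper key the way ParamsWrapper does by default:
# "SessionsController" -> "sessions" -> singular "session".
def wrapper_key(controller_name)
  base = controller_name.sub(/Controller\z/, '').downcase
  base.end_with?('s') ? base[0..-2] : base # naive singularisation, enough here
end

# Simulates ParamsWrapper: returns the params hash the action would see.
# wrap_formats stands for the controller's `wrap_parameters format: [...]`.
def wrap_params(body_json, controller_name:, format:, wrap_formats:)
  params = JSON.parse(body_json)
  return params unless wrap_formats.include?(format)
  # Wrapping copies the body under the derived key and keeps the top-level keys.
  params.merge(wrapper_key(controller_name) => params.dup)
end

# Simulates strong parameters' permit with the two relevant policies for
# action_on_unpermitted_parameters (:log appends to the log, :raise raises).
def permit(params, allowed, on_unpermitted:, log: [])
  unpermitted = params.keys - allowed
  unless unpermitted.empty?
    msg = "Unpermitted parameter: #{unpermitted.join(', ')}"
    raise UnpermittedParameters, msg if on_unpermitted == :raise
    log << msg
  end
  params.slice(*allowed)
end

# Reproduces the sign-in request from the issue end to end.
def sign_in_params(wrap_formats:, on_unpermitted:, log: [])
  body = '{"email": "user@example.com", "password": "fluffybunny"}' # constructed
  params = wrap_params(body, controller_name: 'SessionsController',
                             format: :json, wrap_formats: wrap_formats)
  permit(params, %w[email password], on_unpermitted: on_unpermitted, log: log)
end

if __FILE__ == $PROGRAM_NAME
  # Default initializer + default (:log) policy: works, but logs the warning.
  log = []
  p sign_in_params(wrap_formats: [:json], on_unpermitted: :log, log: log)
  puts log

  # Default initializer + :raise policy: the 500 from the issue.
  begin
    sign_in_params(wrap_formats: [:json], on_unpermitted: :raise)
  rescue UnpermittedParameters => e
    puts "raised: #{e.message}"
  end

  # Wrapping disabled for this controller: no session key, nothing to reject.
  p sign_in_params(wrap_formats: [], on_unpermitted: :raise)
end
```

The third call is the configuration from the subclass above: with the wrap list empty the `session` key never appears, so the `:raise` policy has nothing to object to and the permitted `email`/`password` pair reaches the action unchanged.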

@zachfeldman

Closed

@artcoder87

not solved for me with wrap_parameters format: [:json]

@sigmabbhushan

Thanks stephanebruckert, it works

@DumasOlivier

thanks @stephanebruckert 🙏 👌
