Rails - Unpermitted parameters #49

Closed
m2omou opened this issue Oct 15, 2014 · 28 comments

@m2omou

m2omou commented Oct 15, 2014

Hi, I'm trying to use ng-token-auth with devise_token_auth gem.

I got a problem when trying to register with AngularJS. I got these two lines:

Unpermitted parameters: confirm_success_url, config_name, registration
Unpermitted parameters: confirm_success_url, config_name, registration

Any idea?

These are the logs:

Started POST "/auth" for 127.0.0.1 at 2014-10-15 14:17:57 +0200
Processing by DeviseTokenAuth::RegistrationsController#create as HTML
Parameters: {"email"=>"[email protected]", "password"=>"[FILTERED]", "password_confirmation"=>"[FILTERED]", "confirm_success_url"=>"http://localhost:3000/", "config_name"=>"default", "registration"=>{"email"=>"[email protected]", "password"=>"[FILTERED]", "password_confirmation"=>"[FILTERED]", "confirm_success_url"=>"http://localhost:3000/", "config_name"=>"default"}}
Unpermitted parameters: confirm_success_url, config_name, registration
Unpermitted parameters: confirm_success_url, config_name, registration
(0.1ms) begin transaction
(0.3ms) SELECT COUNT(*) FROM "users" WHERE "users"."provider" = 'email' AND "users"."email" = '[email protected]'
User Exists (0.3ms) SELECT 1 AS one FROM "users" WHERE LOWER("users"."email") = LOWER('[email protected]') LIMIT 1
(0.1ms) rollback transaction
Completed 403 Forbidden in 309ms (Views: 1.3ms | ActiveRecord: 6.4ms)

Thanks for your work.

@lynndylanhurley
Owner

Hi @m2omou, the "unpermitted parameters" message is expected, and it's harmless. Is everything else working ok?

@m2omou
Author

m2omou commented Oct 15, 2014

Oh ok ! :) No that doesn't work, as you can see in my logs I got a:

rollback transaction
Completed 403 Forbidden

So the registration fails, the user is not created in the database. Any idea?

@m2omou
Author

m2omou commented Oct 15, 2014

Maybe this has something to do with the fact that I recently moved from Rails 3 to Rails 4?

Or maybe the OmniAuth or Devise gem is not well configured?

@m2omou
Author

m2omou commented Oct 15, 2014

Ok found my error ! -_-'

"errors": [
"Missing confirm_success_url param."
]

Because I used the template registration in the doc, and apparently "confirm_success_url" wasn't included.

Got it now, thanks @lynndylanhurley, again great job.

@lynndylanhurley
Owner

@m2omou - cool, I'm glad everything worked out.

The confirm_success_url param should default to the browser's current location - that's strange that it wasn't sent. Can you post the code that you were using for registration?

@m2omou
Author

m2omou commented Oct 17, 2014

This is the registration form that I use, I took it from the doc example. And I'm using chrome.

<form ng-submit="submitRegistration(registrationForm)" role="form" ng-init="registrationForm = {}">
  <div class="form-group">
    <label>email</label>
    <input type="email" name="email" ng-model="registrationForm.email" required="required" class="form-control"/>
  </div>

  <div class="form-group">
    <label>password</label>
    <input type="password" name="password" ng-model="registrationForm.password" required="required" class="form-control"/>
  </div>

  <div class="form-group">
    <label>password confirmation</label>
    <input type="password" name="password_confirmation" ng-model="registrationForm.password_confirmation" required="required" class="form-control"/>
  </div>

  <button type="submit" class="btn btn-primary btn-lg">Register</button>
</form>

@m2omou
Author

m2omou commented Oct 18, 2014

Yes you're right, confirm_success_url is sent by default by the browser. I've done the manipulation again and now it works, weird.. haha

However, when I send the parameter "nickname", the user is created but nickname is null ? Can I modify the controller in order to accept nickname in the registration ?

Unpermitted parameters: confirm_success_url, nickname

@lynndylanhurley
Owner

@m2omou - see the Devise section on strong params. This gem inherits that functionality.

@callmeahab

I'm experiencing the same issue, and haven't been able to resolve it, I'm unclear as to what the solution here is.
I tried configuring ApplicationController to allow these parameters like described in devise docs, but that didn't resolve anything.

@lynndylanhurley
Owner

@milos89 - can you explain your issue exactly? Please include:

  • version of ng token auth module
  • version of devise token auth gem
  • body of the request to API
  • status code of the response from the API
  • body of the response from the API

@callmeahab

Okay. The issue is exactly the same as @m2omou had.

This is server output:

Started POST "/api/auth" for ::1 at 2015-01-13 18:40:01 +0100
Processing by DeviseTokenAuth::RegistrationsController#create as HTML
  Parameters: {"email"=>"[email protected]", "password"=>"[FILTERED]", "password_confirmation"=>"[FILTERED]", "confirm_success_url"=>"http://localhost:3000/#/register", "config_name"=>"default", "registration"=>{"email"=>"[email protected]", "password"=>"[FILTERED]", "password_confirmation"=>"[FILTERED]", "confirm_success_url"=>"http://localhost:3000/#/register", "config_name"=>"default"}}
Can't verify CSRF token authenticity
Unpermitted parameters: confirm_success_url, config_name, registration
Unpermitted parameters: confirm_success_url, config_name, registration
   (0.3ms)  BEGIN
   (0.3ms)  SELECT COUNT(*) FROM "users" WHERE "users"."provider" = $1 AND "users"."email" = $2  [["provider", "email"], ["email", "[email protected]"]]
   (0.3ms)  ROLLBACK
Completed 403 Forbidden in 121ms (Views: 0.4ms | ActiveRecord: 2.8ms)

This is registration form:

  <form ng-submit="registerUser()">
    <div class="form-group col-md-6 col-md-offset-3">
      <label for="keywords" class="sr-only">Email</label>
      <input ng-model="user.email" type="text" autofocus class="form-control" required="required" placeholder="[email protected]">
    </div>
    <div class="form-group col-md-6 col-md-offset-3">
      <label for="keywords" class="sr-only">Password</label>
      <input ng-model="user.password" type="password" class="form-control" required="required" placeholder="Password">
    </div>
    <div class="form-group col-md-6 col-md-offset-3">
      <label for="keywords" class="sr-only">Password Confirmation</label>
      <input ng-model="user.password_confirmation" type="password" class="form-control" required="required" placeholder="Password Confirmation">
    </div>
    <div class="form-group col-md-6 col-md-offset-3 text-center">
      <button type="submit" class="btn btn-primary btn-lg">Register</button>
    </div>
  </form>

I'm using rails 4.2, and newest versions of ng-token-auth, devise-token-auth and angular (just installed them using bower).

Thanks.

@callmeahab

I think I have probably messed up configuration on the server side, but this issue seemed to look the most like mine, and @m2omou seems to have resolved it.

@lynndylanhurley
Owner

This could be the problem: Can't verify CSRF token authenticity

Try setting protect_from_forgery to :null_session, like this:

class ApplicationController < ActionController::Base
  protect_from_forgery with: :null_session
  include DeviseTokenAuth::Concerns::SetUserByToken
  # ...
end

@callmeahab

Didn't work. Don't have time to work this out today, but thanks for the help and the great work you have done on this plugin. Will post here if I resolve my issue.

@lynndylanhurley
Owner

@milos89 - please provide the following:

  • body of the request to API
  • body of the response from the API

These can be found in the network tab of your browser's web inspector.

@callmeahab

Found what was wrong. Turns out my password was too short. I must have missed that in the console.

Sorry for reopening this issue for my stupidity, and thanks a lot.

@vikashvikram

Hi,
I am trying to create(signup) a user from curl by making a post request. I am getting the same error i.e.
"errors": [
"Missing confirm_success_url param."
]

Since I am not using a browser, I don't see how that can be set. Could you please tell me how to signup a user from curl request. Since the front end of my application is not rails, I cannot use views of devise and have to resolve to provide apis for all the user management related requests.

Thanks.

@callmeahab

Did you try passing any value as confirm_success_url?

@jfields

jfields commented Mar 22, 2015

This worked for me:
curl http://localhost:3000/api/v1/auth --data "email=[email protected]&password=testtest&password_confirmation=testtest&confirm_success_url=foo"

@vikashvikram

Thanks guys for the quick response. I tried using confirm_success_url as part of my post request data along with email, password and password_confirmation. Also I added it to devise_parameter_sanitizer for sign up. I got the following error:

Started POST "/auth" for 10.0.2.2 at 2015-03-23 07:11:47 +0000
Cannot render console from 10.0.2.2! Allowed networks: 127.0.0.1, ::1, 127.0.0.0/127.255.255.255
Processing by DeviseTokenAuth::RegistrationsController#create as */*
Parameters: {"email"=>"[email protected]", "password"=>"[FILTERED]", "password_confirmation"=>"[FILTERED]", "confirm_success_url"=>"foo"}
Completed 500 Internal Server Error in 89ms

NameError (undefined local variable or method `confirm_success_url=' for #<User:0x00000002899c00>):

I have tried using curl request format mentioned above by @jfields and postman chrome extension

@vikashvikram

Finally got it working. Here is what I did:

  1. removed confirmable from User model
  2. removed confirm_success_url from deserializer block in application controller.
  3. removed confirm_success_url from post request as well.

It started working.
Thanks @jfields @callmeahab

@boyfunky

Having the same issue here as well, since unpermitted parameters ain't the problem. Can someone help me out with how to solve this?

Started POST "/api/auth" for 127.0.0.1 at 2015-04-14 21:47:05 +0800
Processing by DeviseTokenAuth::RegistrationsController#create as HTML
Parameters: {"email"=>"[email protected]", "password"=>"[FILTERED]", "password_confirmation"=>"[FILTERED]", "confirm_success_url"=>"http://localhost:9006/#/sign_up", "config_name"=>"default", "registration"=>{"email"=>"[email protected]", "password"=>"[FILTERED]", "password_confirmation"=>"[FILTERED]", "confirm_success_url"=>"http://localhost:9006/#/sign_up", "config_name"=>"default"}}
Unpermitted parameters: confirm_success_url, config_name, registration
WARNING: Can't mass-assign protected attributes for User: email, password, password_confirmation

Unpermitted parameters: confirm_success_url, config_name, registration
(0.2ms) BEGIN
(0.4ms) SELECT COUNT(*) FROM users WHERE users.provider = 'email' AND users.email IS NULL
(0.1ms) ROLLBACK
Completed 403 Forbidden in 15ms (Views: 0.8ms | ActiveRecord: 0.7ms)

my routes.rb

namespace :api do
  mount_devise_token_auth_for 'User', at: 'auth'
end

my usersessions.js

$scope.handleRegBtnClick = function() {
  console.log("im here now")
  $auth.submitRegistration($scope.registrationForm).then(function(resp) {
    console.log($scope.registrationForm)
    $auth.submitLogin({
      email: $scope.registrationForm.email,
      password: $scope.registrationForm.password
    });
  });
};

@HayleyCAnderson

@boyfunky
In case you're still working on this, you need to stop passing this piece:
"registration"=>{"email"=>"[email protected]", "password"=>"[FILTERED]", "password_confirmation"=>"[FILTERED]", "confirm_success_url"=>"http://localhost:9006/#/sign_up", "config_name"=>"default"}
And make sure that any passwords you try to pass in are at least 8 characters.

@ericgaut

@vikashvikram
I believe I am having the same issues with creating a user via POST. I also receive the "Missing confirm_success_url param". And when I add "confirm_success_url" to the devise_parameter_sanitizer that error disappears and I get "unknown attribute 'confirm_success_url' for User". So I think I'm at mostly the same place you were at.

I just don't understand how to go about step 2 of your last post listing 3 steps that fixed the problem for you. Could you explain how to go about "2) removed confirm_success_url from deserializer block in application controller"? Do you mean removing it from the devise_parameter_sanitizer?

Thanks.

@ericgaut

Ok. I updated the gem to -

gem "devise_token_auth", ">= 0.1.32.beta9"

and success...

I can get registration working and an email confirmation sent... if in devise_token_auth.rb I set -

   config.default_confirm_success_url = "confirmed"

However - including confirm_success_url as a parameter in the POST throws the same error as always - "unknown attribute 'confirm_success_url'" and a "Completed 500 Internal Server Error" in the development.log.

I guess I will just have to stick to this setup.

nbrustein pushed a commit to nbrustein/ng-token-auth that referenced this issue May 27, 2015
…ck_too_permissive

fix(expiry): fix an issue where token expiration checks were too permissive

@howtwizer

I had the same issue as @ericgaut. After checking this on a clear application (it worked as needed), I understood that the problem was in my application's behavior. In the end the problem was in a custom errors interrupter at the application controller level. It broke standard Rails behavior and caused these errors. It can be something like this:

ActionController::Parameters.action_on_unpermitted_parameters = :raise

# Showing errors about unknown params
rescue_from(ActionController::UnpermittedParameters) do |pme|
  render json: { error: { unknown_parameters: pme.params } },
         status: :bad_request
end

@sarovin

sarovin commented Mar 7, 2016

Hi,
I had the same issue:

Started POST "/auth" for ::1 at 2016-03-07 11:36:24 +0100
Processing by DeviseTokenAuth::RegistrationsController#create as JSON
  Parameters: {"email"=>"[email protected]", "password"=>"[FILTERED]", "password_confirmation"=>"[FILTERED]", "confirm_success_url"=>"http://localhost:3000/"}
Unpermitted parameters: email, confirm_success_url, format
Unpermitted parameters: email, confirm_success_url, format
Unpermitted parameters: email, confirm_success_url, format
   (0.1ms)  begin transaction
   (0.1ms)  SELECT COUNT(*) FROM "users" WHERE "users"."provider" = ? AND "users"."email" IS NULL  [["provider", "email"]]
   (0.1ms)  rollback transaction
Completed 403 Forbidden in 106ms (Views: 2.4ms | ActiveRecord: 0.2ms)

and response JSON:


{
  "status": "error",
  "data": {
    "id": null,
    "provider": "email",
    "uid": "",
    "telephone": null,
    "name": null,
    "image": null,
    "email": null,
    "coins": null,
    "birthday": null,
    "address": null,
    "housenumber": null,
    "zipcode": null,
    "floor": null,
    "city_id": null,
    "created_at": null,
    "updated_at": null
  },
  "errors": {
    "email": [
      "can't be blank",
      "is not an email"
    ],
    "full_messages": [
      "Email can't be blank",
      "Email is not an email"
    ]
  }
}

So, if I want to sign in with something other than their email address????

Thanks

@sarovin

sarovin commented Mar 7, 2016

Sorry,
the problem is ":authentication_keys => [:telephone]" in:

class User < ActiveRecord::Base
  # Include default devise modules.
  devise :database_authenticatable, :registerable,
         :recoverable, :rememberable, :trackable, :validatable,
         :confirmable, :omniauthable, :authentication_keys => [:telephone]
  include DeviseTokenAuth::Concerns::User
end
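
Added example, not part of the thread and not code from Rails, Devise or devise_token_auth: a simplified pure-Ruby model of the strong-parameter filtering behind the "Unpermitted parameters" log lines above. It shows why `nickname` was stored as null until permitted, why `:authentication_keys => [:telephone]` left `email` NULL, and how `action_on_unpermitted_parameters = :raise` turns the logged message into an error. The helper names, the assumed sign-up allow-list and the request body are constructed for illustration.

```ruby
# Simplified model of strong-parameter filtering (constructed for
# illustration; this is not Rails, Devise or devise_token_auth source).
class UnpermittedParameters < StandardError
  attr_reader :params

  def initialize(params)
    @params = params
    super("found unpermitted parameters: #{params.join(', ')}")
  end
end

# Assumed sign-up allow-list: the model's authentication keys, the two
# password fields, and whatever the application permits in addition.
def sign_up_keys(authentication_keys: [:email], extra: [])
  (authentication_keys + %i[password password_confirmation] + extra).map(&:to_s)
end

# Returns [permitted, rejected]. :log drops rejected keys and carries on;
# :raise aborts the request before any attribute reaches the model.
def filter_params(raw, allowed, on_unpermitted: :log)
  rejected = raw.keys - allowed
  raise UnpermittedParameters.new(rejected) if on_unpermitted == :raise && rejected.any?
  [raw.slice(*allowed), rejected]
end

# Constructed request body shaped like the ones logged in this thread.
REQUEST = {
  "email" => "user@example.test",
  "password" => "testtest",
  "password_confirmation" => "testtest",
  "nickname" => "sample",
  "confirm_success_url" => "http://localhost:3000/",
  "config_name" => "default"
}.freeze

def demo
  default, dropped = filter_params(REQUEST, sign_up_keys)
  with_nick, = filter_params(REQUEST, sign_up_keys(extra: [:nickname]))
  by_phone, = filter_params(REQUEST, sign_up_keys(authentication_keys: [:telephone]))
  raised = begin
    filter_params(REQUEST, sign_up_keys, on_unpermitted: :raise)
    nil
  rescue UnpermittedParameters => e
    e.params
  end
  { default: default, dropped: dropped, with_nick: with_nick,
    by_phone: by_phone, raised: raised }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

In the model, dropping an unlisted key is the protection against mass assignment; a missing field in the saved record means the allow-list and the request disagree, which is the first thing to compare when a 403 follows these log lines.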
