设计用户登录为 CSRF 令牌真实性令牌提供身份验证错误 [英] devise user sign_in gives authentication error for CSRF token authenticity token
问题描述
我正在使用 devise
(最新版本 - 3.2.0)和 rails
(最新版本 - 4.0.1)
我正在做简单的身份验证(没有 ajax 或 api)并且收到 CSRF 真实性令牌的错误.检查下面的 POST 请求
在 2013-11-08 19:48:49 +0530 开始 POST "/users/sign_in" for 127.0.0.1由 Devise::SessionsController#create as HTML 处理参数:{"utf8"=>"✓",authenticity_token"=>SJnGhXXUXjncnPhCdg3muV2GYCA8CX2LVFV78pqddD4=",用户"=>{"email"=>"a@a.com", "password"=>"[过滤]", "remember_me"=>"0"},提交"=>登录"}无法验证 CSRF 令牌的真实性用户负载 (0.4ms) SELECT "users".* FROM "users" WHERE "users"."email" ='a@a.com' 限制 1(0.1ms) 开始事务SQL (0.4ms) UPDATE "users" SET "last_sign_in_at" = ?, "current_sign_in_at" = ?,sign_in_count" = ?, updated_at" = ?WHERE "users"."id" = 2 [["last_sign_in_at", Fri,2013 年 11 月 8 日 14:13:56 UTC +00:00],[current_sign_in_at",2013 年 11 月 8 日星期五 14:18:49 UTC+00:00], ["sign_in_count", 3], ["updated_at",2013 年 11 月 8 日星期五 14:18:49 UTC +00:00]](143.6ms) 提交事务重定向到 http://localhost:3000/完成 302 发现时间为 239 毫秒(活动记录:144.5 毫秒 | 搜索:0.0 毫秒)
根url指向home#new
,就像
class HomeController <应用控制器before_action :authenticate_user!定义索引结尾结尾
登录页面生成的html视图如下:
元标记
<meta content="aV+d7Z55XBJF2VtyL8V3zupR3OwhaQ6UHNtlQLBQf5Y="name="csrf-token"/>
表格
<div><label for="user_email">电子邮件</label><br/><input autofocus="autofocus" id="user_email" name="user[email]" type="email" value=""/>
<div><label for="user_password">密码</label><br/><input id="user_password" name="user[password]" type="password"/></div><div><input name="user[remember_me]" type="hidden" value="0"/><input id="user_remember_me" name="user[remember_me]" type="checkbox" value="1"/><label for="user_remember_me">记住我</label></div><div><input name="commit" type="submit" value="Sign in"/></div></表单>
身份验证请求甚至更新了 last_sign_in_at
和 sign_in_count
值,但是当我尝试访问控制器中的 current_user
时,它变成了 无
.
据我所知,它实际上并没有登录 user
.但随之而来的问题是为什么要更新 user
表中的 last_sign_in_at
/sign_in_count
值?"
devise gem 没有问题.我删除了rails-api" gem,我的应用开始工作.
I am using devise
(latest version - 3.2.0) with rails
(latest version - 4.0.1)
I'm doing simple authentication (without ajax or api) and getting an error for CSRF authenticity token. Check the POST request below
started POST "/users/sign_in" for 127.0.0.1 at 2013-11-08 19:48:49 +0530
Processing by Devise::SessionsController#create as HTML
Parameters: {"utf8"=>"✓",
"authenticity_token"=>"SJnGhXXUXjncnPhCdg3muV2GYCA8CX2LVFV78pqddD4=", "user"=>
{"email"=>"a@a.com", "password"=>"[FILTERED]", "remember_me"=>"0"},
"commit"=>"Sign in"}
Can't verify CSRF token authenticity
User Load (0.4ms) SELECT "users".* FROM "users" WHERE "users"."email" =
'a@a.com' LIMIT 1
(0.1ms) begin transaction
SQL (0.4ms) UPDATE "users" SET "last_sign_in_at" = ?, "current_sign_in_at" = ?,
"sign_in_count" = ?, "updated_at" = ? WHERE "users"."id" = 2 [["last_sign_in_at", Fri,
08 Nov 2013 14:13:56 UTC +00:00], ["current_sign_in_at", Fri, 08 Nov 2013 14:18:49 UTC
+00:00], ["sign_in_count", 3], ["updated_at", Fri, 08 Nov 2013 14:18:49 UTC +00:00]]
(143.6ms) commit transaction
Redirected to http://localhost:3000/
Completed 302 Found in 239ms (ActiveRecord: 144.5ms | Search: 0.0ms)
The root url points to home#new
, which is like
class HomeController < ApplicationController
before_action :authenticate_user!
def index
end
end
Sign_in page generated html view is like:
meta tags
<meta content="authenticity_token" name="csrf-param" /> <meta content="aV+d7Z55XBJF2VtyL8V3zupR3OwhaQ6UHNtlQLBQf5Y=" name="csrf-token" />
form
<form accept-charset="UTF-8" action="/users/sign_in" class="new_user" id="new_user" method="post"> <div style="margin:0;padding:0;display:inline"> <input name="utf8" type="hidden" value="✓" /> <input name="authenticity_token" type="hidden value="aV+d7Z55XBJF2VtyL8V3zupR3OwhaQ6UHNtlQLBQf5Y=" /> </div> <div><label for="user_email">Email</label><br /> <input autofocus="autofocus" id="user_email" name="user[email]" type="email" value="" /> </div> <div><label for="user_password">Password</label><br /> <input id="user_password" name="user[password]" type="password" /></div> <div><input name="user[remember_me]" type="hidden" value="0" /> <input id="user_remember_me" name="user[remember_me]" type="checkbox" value="1" /> <label for="user_remember_me">Remember me</label></div> <div><input name="commit" type="submit" value="Sign in" /></div> </form>
The authentication request even updates the last_sign_in_at
and sign_in_count
values, but when I try to access current_user
in controller it comes as nil
.
According to me it is not actually signing in user
. But then question comes "why it is updating last_sign_in_at
/sign_in_count
value in the user
table ?"
There was no problem with devise gem . I removed 'rails-api' gem and my app started working.
这篇关于设计用户登录为 CSRF 令牌真实性令牌提供身份验证错误的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!