uninitialized constant Devise::Models::TokenAuthenticatable #2739

Closed
maurovz opened this issue Nov 12, 2013 · 14 comments

Comments

@maurovz maurovz commented Nov 12, 2013

I have devise on my app and it works fine locally. When I try to deploy it to my server from github, I get the following error: "uninitialized constant Devise::Models::TokenAuthenticatable"

I haven't been able to find any documentation on how to fix it. Any ideas?

Contributor

@latortuga latortuga commented Nov 12, 2013

TokenAuthenticatable has been removed from Devise so if you are using it in your application, you'll need to remove it or patch in a custom implementation. If it works locally it likely means an old gem is being loaded - make sure your gems do not include an old version of devise and that your Gemfile is specifying the version you want to be using.

@josevalim josevalim closed this Nov 12, 2013

@cheshire137 cheshire137 commented Dec 17, 2013

All the examples in the readme for doing token authentication refer to using TokenAuthenticatable, e.g., this gist. How do we do token authentication without TokenAuthenticatable?

Collaborator

@nashby nashby commented Dec 17, 2013

@moneypenny I think you wanted to say in wiki not in readme. The wiki is maintained by the community. So if there aren't any up to date instructions, we recommend you to explore the solution yourself and hopefully contribute your findings back!

@cheshire137 cheshire137 commented Dec 17, 2013

Correct! I meant this wiki page.

Contributor

@josevalim josevalim commented Dec 17, 2013

@moneypenny The wiki page mentions it was removed and contains a link to a gist that can be used as starting point!

Collaborator

@nashby nashby commented Dec 17, 2013

@josevalim it was @moneypenny who updated it just now :)

Contributor

@josevalim josevalim commented Dec 18, 2013

Oops, awesome! Thanks @moneypenny !

@vlaguzman vlaguzman commented Jan 8, 2014

Thanks @DBNess for the reference!

@xixilive xixilive commented Mar 6, 2014

I think token-auth is a helpful feature for mobile device login (QR code together), and I can't understand why to remove the feature, for safety reason?

Contributor

@guilhermesimoes guilhermesimoes commented Mar 6, 2014

Yes. See the plataformatec blog post for more info.

@daniel-rikowski daniel-rikowski commented Mar 24, 2014

Is it possible to fix the old TokenAuthenticatable strategy?

I used https://gist.github.com/josevalim/fb706b1e933ef01e4fb6 as a starting point to create my own Warden authentication strategy and the necessary Devise model. It was relatively easy and that got me wondering:

As far as I understand, the key to prevent a timing attack is to use a constant time comparison for the token. In order to do so one must not use the token to perform a database lookup, but find some other means to retrieve a user candidate.

If that is correct, couldn't TokenAuthenticatable be modified to incorporate a second parameter to perform the user lookup? Or is there other code in Devise which runtime (implicitly) depends on the token param?

Contributor

@josevalim josevalim commented Mar 24, 2014

@daniel-rikowski that is just one of the possible solutions. Besides requiring the e-mail, you could for example split the token in two, one which is looked up against the database and the other which you do secure compare against. I think when discussing the issue we had two more other options although I can't recall them exactly.

Not only that, if you consider some people regard that timing attacks are not feasible, we have too many options for solving the same issue, so rolling your own is certainly easier (and easily implementable too).
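Added example, not part of the thread and not Devise's own code: a plain-Ruby sketch of the two mitigations discussed above, looking the candidate up by e-mail and then comparing the token in constant time, and splitting the token into a lookup half and a secret half. The `User` struct, the `UserStore` class, the `token_id.secret` format and storing only a SHA-256 digest of the secret half are assumptions made for illustration.

```ruby
require "digest"
require "securerandom"

# Constant-time comparison: hashing first gives both operands the same
# length, then every byte pair is XORed so the loop never exits early.
def secure_compare(a, b)
  x = Digest::SHA256.digest(a.to_s).bytes
  y = Digest::SHA256.digest(b.to_s).bytes
  x.zip(y).reduce(0) { |acc, (m, n)| acc | (m ^ n) }.zero?
end

# Constructed stand-in for a users table (hypothetical schema).
User = Struct.new(:email, :auth_token, :token_id, :secret_digest)

class UserStore
  def initialize
    @by_email = {}     # plays the role of an index on users.email
    @by_token_id = {}  # plays the role of an index on users.token_id
  end

  # Returns the user and the split token "<token_id>.<secret>".
  def create(email)
    token_id, secret = SecureRandom.hex(8), SecureRandom.hex(16)
    user = User.new(email, SecureRandom.hex(16), token_id, Digest::SHA256.hexdigest(secret))
    @by_email[email] = user
    @by_token_id[token_id] = user
    [user, "#{token_id}.#{secret}"]
  end

  # Option 1: find the candidate by e-mail, never by the token itself.
  def authenticate_with_email(email, token)
    user = @by_email[email]
    expected = user ? user.auth_token : ""
    ok = secure_compare(expected, token) # runs even when no user matched
    user && ok ? user : nil
  end

  # Option 2: only the non-secret half of the token reaches the lookup.
  def authenticate_with_split_token(presented)
    token_id, secret = presented.to_s.split(".", 2)
    user = @by_token_id[token_id]
    expected = user ? user.secret_digest : ""
    ok = secure_compare(expected, Digest::SHA256.hexdigest(secret.to_s))
    user && ok ? user : nil
  end
end
```

In both paths the secret value is never used as a database search key, so the timing of the lookup depends only on the non-secret identifier.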

@paynecodes

This comment has been minimized.

@qpowell qpowell commented Aug 1, 2014

^ that link didn't work for me, but was able to find it here: http://www.soryy.com/blog/2014/apis-with-devise/

xw19 added a commit to xw19/angel_nest that referenced this issue Jul 8, 2019
- Upgrade to rails 4.2
- Upgrade devise
	- remove token authentication as it is not supported by the devise heartcombo/devise#2739
	- Add devise secret token
	- Signout by default now uses delete instead of get so need to change that back to get
- Model level changes
	- Rails update scopes to use lambda expressions
	- Added protected attributes gem
	- Removed attributes accessor
- Controller level changes
	- Added strong parameters in startup
- Config level Changes
	- Added eager load options
	- Rails config file rewrite
	- remove assets groups
	- Set log level to info in production
	- set css and js compressors
	- Added assets precompiler
	- remove assets groups
- Route Changes
	- Lot of conflicting routes are fixed with http verb in front of them
- Views fix
	- Slim fixes at app/views/proposals/_form.html.slim
	- id was missing at app/views/users/_index.html.slim
- Javascript fixes
	- Needed to manually add jquery 1.4
- Hacks
	- Primary key issue https://stackoverflow.com/questions/33742967/primary-key-issue-with-creating-tables-in-rails-using-rake-dbmigrate-command-wi
	- Last comment issue https://stackoverflow.com/questions/35893584/nomethoderror-undefined-method-last-comment-after-upgrading-to-rake-11

- To fix
	- JS works fine on dev not on prod
	- Changes to all controllers to support strong parameters
xw19 added a commit to xw19/angel_nest that referenced this issue Jul 8, 2019
- Upgrade to rails 4.2
- Upgrade devise
	- remove token authentication as it is not supported by the devise heartcombo/devise#2739
	- Add devise secret token
	- Signout by default now uses delete instead of get so need to change that back to get
- Model level changes
	- Rails update scopes to use lambda expressions
	- Added protected attributes gem
	- Removed attributes accessor
- Controller level changes
	- Added strong parameters in startup
- Config level Changes
	- Added eager load options
	- Rails config file rewrite
	- remove assets groups
	- Set log level to info in production
	- set css and js compressors
	- Added assets precompiler
	- remove assets groups
	- require rails all
- Route Changes
	- Lot of conflicting routes are fixed with http verb in front of them
- Views fix
	- Slim fixes at app/views/proposals/_form.html.slim
	- id was missing at app/views/users/_index.html.slim
- Javascript fixes
	- Needed to manually add jquery 1.4
- Hacks
	- Primary key issue https://stackoverflow.com/questions/33742967/primary-key-issue-with-creating-tables-in-rails-using-rake-dbmigrate-command-wi
	- Last comment issue https://stackoverflow.com/questions/35893584/nomethoderror-undefined-method-last-comment-after-upgrading-to-rake-11

- To fix
	- JS works fine on dev not on prod
	- Changes to all controllers to support strong parameters