Unauthorized after sign in for devise 2.1 #2038

danielhum opened this Issue Aug 22, 2012 · 11 comments



When I upgrade to devise 2.1, my app returns 401 Unauthorized after a user has signed in (after sign in, it redirects to a controller with require => authenticate_user). It worked fine in 2.0.

I tried overriding the sessions_controller, and strangely enough if I do
# unsecure example, just for testing

resource = User.find_by_email(params[:user][:email])
sign_in(resource_name, resource)
respond_with resource, :location => after_sign_in_path_for(resource)

This works fine. However,

resource = warden.authenticate!(auth_options)
puts resource.first_name
sign_in(resource_name, resource)
respond_with resource, :location => after_sign_in_path_for(resource)

does not work. I've checked and it's pulling the correct resource (i.e. puts resource.first_name prints the correct name), and it proceeds to redirect to the user_root. The problem is that user_root returns Unauthorized.

Any ideas what might be going wrong?


josevalim commented Aug 22, 2012

Can you provide an application that reproduces the problem? From your description, it seems that everything should work fine.

Hm, I can't seem to replicate it in a new app (will keep trying), but I've isolated the problem: it's occurring only when accessed from a mobile (iOS) app.

It works fine when I log in through the web page for /users/sign_in, but if I do a POST from my mobile app the problem happens.

Here's the log for it:

Started POST "/users/sign_in" for at 2012-08-23 13:14:37 +0800
Processing by Devise::SessionsController#create as */*
  Parameters: {"user"=>{"email"=>"test@oneuphero.com", "password"=>"[FILTERED]"}}
WARNING: Can't verify CSRF token authenticity
Redirected to http://localhost:3000/
Completed 302 Found in 104ms (ActiveRecord: 0.0ms)

Started GET "/" for at 2012-08-23 13:14:37 +0800
Processing by HomeController#index as */*
Completed 401 Unauthorized in 0ms

HomeController has before_filter :authenticate_user!

As mentioned, it works fine when using devise 2.0.


josevalim commented Aug 23, 2012

Well, as you can see in the log, we are not able to verify the CSRF token,
so Rails is redirecting. I'm not sure why it worked on previous Devise
versions, because we also had the CSRF check. In any case, it is weird that
you are using sessions controller to do an API sign in, how do you keep
the user authenticated? Do you keep a copy of the returned cookie?

Sent from my iPhone

I'm using the authentication token. If it's because of the CSRF token, is it meant to redirect to the user_root?

In the log I showed it's redirecting to root, but that's because I temporarily removed the user_root for the example. In the actual case it's redirecting to the user_root, sorry for the confusion.

Also strangely now that you've mentioned it, protect_from_forgery is in my application controller yet I've never had issues with it.

EDIT: OK, you're right, I tested disabling protect_from_forgery and it works. Strange that it was OK in devise 2.0.


josevalim commented Aug 23, 2012

We have improved the CSRF checks for Devise 2.1. Anyway, if you are using
the token, there is no need at all to use sessions controller. Can you
access other endpoints?

Sent from my iPhone

@josevalim josevalim closed this Aug 30, 2012
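
The log reading done in the comments above, as an added example that is not part of the original thread or of Devise's code: a Ruby script that groups Rails log lines by request and flags a request that failed the CSRF check and was immediately followed by a 401. The `Request` struct, the function names and the sample log are constructed for illustration, and the script assumes requests are not interleaved in the log.

```ruby
# Added example: find the pattern from this thread in a Rails log, i.e. a
# request logged with "Can't verify CSRF token authenticity" followed by a 401.

# Constructed sample log, modelled on the one posted above (IP is a placeholder).
SAMPLE_LOG = <<~LOG
  Started POST "/users/sign_in" for 127.0.0.1 at 2012-08-23 13:14:37 +0800
  Processing by Devise::SessionsController#create as */*
  WARNING: Can't verify CSRF token authenticity
  Redirected to http://localhost:3000/
  Completed 302 Found in 104ms (ActiveRecord: 0.0ms)

  Started GET "/" for 127.0.0.1 at 2012-08-23 13:14:37 +0800
  Processing by HomeController#index as */*
  Completed 401 Unauthorized in 0ms

  Started GET "/about" for 127.0.0.1 at 2012-08-23 13:15:02 +0800
  Processing by PagesController#show as HTML
  Completed 200 OK in 12ms
LOG

Request = Struct.new(:verb, :path, :action, :csrf_failed, :status)

# Split the log into one Request per "Started ..." line.
def parse_requests(log)
  requests = []
  log.each_line do |line|
    case line
    when /^Started (\w+) "([^"]+)"/
      requests << Request.new($1, $2, nil, false, nil)
    when /^Processing by (\S+)/
      requests.last.action = $1 if requests.last
    when /Can't verify CSRF token authenticity/
      requests.last.csrf_failed = true if requests.last
    when /^Completed (\d{3})/
      requests.last.status = $1.to_i if requests.last
    end
  end
  requests
end

# Return [unverified, rejected] pairs: a request that failed the CSRF check
# immediately followed by one answered with 401.
def csrf_then_unauthorized(requests)
  requests.each_cons(2).select { |a, b| a.csrf_failed && b.status == 401 }
end

if __FILE__ == $PROGRAM_NAME
  csrf_then_unauthorized(parse_requests(SAMPLE_LOG)).each do |a, b|
    puts "#{a.verb} #{a.path} (#{a.action}) failed CSRF check; #{b.verb} #{b.path} got #{b.status}"
  end
end
```
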

Processing by SessionsController#create as HTML
Parameters: {"oauth_token"=>"Q24JgzSmK1UjQgFx39wBCEcmgD7gX93EPXV6gL1TA", "oauth_verifier"=>"AxH4h5MYWCmNK1MMrKUOytzfVHOWArjAWJE5ONFBxYk", "provider"=>"twitter"}
Completed 401 Unauthorized in 0ms

Problem still exists, any better solution to this problem?

Has there been any progress on this?

samdunne commented Jul 8, 2013


cyrusg commented Feb 14, 2014


ryaz commented Apr 30, 2014

