Devise does not return Bad Request for Unpermitted Parameters

[johnson-yeap]

Hi,

Why does devise not returning 400 Bad Request for unpermitted parameter, but 401 Unauthorized instead.
What's the design paradigm?

Is there a way to customized the return to include Bad Request for Rails strong parameters?

[betesh]

Which controllers are you referring to? ones that inherit from DeviseController? Or ones that require an authenticated user?

[johnson-yeap]

@betesh The one that inherits from DeviseController.

I am trying to build an API for user authentication.

When the API calls contains typo like "passod" instead of "password",
I wish to override Devise behavior to return 401 Bad Request.

[betesh]

What is ActionController::Parameters.action_on_unpermitted_parameters set to for your application?

[tegon]

Hello @johnson-yeap, thanks for your report.
Are you overriding the default sessions controller? If so, can you provide the code here?

[tegon]

I'm closing this issue because it has not had recent activity.
If you're still facing this on the latest version, please open a new one with all the information requested in the template.

Thank you!