Clearance for rails api only app #896

Closed
ibraheemdev opened this issue May 3, 2020 · 2 comments

Comments


ibraheemdev commented May 3, 2020

Is there any configuration for a Rails API-only app, i.e., an app generated with the --api flag?
When I make a POST request to my API-only app, I get the following response:

Started POST "/users" for ::1 at 2020-05-03 16:00:30 -0400
Processing by Clearance::UsersController#create as */*
  Parameters: {"user"=>{"email"=>"example@example.com", "password"=>"[FILTERED]"}}
   (0.0ms)  begin transaction
  User Exists? (0.1ms)  SELECT 1 AS one FROM "users" WHERE "users"."email" = ? LIMIT ?  [["email", "example@example.com"], ["LIMIT", 1]]
  User Create (1.6ms)  INSERT INTO "users" ("created_at", "updated_at", "email", "encrypted_password", "remember_token") VALUES (?, ?, ?, ?, ?)  [["created_at", "2020-05-03 20:00:30.731133"], ["updated_at", "2020-05-03 20:00:30.731133"], ["email", "example@example.com"], ["encrypted_password", "$2a$12$MJPN4rKBlAlecrzb.cK6QendHfBM1koy2xhVCRbMaMh/wAzyHZpIi"], ["remember_token", "617b695d8db3bfaf102c70a695ae83685045caed"]]
   (0.6ms)  commit transaction
Completed 500 Internal Server Error in 298ms (ActiveRecord: 2.3ms | Allocations: 83913)

NameError (undefined local variable or method `form_authenticity_token' for #<Clearance::UsersController:0x00007ff26c2d8d70>):

How can I resolve this issue?

Steps to reproduce:

  1. rails new authtest --api
  2. Install the clearance gem
  3. rails g clearance:install
  4. POST request to '/users' with params:
     {"user"=>{"email"=>"example@example.com", "password"=>"asdf1234"}}

Are there any plans to make a config.api_only = true clearance config option that would render json instead of redirects and flashes and fix some of these csrf issues?

@ballPointPenguin

I'm very curious about this too

@gnfisher
Contributor

Thanks for submitting your issue. Clearance is not really built to support API mode out of the box. It may be possible but will require some amount of configuration on the application side. We don't currently have any plans to offer an API-only configuration option.

You can set Configuration.rotate_csrf_on_sign_in to false to bypass the code that is giving you this particular error:

if signed_in? && Clearance.configuration.rotate_csrf_on_sign_in?
  session.delete(:_csrf_token)
  form_authenticity_token
end

However you may want to take other measures to ensure the security of your end points.
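The application-side configuration the reply alludes to, as an added example rather than code from the issue or from Clearance itself. The error occurs because `ActionController::API` (the base class of an `--api` app's `ApplicationController`) does not include `ActionController::RequestForgeryProtection`, so `form_authenticity_token` is undefined when Clearance tries to rotate the CSRF token after `sign_in`. The example turns that rotation off, tells Clearance not to draw its own routes, and replaces the redirect-and-flash `create` action with one that renders JSON. `Clearance.configure`, `rotate_csrf_on_sign_in`, `routes`, `Clearance.configuration.user_model` and the `sign_in` helper are Clearance's; the file layout, the `UsersController` subclass, its JSON responses and the routes entry are assumptions about the app, not Clearance's API.

```ruby
# config/initializers/clearance.rb
# Added example for the app generated with `rails new authtest --api`.
Clearance.configure do |config|
  # Default is true: after sign_in Clearance deletes session[:_csrf_token]
  # and calls form_authenticity_token, which ActionController::API lacks.
  # Setting it to false skips that code path (and the NameError), but it
  # also means Rails now performs no CSRF token rotation or checking at all
  # for this app; cookie-authenticated state-changing endpoints need another
  # control (see the note below).
  config.rotate_csrf_on_sign_in = false

  # Stop Clearance from mounting its HTML-oriented routes (assumption: the
  # app defines the user and session routes it needs itself).
  config.routes = false
end

# config/routes.rb (assumed; only the sign-up endpoint is shown)
Rails.application.routes.draw do
  resources :users, only: [:create]
end

# app/controllers/users_controller.rb (assumed app code, not Clearance's)
class UsersController < ApplicationController
  # POST /users with {"user"=>{"email"=>..., "password"=>...}}
  def create
    @user = Clearance.configuration.user_model.new(user_params)

    if @user.save
      sign_in @user # Clearance sets its remember_token cookie on the response
      render json: { id: @user.id, email: @user.email }, status: :created
    else
      render json: { errors: @user.errors.full_messages },
             status: :unprocessable_entity
    end
  end

  private

  def user_params
    params.require(:user).permit(:email, :password)
  end
end
```

Note what the first setting gives up: with rotation off and no `RequestForgeryProtection` module, nothing in Rails checks CSRF tokens, yet `sign_in` still authenticates later requests from the `remember_token` cookie that appears in the issue's INSERT statement, so a browser will attach it to cross-site requests. If browsers are among the clients of this API, either include `ActionController::RequestForgeryProtection` in `ApplicationController` and require the token in a header, or authenticate API requests with a bearer token carried in a header instead of relying on the cookie.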
