Problem description
I'm having a ton of issues with Devise, using OmniAuth, to authenticate my Rails app. I relaunch my server and open up a new tab in Incognito mode (so that the cookies are cleared) and load my app. I log in, and then go through to the app.
When I get to a page that calls an authenticated action via AJAX, it asks for a username and password via HTTP Basic Authentication. I've disabled this in my devise.rb.
config.http_authenticatable = false
config.http_authenticatable_on_xhr = false
When I then go back to a previous page, it redirects me to the login page and asks for a login. This also happens when I visit a page that doesn't require authentication and then go back to an authenticated page.
This is getting immensely frustrating. I've unpacked Devise and Warden to my vendor/gems directory so that I can try to debug it, but I honestly can't figure out where to begin. Any help would be hugely appreciated.
Recommended answer
Your AJAX call probably isn't setting the CSRF token. You might need to update your UJS gem (jquery-rails probably) or manually set the X-CSRF-Token HTTP header to the value of the tag. See this question: Devise session immediately expiring on .js call [AJAX]. You can test if this is the problem by disabling CSRF protection temporarily by chucking config.allow_forgery_protection = false in config/application.rb.
If you go the manual route, you should probably grab the value of the 'authenticity_token' meta tag first, and use that as the name of the actual token meta tag, rather than hard coding the reference to 'csrf-token'.
I would recommend updating to Rails 3.0.10 or 3.1 if you can. I was still having problems on 3.0.7.
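The manual route described in the answer, as an added example that is not part of the original question or answer: it reads the `csrf-param` and `csrf-token` meta tags that Rails' `csrf_meta_tags` helper emits and attaches `X-CSRF-Token` only to same-origin requests. The function names, the `app.example.test` host and the sample markup are hypothetical; in a browser the tags would be read with `document.querySelector` instead of parsing a string.

```javascript
// Constructed sample of what csrf_meta_tags renders into <head>; the token is a placeholder.
const SAMPLE_HEAD = `
<head>
  <meta name="csrf-param" content="authenticity_token" />
  <meta name="csrf-token" content="Zm9v+YmFy/A==" />
</head>`;

// Collect the CSRF parameter name and token from the page's meta tags.
function csrfMeta(html) {
  const meta = {};
  for (const [tag] of html.matchAll(/<meta\b[^>]*>/gi)) {
    const name = /\bname="([^"]*)"/i.exec(tag);
    const content = /\bcontent="([^"]*)"/i.exec(tag);
    if (name && content) meta[name[1]] = content[1];
  }
  return { param: meta['csrf-param'], token: meta['csrf-token'] };
}

// Headers to add to an XHR issued from pageUrl to requestUrl.
// The token is attached only when the target is the page's own origin,
// so it is never disclosed to a third-party host.
function csrfHeadersFor(requestUrl, pageUrl, html) {
  const target = new URL(requestUrl, pageUrl);
  const { token } = csrfMeta(html);
  if (!token || target.origin !== new URL(pageUrl).origin) return {};
  return { 'X-CSRF-Token': token, 'X-Requested-With': 'XMLHttpRequest' };
}

// For form-encoded bodies: take the field name from csrf-param rather than
// hard-coding it, and percent-encode the token ('+', '/' and '=' occur in base64).
function csrfFormField(html) {
  const { param, token } = csrfMeta(html);
  if (!param || !token) return '';
  return `${encodeURIComponent(param)}=${encodeURIComponent(token)}`;
}

const page = 'https://app.example.test/dashboard';
console.log(csrfHeadersFor('/items/1', page, SAMPLE_HEAD));
console.log(csrfHeadersFor('https://other.example.test/x', page, SAMPLE_HEAD));
console.log(csrfFormField(SAMPLE_HEAD));
```

When the header is missing or wrong, Rails 3.0.4 and later reset the session rather than raising an error, which matches the logout behaviour described in the question.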