Devise warden 401 Unauthorized when wrong credentials

ndemoreau · Jan 10, 2013 · Viewed 8.2k times

I have a quite standard Devise login procedure with:

View:

resource_name, :url => session_path(resource_name)) do |f| %>
<%= f.input :password, input_html: {class: "span6"} %>

<% if devise_mapping.rememberable? -%>
    <p><%= f.check_box :remember_me %>&nbsp;&nbsp;&nbsp;Remember me</p>
<% end -%>

<input type="hidden" name="after_sign_in_page" value="<%=@after_sign_in_page%>">
<p><%= f.submit "Sign in", class: "btn btn-success" %></p>

And I just created a SessionsController to downcase the email:

class SessionsController < Devise::SessionsController

  def create
    params[:user][:email].downcase!
    super
    logger.debug "Errors: #{resource.errors}"
  end
end

A login with good credentials happens fine.

With wrong credentials, it redirects to the sign-in page with this log:

Started POST "/users/sign_in" for 127.0.0.1 at 2013-01-10 09:59:44 +0100
Processing by SessionsController#create as HTML
  Parameters: {"utf8"=>"✓", "authenticity_token"=>"8eytQkr20JOOOdDvpCWakbmUzNoaHMxK9/BSEVxETik=", "user"=>{"email"=>"[email protected]", "password"=>"[FILTERED]", "remember_me"=>"0"}, "after_sign_in_page"=>"", "commit"=>"Sign in"}
Time zone: (GMT+00:00) UTC, current area: , user to register: , current controller: sessions
Completed 401 Unauthorized in 69ms
Processing by SessionsController#new as HTML
  Parameters: {"utf8"=>"✓", "authenticity_token"=>"8eytQkr20JOOOdDvpCWakbmUzNoaHMxK9/BSEVxETik=", "user"=>{"email"=>"[email protected]", "password"=>"[FILTERED]", "remember_me"=>"0"}, "after_sign_in_page"=>"", "commit"=>"Sign in"}
  Rendered devise/sessions/_new.html.erb (17.8ms)
  Rendered devise/sessions/new.html.erb within layouts/application (19.7ms)
  Rendered layouts/_header.html.erb (66.1ms)
Completed 200 OK in 173ms (Views: 98.3ms | ActiveRecord: 0.9ms)

Apparently the 401 is dropped by Warden but I couldn't figure out why. The user is correctly redirected back to the login page but there is no error message displayed (which is normal as they are wiped out by the redirect).

What am I doing wrong?

Thanks!

EDIT 1:

For now, I found a quick hack. I added this in SessionsController#new:

if params[:user]
  flash[:alert] = "Incorrect login or password"
end

Not very elegant but at least, I have something.

Answer

jassa · Jan 22, 2013

First of all, let me advise you against overriding Devise controllers:

  1. In this case, Devise takes care of transforming the email to lower case for you, so there's really no need to overwrite the create method.
  2. Your app will support Devise updates seamlessly if you stick to the standard.

Also, Devise should set a flash error automatically; make sure you're displaying it in your view.

The status code 401 is just a standard response for unauthorized requests.

401 Unauthorized is similar to 403 Forbidden, but specifically for use when authentication is required and has failed or has not yet been provided.

http://en.wikipedia.org/wiki/List_of_HTTP_status_codes

You should definitely consider dropping your custom controller.

Cheers
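The control flow behind the log in the question, modelled in plain Ruby as an added illustration for this page (not Warden's or Devise's code): the classes are stand-ins for Devise::SessionsController, Warden::Manager and Devise::FailureApp, and the USERS credential store is a constructed sample.

```ruby
# Simplified model of the Warden/Devise control flow behind the log in the
# question. Written for this page as an illustration, not Warden's or Devise's
# code: the classes stand in for Devise::SessionsController, Warden::Manager
# and Devise::FailureApp, and USERS is a constructed sample credential store.
USERS = { "user@example.com" => "correct-horse" }.freeze

class SessionsController
  def initialize(env)
    @params, @flash, @log = env[:params], env[:flash], env[:log]
  end

  def create
    @log << "Processing by SessionsController#create"
    # Devise already lowercases keys listed in case_insensitive_keys (email by
    # default), which is why the custom downcase! in the question is redundant.
    email = @params["email"].to_s.downcase
    unless USERS.key?(email) && USERS[email] == @params["password"]
      # Warden's authenticate! never returns on failure: it throws :warden with
      # the options Devise passed, unwinding out of the action immediately ...
      throw :warden, scope: :user, recall: :new
    end
    # ... so this line, like the logger.debug after super in the question,
    # is only ever reached when the credentials were accepted.
    @log << "signed in #{email}"
    :signed_in
  end

  def new
    @log << "Processing by SessionsController#new"
    # Devise's sessions/new view prints flash[:alert]; a view that omits it
    # shows the blank page the question describes.
    @flash[:alert] ? :new_with_alert : :new_blank
  end
end

# Stand-in for Warden::Manager (catch :warden) plus Devise::FailureApp#recall:
# the failure app re-runs the recalled action inside the same request, which is
# why the log shows SessionsController#new with no new "Started GET" line.
def handle_request(params)
  env = { params: params, flash: {}, log: [] }
  result = catch(:warden) { SessionsController.new(env).create }
  if result.is_a?(Hash)
    env[:log] << "Completed 401 Unauthorized"
    env[:flash][:alert] = "Invalid email or password." # flash.now in Devise
    result = SessionsController.new(env).public_send(result[:recall])
  end
  [result, env[:log]]
end
```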