Ruby on Rails Devise Oauth-facebook OmniAuth::Strategies::OAuth2::CallbackError

ruby-on-rails oauth devise csrf facebook-oauth
selaromi picture selaromi · Jan 24, 2014 · Viewed 7.8k times · Source

Im implementing oauth login with facebook and devise and When returning from accepting the app (the popup) i get the following error:

Could not authenticate you from Facebook because "Csrf detected".

this is the log:

Started GET "/users/auth/facebook/callback" for 127.0.0.1 at 2014-01-23 23:59:58 +0100 ActiveRecord::SchemaMigration Load (0.3ms) SELECT "schema_migrations".* FROM "schema_migrations" (facebook) Callback phase initiated. (facebook) Authentication failure! csrf_detected: OmniAuth::Strategies::OAuth2::CallbackError, csrf_detected | CSRF detected

My user model

class User < ActiveRecord::Base
    devise :token_authenticatable, :database_authenticatable, :registerable,
     :recoverable, :rememberable, :trackable, :validatable, :confirmable,
     :omniauthable, :omniauth_providers => [:facebook]
    before_save :ensure_authentication_token

    has_one :user_settings
    has_many :predictions
    has_many :user_leagues
    has_many :leagues, through: :user_leagues # this wasn't working, solution found: http://stackoverflow.com/questions/1781202/could-not-find-the-association-problem-in-rails

    valid_email_regex = /\A[\w+\-.]+@[a-z\d\-]+(\.[a-z]+)*\.[a-z]+\z/i
     validates :email, format: { with: valid_email_regex }

    validates :firstName, :lastName, :username, presence:true
    acts_as_voter

    def self.find_for_facebook_oauth(auth)
      where(auth.slice(:provider, :uid)).first_or_initialize.tap do |user|
        user.provider = auth.provider
        user.uid = auth.uid
        user.email = auth.info.email
        user.password = Devise.friendly_token[0,20]
        user.firstName = auth.info.name   # assuming the user model has a name
        # user.image = auth.info.image # assuming the user model has an image
        user.save!
      end
    end
end

I have my facebook id and my secret in devise.rb

  require "omniauth-facebook"
  OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE if Rails.env.development?
  config.omniauth :facebook, ENV["APP_ID"], ENV['FACEBOOK_SECRET']

And i'm doing the verification through javascript

jQuery ->
  $('body').prepend('<div id="fb-root"></div>')

  $.ajax
    url: "#{window.location.protocol}//connect.facebook.net/en_US/all.js"
    dataType: 'script'
    cache: true

window.fbAsyncInit = ->
  FB.init(appId: '123512341234', cookie: true)

  $('#sign_in').click (e) ->
    e.preventDefault()
    FB.login (response) ->
      #console.log(response)
      window.location = '/users/auth/facebook/callback' if response.authResponse

  $('#sign_out').click (e) ->
    FB.getLoginStatus (response) ->
      FB.logout() if response.authResponse
    true

and a list of the gems in bundle install 

rake (10.1.1)
i18n (0.6.9)
minitest (4.7.5)
multi_json (1.8.4)
atomic (1.1.14)
thread_safe (0.1.3)
tzinfo (0.3.38)
activesupport (4.0.0)
builder (3.1.4)
erubis (2.7.0)
rack (1.5.2)
rack-test (0.6.2)
actionpack (4.0.0)
mime-types (1.25.1)
polyglot (0.3.3)
treetop (1.4.15)
mail (2.5.4)
actionmailer (4.0.0)
activemodel (4.0.0)
active_model_serializers (0.8.1)
activerecord-deprecated_finders (1.0.3)
arel (4.0.1)
activerecord (4.0.0)
acts_as_votable (0.8.0)
addressable (2.3.5)
bcrypt-ruby (3.1.2)
coderay (1.1.0)
better_errors (1.1.0)
sass (3.2.13)
bootstrap-sass (2.3.2.2)
mini_portile (0.5.2)
nokogiri (1.6.1)
xpath (2.0.0)
capybara (2.1.0)
certified (0.1.1)
ffi (1.9.3)
childprocess (0.4.0)
coffee-script-source (1.6.3)
execjs (2.0.2)
coffee-script (2.2.0)
thor (0.18.1)
railties (4.0.0)
coffee-rails (4.0.1)
diff-lcs (1.2.5)
gherkin (2.12.2)
multi_test (0.0.3)
cucumber (1.3.10)
bundler (1.5.1)
hike (1.2.3)
tilt (1.4.1)
sprockets (2.10.1)
sprockets-rails (2.0.1)
rails (4.0.0)
cucumber-rails (1.4.0)
orm_adapter (0.5.0)
warden (1.2.3)
devise (3.0.4)
launchy (2.4.2)
email_spec (1.5.0)
factory_girl (4.3.0)
factory_girl_rails (4.3.0)
faker (1.2.0)
multipart-post (2.0.0)
faraday (0.9.0)
hashie (2.0.5)
jbuilder (1.0.2)
jquery-rails (3.0.4)
json (1.8.1)
jwt (0.1.11)
multi_xml (0.5.5)
oauth2 (0.9.3)
omniauth (1.2.1)
omniauth-oauth2 (1.1.2)
omniauth-facebook (1.6.0)
pg (0.17.1)
rack-cors (0.2.9)
rails_serve_static_assets (0.0.2)
rails_stdout_logging (0.0.3)
rails_12factor (0.0.2)
rdoc (3.12.2)
rspec-core (2.13.1)
rspec-expectations (2.13.0)
rspec-mocks (2.13.1)
rspec-rails (2.13.1)
rubyzip (0.9.9)
sass-rails (4.0.1)
sdoc (0.3.20)
websocket (1.0.7)
selenium-webdriver (2.35.1)
turbolinks (1.1.1)
uglifier (2.1.1)

Rails 4.0.0

Thanks a lot in advanced!

Answer

selaromi picture selaromi · Jan 24, 2014

I added this to my app_name/config/initializers/devise.rb

{ provider_ignores_state: true }

so it ended up being 

  require "omniauth-facebook"
  config.omniauth :facebook, ENV["FACEBOOK_APP_ID"], ENV['FACEBOOK_SECRET'], provider_ignores_state: true

Hope this helps someone else!

Related questions

where is devise implementation of "authenticate_user!" method?

Where is devise implementation of authenticate_user! method? I have been looking for it and have not found it so far.

Read More
Setup multiple providers with devise :omniauthable

I just got "Devise 1.2 supports integration with OmniAuth tutorial" working but I'd like to setup multiple providers to refer the same user. I'm looking for some good sample code to look at. I'm also not sure "multiple providers" is possible …

Read More
Why is Google Oauth returning `invalid redirect_urI` in my Rails app?

I'm adding Google Oauth2 to a Rails app, but have been unable to get past the early stages. I've set up an app, and defined client ID and secret.But I'm getting Invalid parameter value for redirect_uri: Non-public domains …

Read More