Thursday, March 24, 2016

Unauthorize error on password update Devise


I'm working on a Rails API and using devise_token_auth for the authentication. When I try to update the password by hitting /auth/password with a PUT request, it responds with error 401, i.e. unauthorized. My server logs show me this:

```
Started PUT "/auth/password"
Processing by DeviseTokenAuth::PasswordsController#update as HTML
  Parameters: {"password"=>"[FILTERED]", "password_confirmation"=>"[FILTERED]"}
Can't verify CSRF token authenticity
Completed 401 Unauthorized in
```

routes.rb

```ruby
mount_devise_token_auth_for 'User', at: 'auth', controllers: { omniauth_callbacks: 'omniauth' }
```

view.html (angularjs)

```html
<div class="container">
  <div class="row">
    <div class="row">
      <div class="col-xs-6 col-xs-offset-3 que">
        <img src="./uploads/img/web-logo.png" class="img-responsive" alt="Logo">
      </div>
    </div>
    <div class="col-xs-12 reset-pas">
      <form name="update_pass" ng-submit="updatePassword_controller()" role="form" class="lost_reset_password">
        <p class="error_msg" ng-show="update_pass.password_confirmation.$error.passwordVerify">
          Passwords are not equal!
        </p>
        <label>New password</label>
        <input type="password" name="password" ng-minlength="8" ng-model="updatePasswordForm.password" required="required" class="form-control">
        <span>Minimum 8 Characters</span>
        <br>
        <label>Re-enter new password</label>
        <input type="password" name="password_confirmation" ng-minlength="8" ng-model="updatePasswordForm.password_confirmation" required="required" class="form-control" password-verify="updatePasswordForm.password">
        <button type="submit" class="btn btn-default" id="reset-submit">Save</button>
      </form>
    </div>
  </div>
</div>
```

controller.js

```javascript
$scope.updatePassword_controller = function() {
  // ng-token-auth sends the form fields as a PUT to /auth/password
  $auth.updatePassword($scope.updatePasswordForm)
    .then(function(resp) {
      console.log(resp);
      $location.path('/');
    })
    .catch(function(resp) {
      console.log(resp);
    });
};
```

Update note: I'm facing this issue only for password update.

Update

I installed gem 'angular_rails_csrf'. Now it's giving only the authorization error, not the CSRF attack error.

2 Answers

Answer 1

Use the Rails form_tag or form_for helpers. They will add a hidden field for the XCSRF token:

```erb
<div class="container">
  <div class="row">
    <div class="row">
      <div class="col-xs-6 col-xs-offset-3 que">
        <img src="./uploads/img/web-logo.png" class="img-responsive" alt="Logo">
      </div>
    </div>
    <div class="col-xs-12 reset-pas">
      <%# form_tag emits the hidden authenticity_token field; the block is closed with <% end %>, not </form> %>
      <%= form_tag "#", { "ng-submit" => "updatePassword_controller()", "role" => "form", "class" => "lost_reset_password" } do %>
        <p class="error_msg" ng-show="update_pass.password_confirmation.$error.passwordVerify">
          Passwords are not equal!
        </p>
        <label>New password</label>
        <input type="password" name="password" ng-minlength="8" ng-model="updatePasswordForm.password" required="required" class="form-control">
        <span>Minimum 8 Characters</span>
        <br>
        <label>Re-enter new password</label>
        <input type="password" name="password_confirmation" ng-minlength="8" ng-model="updatePasswordForm.password_confirmation" required="required" class="form-control" password-verify="updatePasswordForm.password">
        <button type="submit" class="btn btn-default" id="reset-submit">Save</button>
      <% end %>
    </div>
  </div>
</div>
```

Answer 2

I simply made a condition in application_controller.rb like below and it worked out. The main idea is simply to override the functionality of Devise.

```ruby
require 'uri'
require 'cgi'

class ApplicationController < ActionController::Base
  before_action :override_password_update

  private

  # Intercepts PUT /auth/password before DeviseTokenAuth::PasswordsController#update
  # runs, takes the e-mail from the "uid" query parameter of the Referer URL,
  # and updates that user's password directly.
  def override_password_update
    return unless params[:controller] == 'devise_token_auth/passwords' && params[:action] == 'update'

    uri          = URI.parse(request.headers.env['HTTP_REFERER'])
    query_params = CGI.parse(uri.query)
    email        = query_params['uid'].first
    user         = User.find_by_email(email)
    user.password              = params[:password]
    user.password_confirmation = params[:password_confirmation]
    if user.save
      render json: { message: 'Password updated successfully', status: 200 }
    else
      render json: { message: 'Password could not be changed, please contact the support team', status: 401 }
    end
  end
end
```

Although it's not the proper solution, I couldn't think of any other one, so please bear with me. In it we're fetching the email from the URL.
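The override above reads the account's e-mail out of the Referer header, which the client sends and can set freely, and it crashes when the Referer is missing, has no query string, or carries no uid. As an added example (not part of either answer), the Ruby below extracts the uid the way the answer does but returns nil for every malformed case, and only treats the Referer-derived uid as usable when it matches the uid header that devise_token_auth itself reads and the access-token and client headers are present; the header names are those devise_token_auth uses, the helper names are assumed, and it does not replace devise_token_auth's own token validation.

```ruby
require 'uri'
require 'cgi'

# Pull the "uid" query parameter (the e-mail devise_token_auth appends to the
# redirect URL after a reset link is followed) out of a Referer header value.
# Returns nil for a missing or unparseable Referer, no query string, no uid,
# or a repeated uid, so the caller can reject the request instead of raising
# (CGI.parse(nil) and user.password= on nil both raise in the answer's code).
def uid_from_referer(referer)
  return nil if referer.nil? || referer.empty?
  uri = URI.parse(referer)
  return nil if uri.query.nil?
  uids = CGI.parse(uri.query)['uid'] # CGI.parse percent-decodes, e.g. %40 -> @
  return nil if uids.empty? || uids.length > 1
  uid = uids.first.strip
  uid.empty? ? nil : uid
rescue URI::InvalidURIError
  nil
end

# The Referer alone must never select the account whose password changes.
# Require that it agrees with the "uid" header devise_token_auth reads and
# that the "access-token" and "client" headers are present; the token itself
# is still verified by devise_token_auth (set_user_by_token), not here.
# Hypothetical helper name; `headers` is a plain Hash standing in for request.headers.
def referer_uid_trusted?(headers)
  uid = uid_from_referer(headers['Referer'])
  return false if uid.nil?
  %w[access-token client uid].all? { |h| !headers[h].to_s.empty? } &&
    headers['uid'].casecmp?(uid)
end
```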
