devise_token_auth: Getting 401 unauthorized on login attempt
Hi everyone,
I set up a new Rails app with the dta gem and the ng-token-auth module, and in my login form, when I try to log in, I get this:
```
Started POST "/api/auth/sign_in" for ::1 at 2015-02-09 08:46:26 -0300
Processing by DeviseTokenAuth::SessionsController#create as HTML
Parameters: {"email"=>"rodrigovieira1994@gmail.com", "password"=>"[FILTERED]", "session"=>{"email"=>"rodrigovieira1994@gmail.com", "password"=>"[FILTERED]"}}
User Load (0.9ms) SELECT "users".* FROM "users" WHERE (uid = 'rodrigovieira1994@gmail.com' AND provider='email') ORDER BY "users"."id" ASC LIMIT 1
Completed 401 Unauthorized in 96ms (Views: 0.2ms | ActiveRecord: 0.9ms)
```
My application_controller.rb looks like this:
```ruby
class ApplicationController < ActionController::Base
  include DeviseTokenAuth::Concerns::SetUserByToken

  # Prevent CSRF attacks by raising an exception.
  # For APIs, you may want to use :null_session instead.
  protect_from_forgery with: :exception

  before_action :configure_permitted_parameters, if: :devise_controller?
  after_filter :set_csrf_cookie_for_ng
  before_filter :clean_parameters

  def set_csrf_cookie_for_ng
    cookies['XSRF-TOKEN'] = form_authenticity_token if protect_against_forgery?
  end

  rescue_from ActiveRecord::RecordNotFound do
    respond_to do |type|
      type.all { render nothing: true, status: 404 }
    end
  end

  protected

  def clean_parameters
    params.delete :session
  end

  def configure_permitted_parameters
    devise_parameter_sanitizer.for(:sign_in) << :session
    devise_parameter_sanitizer.for(:sign_up) << :daily_calories
    devise_parameter_sanitizer.for(:account_update) << :daily_calories
  end

  def verified_request?
    super || valid_authenticity_token?(session, request.headers['X-XSRF-TOKEN'])
  end
end
```
I performed the very same query on the console and an object does exist:

Do you guys know what could be wrong? I put the `clean_parameters` method above so Rails would stop telling me I was trying to push a bad parameter (`session`).
About this issue
- State: closed
- Created 9 years ago
- Comments: 24 (12 by maintainers)
I’m having a 401 when I try to send a password reset by sending a POST to /auth/password, and in the payload I have an email and redirect_url. What could cause this? When requesting a password change, we should not get a 401.
@acmel067 if you haven’t found the answer already, it’s because you need `devise_for :user` outside of `namespace :api, defaults: {format: 'json'} do`
I can imagine a “Troubleshooting 401 Errors” page being helpful. It seems that there are multiple potential causes, some of them non-obvious.