devise_token_auth
Authentication passthru when using with omniauth 2.0.3
Trying to implement omniauth + google_oauth2 into token auth, with no luck. Am I missing any settings required?
Email authentication at POST http://localhost:3000/v1/auth/sign_in works as expected.
I'm concerned about whether we should access the OAuth request phase using the POST method.
Version
- devise_token_auth 1.1.5
- omniauth 2.0.3
- rails 6.1.3
- ruby 3.0.0
Request and response headers
GET request to http://localhost:3000/v1/auth/google_oauth2
results:
Request URL: http://localhost:3000/v1/auth/google_oauth2
Request Method: GET
Status Code: 301 Moved Permanently
Remote Address: [::1]:3000
Referrer Policy: strict-origin-when-cross-origin
After redirect:
Request URL: http://localhost:3000/omniauth/google_oauth2?namespace_name=v1&resource_class=User
Request Method: GET
Status Code: 404 Not Found
Remote Address: [::1]:3000
Referrer Policy: strict-origin-when-cross-origin
With response body being: Not found. Authentication passthru.
Rails Stacktrace
Started GET "/v1/auth/google_oauth2" for ::1 at 2021-02-23 19:33:36 +0900
Started GET "/omniauth/google_oauth2?namespace_name=v1&resource_class=User" for ::1 at 2021-02-23 19:33:36 +0900
Processing by Users::OmniauthCallbacksController#passthru as HTML
Parameters: {"namespace_name"=>"v1", "resource_class"=>"User"}
Rendering text template
Rendered text template (Duration: 0.0ms | Allocations: 2)
Completed 404 Not Found in 1ms (Views: 0.7ms | Allocations: 222)
Environmental Info
Routes
Rails.application.routes.draw do
  devise_for :users, controllers: { omniauth_callbacks: 'users/omniauth_callbacks' }
  namespace :v1 do
    mount_devise_token_auth_for 'User', at: 'auth'
  end
end
Gems
ruby '3.0.0'
gem 'rails', '~> 6.1.0'
gem 'pg', '~> 1.1'
gem 'puma', '~> 5.0'
gem 'jbuilder', '~> 2.7'
gem 'bootsnap', '>= 1.4.4', require: false
gem 'rack-cors'
gem 'devise', git: 'https://github.com/heartcombo/devise.git', branch: 'ca-omniauth-2' # https://github.com/heartcombo/devise/issues/5326
gem 'devise_token_auth'
gem 'omniauth-google-oauth2'
Custom Overrides
class Users::OmniauthCallbacksController < Devise::OmniauthCallbacksController
  def google_oauth2
    @user = User.from_omniauth(request.env['omniauth.auth'])
    if @user.persisted?
      flash[:notice] = I18n.t 'devise.omniauth_callbacks.success', kind: 'Google'
      sign_in_and_redirect @user, event: :authentication
    else
      session['devise.google_data'] = request.env['omniauth.auth'].except('extra') # Removing extra as it can overflow some session stores
      redirect_to new_user_registration_url, alert: @user.errors.full_messages.join("\n")
    end
  end
end
Custom Frontend
Just trying with GUI tools.
Controller
Note that I'm on API mode:
class ApplicationController < ActionController::API
  include DeviseTokenAuth::Concerns::SetUserByToken
end
Model
class User < ApplicationRecord
  include DeviseTokenAuth::Concerns::User
  devise :database_authenticatable, :registerable, :recoverable, :rememberable,
         :validatable, :confirmable, :trackable, :timeoutable,
         :omniauthable, omniauth_providers: %i[google_oauth2]

  def self.from_omniauth(access_token)
    data = access_token.info
    user = User.where(email: data['email']).first
    # Create user if they don't exist
    unless user
      user = User.create(
        name: data['name'],
        email: data['email'],
        password: Devise.friendly_token[0,20]
      )
    end
    user
  end
end
Downgrading OmniAuth from 2.0.3 to 1.9.1 seems to do the trick. However, I don't want to downgrade this gem at the production level for security reasons.
gem 'omniauth', '1.9.1'
I think my issue is related to the fact that OmniAuth now defaults to only POST as the allowed request_phase method. https://github.com/omniauth/omniauth/releases/tag/v2.0.0
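Why the redirected GET in the log above ends in the passthru 404 once the request phase accepts only POST, shown as an added example that is not part of the original issue and not OmniAuth's, Devise's or devise_token_auth's code. It is a simplified Ruby model: `RequestPhaseGate`, `status_for`, the `env` keys and the `idp.example` URL are all assumptions made for illustration.

```ruby
# Simplified model of a method-gated OAuth request phase. This is an
# illustration, not OmniAuth's source; every name here is hypothetical.
class RequestPhaseGate
  def initialize(app, allowed_methods:, path_prefix: '/omniauth')
    @app = app
    @allowed = allowed_methods
    @prefix = path_prefix
  end

  def call(env)
    provider = env['PATH_INFO'][%r{\A#{Regexp.escape(@prefix)}/(\w+)\z}, 1]
    method = env['REQUEST_METHOD'].downcase.to_sym
    # Only an allowed method on the request path starts the provider redirect.
    if provider && @allowed.include?(method)
      return [403, {}, ['invalid authenticity token']] unless csrf_ok?(env)
      return [302, { 'Location' => "https://idp.example/authorize?provider=#{provider}" }, []]
    end
    @app.call(env) # everything else falls through to the app's own routes
  end

  private

  # Stand-in for CSRF validation: in this model GET carries no token and is
  # waved through, so allowing GET means the redirect starts unprotected.
  # (Production code compares tokens in constant time.)
  def csrf_ok?(env)
    return true if env['REQUEST_METHOD'] == 'GET'
    token = env['session.csrf']
    !token.nil? && token == env['form.authenticity_token']
  end
end

# Stand-in for the passthru route that answered in the log above.
PASSTHRU = ->(_env) { [404, {}, ['Not found. Authentication passthru.']] }

# Builds a constructed request to /omniauth/google_oauth2 and returns the status.
def status_for(method, allowed, session: nil, form: nil)
  env = { 'REQUEST_METHOD' => method, 'PATH_INFO' => '/omniauth/google_oauth2',
          'session.csrf' => session, 'form.authenticity_token' => form }
  RequestPhaseGate.new(PASSTHRU, allowed_methods: allowed).call(env).first
end

if __FILE__ == $PROGRAM_NAME
  puts status_for('GET', %i[post])                                # 404
  puts status_for('POST', %i[post], session: 'tok', form: 'tok')  # 302
  puts status_for('POST', %i[post], session: 'tok', form: 'bad')  # 403
  puts status_for('GET', %i[get post])                            # 302
end
```

The last case shows what re-enabling GET would trade away in this model: the redirect to the provider starts with no token check at all.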