Unpermitted parameter :session when signing in using javascript fetch #1361

Closed
aarona opened this issue Nov 23, 2019 · 2 comments

aarona commented Nov 23, 2019

When posting issues, please include the following information to speed up the troubleshooting process:

  • Version: 1.1.3
    I'm using a javascript fetch method to accomplish this (see code below)

  • Request and response headers:
    Response Headers:

Access-Control-Allow-Methods: GET, POST, OPTIONS, DELETE, PUT
Access-Control-Allow-Origin: http://localhost:3000
Access-Control-Expose-Headers: access-token, expiry, token-type, uid, client
Access-Control-Max-Age: 7200
access-token: uB4qS-ZLdHIWn169_OMu3A
Cache-Control: max-age=0, private, must-revalidate
client: uzZh5YeNpNPrYFQZMffnrg
Content-Type: application/json; charset=utf-8
ETag: W/"80dbc878e17bf9c64918b01f9be06a09"
expiry: 1575754256
Referrer-Policy: strict-origin-when-cross-origin
token-type: Bearer
Transfer-Encoding: chunked
uid: [email protected]
Vary: Origin
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-Request-Id: bc0975fc-0dc9-4068-a407-6de2446859a4
X-Runtime: 0.577201
X-XSS-Protection: 1; mode=block

Request Headers:

Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: keep-alive
Content-Length: 70
Content-Type: application/json
Host: localhost:3001
Origin: http://localhost:3000
Referer: http://localhost:3000/sign-in
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.87 Safari/537.36

Request Payload (it's relevant I think):

{email: "[email protected]", password: "123456", foo_bar: "FOO_TEST"}
  • Rails Stacktrace:
Started POST "/auth/sign_in" for ::1 at 2019-11-23 13:39:29 -0800
Processing by DeviseTokenAuth::SessionsController#create as */*
  Parameters: {"email"=>"[email protected]", "password"=>"[FILTERED]", "foo_bar"=>"FOO_TEST", "session"=>{"email"=>"[email protected]", "password"=>"[FILTERED]", "foo_bar"=>"FOO_TEST"}}
Unpermitted parameter: :session
Unpermitted parameter: :session
  User Load (1.8ms)  SELECT "users".* FROM "users" WHERE "users"."email" = $1 AND "users"."provider" = $2 LIMIT $3  [["email", "[email protected]"], ["provider", "email"], ["LIMIT", 1]]
Unpermitted parameter: :session
Unpermitted parameter: :session
   (0.3ms)  BEGIN
  User Update ... (removed for brevity because it's not relevant)
   (0.5ms)  COMMIT
  User Load ...
   (0.2ms)  BEGIN
  User Load ...
  User Update ...
   (1.9ms)  COMMIT
Completed 200 OK in 538ms (Views: 0.3ms | ActiveRecord: 10.2ms | Allocations: 12814)
  • Environmental Info:
    • Routes:
      mount_devise_token_auth_for 'User', at: 'auth'
    • Gems:
      Other than the default gems, this is what's being used:
gem 'devise'
gem 'devise_token_auth'
gem 'rack-cors'
  • Custom Overrides:
    application_controller.rb:
class ApplicationController < ActionController::API
  include DeviseTokenAuth::Concerns::SetUserByToken

  before_action :configure_permitted_parameters, if: :devise_controller?

  protected

  def configure_permitted_parameters
    # I originally was seeing this problem with registering users.
    # I get the same problem as signing in a user except I get
    # "registration" instead of "session".
    devise_parameter_sanitizer.permit(:sign_up, keys: [:name])

    # :foo_bar was a sanity check to see what was causing this problem.
    # Signing in a user creates an extra "session" parameter hash.
    # (see the logs).
    devise_parameter_sanitizer.permit(:sign_in, keys: [:foo_bar])
  end
end
  • Custom Frontend:
    Using a vanilla javascript fetch method:
const onSubmit = (e: React.FormEvent<HTMLFormElement>) => {
  e.preventDefault();
  console.log("Form submitted");

  fetch("http://localhost:3001/auth/sign_in", {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json'
    },
    body: JSON.stringify({
      email,
      password,
      foo_bar: "FOO_TEST"
    })
  })
  .then((response) => {
    for (const pair of response.headers.entries()) {
      console.log(pair[0] + ': ' + pair[1]);
    }
    console.log('RESPONSE HEADERS: ', response.headers);
    return response.json();
  })
  .then((data) => {
    console.log(data);
  })
  .catch((error) => {
    console.error('ERROR: ', error);
  });
}

If you look at the log, you'll see that my payload sends the form data correctly, but I think DTA is adding another set of my parameters under "session". I'm getting the same issue when I go to register a user, but the parameters are under "registration". I'm probably doing something wrong here (maybe in the application_controller.rb?), so any help would be much appreciated.
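The nested "session" hash in the log above is the shape Rails' ActionController::ParamsWrapper produces for JSON requests: the body is nested under a key derived from the controller name (SessionsController gives "session", RegistrationsController gives "registration"), and the strong-parameters filter then reports that extra key as unpermitted. The following is an added example, not code from the issue or from devise_token_auth; it models that wrapping and the permit step in plain Ruby (no Rails dependency) so the two log lines can be reproduced offline. The helper names wrap_params, permit_keys and sign_in_demo are ours, and the request body is constructed with fake credentials.

```ruby
# Added example (not from the issue): a plain-Ruby model of what Rails'
# ActionController::ParamsWrapper does to a JSON body, followed by a
# Devise-style strong-parameters filter, to show where
#   Parameters: {... "session"=>{...}}   and   Unpermitted parameter: :session
# come from. Helper names are ours; no Rails is loaded.

# ParamsWrapper nests the JSON body under a root key derived from the
# controller name and only does so for content types it is enabled for
# (the generated config/initializers/wrap_parameters.rb enables :json).
# Simplification: real Rails singularizes the controller name and, when a
# matching model exists, limits the wrapped keys to that model's attributes.
def wrap_params(controller, body, content_type, wrap_formats: [:json])
  return body.dup unless content_type.start_with?("application/json")
  return body.dup unless wrap_formats.include?(:json)
  root = controller.sub(/Controller\z/, "").downcase.sub(/s\z/, "")
  return body.dup if body.key?(root) # Rails does not re-wrap an existing root
  body.merge(root => body.dup)
end

# Stand-in for devise_parameter_sanitizer.permit: keep the allowed keys and
# report the rest, as Rails does when action_on_unpermitted_parameters is :log.
def permit_keys(params, allowed)
  permitted = params.select { |k, _| allowed.include?(k) }
  unpermitted = params.keys - allowed
  [permitted, unpermitted]
end

# Constructed body matching the issue's payload (fake credentials).
BODY = { "email" => "user@example.com", "password" => "123456",
         "foo_bar" => "FOO_TEST" }.freeze
ALLOWED = %w[email password foo_bar].freeze

# Runs the sign-in request through wrapping and permitting; returns
# [permitted_hash, unpermitted_keys].
def sign_in_demo(wrap_formats: [:json])
  params = wrap_params("SessionsController", BODY, "application/json; charset=utf-8",
                       wrap_formats: wrap_formats)
  permit_keys(params, ALLOWED)
end

if __FILE__ == $PROGRAM_NAME
  _, unpermitted = sign_in_demo
  unpermitted.each { |k| puts "Unpermitted parameter: :#{k}" }
  _, unpermitted = sign_in_demo(wrap_formats: [])
  puts "with JSON wrapping disabled, unpermitted keys: #{unpermitted.inspect}"
end
```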


K-Sato1995 commented Nov 24, 2019

Duplicated?
#676


aarona commented Nov 24, 2019

Thanks! Yeah that fixed it. I'll close this.

@aarona aarona closed this as completed Nov 24, 2019