Search code examples
ruby-on-railsdevisewarden

Devise warden 401 Unauthorized when wrong credentials

I have a quite standard Devise login procedure with:

View:

resource_name, :url => session_path(resource_name)) do |f| %> 
<%= f.input :password, input_html: {class: "span6"} %>

<% if devise_mapping.rememberable? -%>
    <p><%= f.check_box :remember_me %>&nbsp;&nbsp;&nbsp;Remember me</p>
<% end -%>

<input type="hidden" name="after_sign_in_page" value="<%=@after_sign_in_page%>">
<p><%= f.submit "Sign in", class: "btn btn-success" %></p>

And I just created a sessioncontroller to downcase the email:

class SessionsController < Devise::SessionsController

  def create
    params[:user][:email].downcase!
    super
    logger.debug "Errors: #{resource.errors}"
  end

A login with good credentials happens fine.

With wrong credentials, It redirects to the sign-in page with this log:

Started POST "/users/sign_in" for 127.0.0.1 at 2013-01-10 09:59:44 +0100
Processing by SessionsController#create as HTML
  Parameters: {"utf8"=>"✓", "authenticity_token"=>"8eytQkr20JOOOdDvpCWakbmUzNoaHMxK9/BSEVxETik=", "user"=>{"email"=>"[email protected]", "password"=>"[FILTERED]", "remember_me"=>"0"}, "after_sign_in_page"=>"", "commit"=>"Sign in"}
Time zone: (GMT+00:00) UTC, current area: , user to register: , current controller: sessions
Completed 401 Unauthorized in 69ms
Processing by SessionsController#new as HTML
  Parameters: {"utf8"=>"✓", "authenticity_token"=>"8eytQkr20JOOOdDvpCWakbmUzNoaHMxK9/BSEVxETik=", "user"=>{"email"=>"[email protected]", "password"=>"[FILTERED]", "remember_me"=>"0"}, "after_sign_in_page"=>"", "commit"=>"Sign in"}
  Rendered devise/sessions/_new.html.erb (17.8ms)
  Rendered devise/sessions/new.html.erb within layouts/application (19.7ms)
  Rendered layouts/_header.html.erb (66.1ms)
Completed 200 OK in 173ms (Views: 98.3ms | ActiveRecord: 0.9ms)

Apparently the 401 is dropped by Warden but I couldn't figure out why. The user is correctly redirected back to the login page but there is no error message displayed (which is normal as they are wiped out by the redirect)

What am I doing wrong?

thanks!

EDIT 1:

For now, I found a quick hack. I added this in SessionsController#new

if params[:user]
  flash[:alert] = "Incorrect login or password"
end

Not very elegant but at least, I have something.

Solution

  • Your flash message is not going to be set because Devise::SessionsController#create calls warden for the authentication which, in case of failures, will call Devise::FailureApp. Your controller never handles the failure scenarios.

    If you want a custom message, you can customize the failure app for that, there are some articles in the Devise wiki explaining how to do so.

    But in general, you can customize your failure messages via I18n and there is probably a better way to achieve what you want without a need to override Devise controllers.