Devise Google Group

Timeout not working unless the page remains open

2013-05-24T17:51:38Z

Hello,
I'm seeing some strange behaviour on a Rails 3.2.13 app using Devise 2.2.3.
The User model has the following Devise options:
devise :database_authenticatable, :lockable, :recoverable, :trackable,
config.timeout_in is commented out in devise.rb so it should be using the
default of 30 minutes.

Is there a better way to hook in a second authentication factor?

2013-05-24T11:05:23Z

Hi,
I have been using home-grown sms-to-phone second factor authentication for
the past two years. I got a bug up my --- and wanted to improve my
two-factor support. I have been trying to find a a solid way to integrate
with Devise but coming up short.
I interpret the Warden docs to mean that it will fail or succeed on the

Re: get current_user or user_signed_in? without redirect after session time out

2013-05-21T00:58:10Z

Hi All,
I've ran into the same issue and worked around the problem by calling the
http_auth method on timeout failure.
class AuthenticationFailureApp < Devise::FailureApp
def redirect
message = warden.message || warden_options[:message]
if message == :timeout && scope == :user
http_auth

Re: [devise] Re: Notifying the user whether the password or the email was incorrect after a failed login

2013-05-20T15:51:01Z

Actually, this turned out to be as simple as updating devise.en.yml.

en:
devise:
failure:
invalid: That password appears to be incorrect.
not_found_in_database: "There doesn't appear to be a user with
that email address."

Re: [devise] Re: Notifying the user whether the password or the email was incorrect after a failed login

2013-05-20T14:25:26Z

override method `find_or_initialize_with_error s`

Thank you, Vasiliy.

Thank you for pointing that out, Andreo. However, Devise alone doesn't
block against user enumeration even in paranoid mode
([link]).

Re: Notifying the user whether the password or the email was incorrect after a failed login

2013-05-20T08:55:50Z

The reason why devise does this has to do with the attacker not being able
to know if he got any of the parameters right, reducing the time of
guessing by brute-force attacks/dictionary attacks to half. especially if
he finds out one password and then he can get a way of getting all the
users emails and try them all out. if you really want to implement this

Re: [devise] Notifying the user whether the password or the email was incorrect after a failed login

2013-05-17T14:37:03Z

Hi,

I think right not it can't be configured. The only way I see is to
override method `find_or_initialize_with_error s`
([link])
and fill it with your own logic:

class User < AR::Base

Notifying the user whether the password or the email was incorrect after a failed login

2013-05-17T14:02:03Z

Hello,

Someone sent me a Mailchimp blog post
([link]) that
shows that they were able to dramatically reduce failed logins by
telling the user which was incorrect: the email or the password.
Devise takes the position that it is more secure to obscure this (even

Re: [devise] Notification on registered user

2013-05-16T01:45:44Z

I think the primary one that anyone would want to track with analytics is
user registrations ... perhaps that's just an after_create on user, but it
seems to make much more sense to do it as an AS::Notification on the devise
controller method.

Re: [devise] Notification on registered user

2013-05-16T01:11:18Z

Depends on what pieces of code you want to wrap with AS::Notifications, but
in general it can be pretty easy.

Re: [devise] Notification on registered user

2013-05-16T00:47:44Z

Is there any simple way to wire ActiveSupport::Notifications into Devise?

Re: [devise] user id from the devise session

2013-05-15T19:26:21Z

oops, yes, thanks, god I'm stupid sometimes

Re: [devise] user id from the devise session

2013-05-15T19:18:36Z

Could you try current_user.id ? That would seem to be the canonical way to do this.

Walter

user id from the devise session

2013-05-15T19:12:37Z

In my Rails app with Devise, I'm making some home-made analytics that
works, in part, the following way. If a user visits another user's profile,
the show action of the user's profile checks whether the visitor is a
registered user and, if so, it saves the user_id of the visitor to the
database.

Re: [devise] Collecting the #{user}_return_to value to save it in my user model and redirect user to this url aft

2013-05-15T17:48:06Z

Please see my answer on SO - [link]

Collecting the #{user}_return_to value to save it in my user model and redirect user to this url aft

2013-05-15T17:26:33Z

I want to collect the url the users requested before signing up. Devise
remember this URL and send the user to it after registration.
To do so i tried to call after_sign_up_path_for(resourc e) in the create
method of my overrided registration controller.
Problem is that devise immediatly erase the value after it has been called,

redirect back to last get request after timeout causes extra 401 redirect

2013-05-15T13:25:20Z

Hi,

If a user submits a page (POST/PUT) after his timeout expired, he will have
to login again. After that he will be redirected to the page he came from.
This is done by the #store_location!() method and only works for GET
requests. So, I expect to be redirect to the last :new or :edit action of

Re: legacy tables & password encryption

2013-05-14T11:36:37Z

I have actually decided to go with the first option since the second did
not reveal to be as easy as should and the first one is well documented and
works.
but to do the first I have to put a setting configuration:
config.apply_schema = false devise
which I am really familiar with what it does and what kind of changes it

Devise with config.session_store :disabled

2013-05-13T17:00:33Z

Hi,
Disclaimer : Sorry if this problem should not be created here. I don't know
if it is more relevant to post it on the `warden` repository.
Anyway I am using devise 2.2.3 and am building a RESTful API (stateless),
so I don't need to store any session. Thefore I have disabled them by
defining in `config/initializers/session_s tore.rb` :

legacy tables & password encryption

2013-05-13T12:30:07Z

Hello,
I am an app running on rails 3.0.20 which uses its own custom
authentication system. The database is in postgres and I am trying to
implement devise 1.5.4. which is the most suitable version for my app.
Since the passwords where being stored with Digest::SHA1.hexdigest(string)
which is not regress able, I would need to keep the passwords(we have more

Re: [devise] blogpost about devise with rails 4

2013-05-12T23:52:40Z

Thanks, I also added this to the gemfile
gem 'devise', '3.0.0.rc'

Re: [devise] blogpost about devise with rails 4

2013-05-12T23:42:35Z

Since it's a pre release version, Rubygems won't install it without the
explicit version (it's
3.0.0.rc<[link]>and not
3.0.0rc1) or you can just use `gem install devise --pre` instead.

On Sun, May 12, 2013 at 8:39 PM, Prizefighter <michaeljohnmitch...@gmail.com

blogpost about devise with rails 4

2013-05-12T23:39:09Z

I read this blog post about the version of Devise compatible with Rails 4
[link]
but I can't get Devise 3.0 installed. When I do gem install Devise, it
installs
*devise-2.2.4.gem (100%) *
*
*
*I tried to do*
*
*
Fetching: devise-2.2.4.gem (100%)

How to have single sign-in form for two devise models

2013-05-12T19:25:17Z

I have two devise models.
devise_for :contractors
devise_for :customers
To make it easier for the users and also cleaner on the frontend. I wish
one sign in form in my navbar through both customers and contractors can
sign in.
So, i am wondering, how to do that ? Should I have override devise's
session controller? If so how. I could have sign in for one devise model

how to invite cross scope devise

2013-05-09T23:24:31Z

i have 3 scopes , :user , :tenant , :client . Now i dont want :tenant and
both :tenant and :client . I also want :user to invite both :client and
in :user model . With devise_invitable I only able to invite users who are
already a user, this is not what i want. i want to invite cross :scope
members . How can i ? Please give me some idea .

Re: [devise] use old version of devise (1.1.7) on ruby 1.9.3 and rails 3.2.11

2013-05-09T19:58:08Z

I want to copy secrete token and cookie store name from the old app to the
new one. And that's approach works if I use the same devise version. But I
need to use 1.1.7 from the old app for sure.

Re: [devise] use old version of devise (1.1.7) on ruby 1.9.3 and rails 3.2.11

2013-05-09T15:34:06Z

What mechanism are you using to do the SSO? I went through this hassle last year, ended up using a custom OmniAuth provider in a third central Rails app to manage the identities. It was far from ideal.

Walter

use old version of devise (1.1.7) on ruby 1.9.3 and rails 3.2.11

2013-05-09T14:54:12Z

I need to integrate old app which use devise 1.1.7 and rails 3.0.4 with
modern app based on rails 3.2.11 via SSO.
Anybody could advice how to do that? Currently when I try to open the page
on the new app, I get the following exception:
Started GET "/" for 127.0.0.1 at 2013-05-09 19:20:49 +0530

Store the data drom "user_return_to" when a user register.

2013-05-08T14:16:38Z

My rails app (3 with devise 2.2 and pg as DB) use Devise for
authentication. The whole app require for user to be logged-in.
When a new user request myapp.com/category/:c_id/produ ct/:p_id/, devise
redirect it to the register/log-in devise page.
Once the user is registered, he is redirected to the page he originally

Unable to be authenticated by devise after a successful login

2013-05-07T20:20:24Z

Setup:
I have a model named MyModule::User
devise_for :users, :class_name => "MyModule::User", :path_prefix => '/',
I'm using active_admin.
Scenario:
Ok, if I login, I can step through Devise::SessionsController#cre ate, and
at the end of that method (I'm using a debugging), I can issue a call to:
current_user(), which returns my user! Ok, good. I'm logged in... at least,

Re: [devise] change redirect path after account confirmation

2013-05-07T17:20:24Z

Was a solution for this ever found?
I tried many of the suggestions here - and they don't work for me.
Specifically, here are more details about what I have done and what's not
working
- [link]

Re: [devise] Re: How to associate multiple emails for a single user in rails Devise

2013-05-06T15:38:15Z

Hey,

I think this is something related to your problem:
[link]

On Mon, May 6, 2013 at 6:35 PM, Quazi Marufur Rahman

Re: How to associate multiple emails for a single user in rails Devise

2013-05-06T15:35:49Z

Any suggestions about how can I implement this?

Re: [devise] Extension to prevent session hijacking when sharing a session between http and https

2013-05-06T02:11:03Z

Hello José,

Thanks for looking into this. The main thing we wanted to do is have a shared session among the http/https pages, so we can change elements of the page depending whether you're logged in or not and pass around information. I guess we could have created another cookie which mimics a separate insecure login (i.e. not using devise for that - or a separate user in devise) - but that seems quite a lot of effort.

How to associate multiple emails for a single user in rails Devise

2013-05-05T15:20:40Z

Hi
I came to know about this group after posting my question in stackoverflow.
Without cross posting, I am sharing SO question link here.
[link]
It is about *How to use multiple email address for a single user.*

Re: Extension to prevent session hijacking when sharing a session between http and https

2013-05-04T16:34:23Z

Hello Michael,
I am wondering: what would happen if you set the session cookie to be only
https? Then it wouldn't work on http pages and only https. If you need to
store any information on http pages, you could create extra "unsafe"
cookies and rely on them instead.
I haven't tried what I just proposed so it may not work at all. :) If this

Re: Creating an auth token on sessions#create

2013-05-04T16:28:03Z

The token authentication is meant to be used for API access and not as a
quick-to-discard token.
So you can either come up with your own token or clean up the token
authentication.
I would suggest your own token since the token authenticable would still
work when you have your own API.
Also, if you are accessing it directly from the browser, you could just use

Re: [devise] Devise with many user flows

2013-05-04T16:15:02Z

Since you're using your own controller already, you can organize your
multiple flows in any way you want. You can make a specific action for your
recommendation code URL and handle the commitment logic in your model
validations and with some JavaScript to hide/show the fields in your form.

If you controller ends up too big you might want to extract the code to new

Re: Rails 3 Overriding Devise Mailer Issues

2013-05-03T11:01:58Z

Hi Dennis,
I don't know if your problem is still existent, but if:
I think, you are the one who made Rails send the message twice...
With changing the Mailer-methods to use the mandrill API you are sending
the mail. And at the end
of your method you call "super", what just leads to a regular call of the

Devise with many user flows

2013-05-02T16:42:58Z

Hi,
I am building an app were users can sign up via email, twitter or github
(using omniauth), they can while doing this also use a campaign code,
invite code or a recommendation code. The codes are part of a link emailed
to the users, so there are no "if you have a code please enter it here"
stuff. It's all handled in the registrations controller. Users can also

Re: [devise] Prevent the updated_at field in User to get modified while signing in using devise

2013-05-02T15:10:43Z

What modules are you using? Such behaviour is done by the hooks that Devise
adds to Warden based on the modules/strategies you are using. Check the
files at
[link]
for
more.

Prevent the updated_at field in User to get modified while signing in using devise

2013-05-02T08:59:24Z

Hey,
i noticed that on each sign_in/sign_out the updated_at field from the user
gets modified. Is there a possibility to suppress/change this behavior ? i
could not figure out where this happends in the devise code....
thanks,
Kalle

Re: [devise] Accessing other user accounts

2013-05-01T17:38:40Z

Hello Michael,

Your suggested code change of "current_user" worked as expected. Now I can
understand why the behavior I was seeing earlier was obvious, and what a
silly mistake I was making.

Certainly, will go through Michael Hartl's tutorial.

Thanks,
Rajmohan

On Wed, May 1, 2013 at 11:14 AM, Michael Kaiser-Nyman

Re: [devise] Invalid confirmation token

2013-05-01T14:32:07Z

Sorry, a typo in my last message, it should be Rails 3.2.13!

Re: [devise] Invalid confirmation token

2013-05-01T14:31:10Z

we're using devise 2.2.3, devise-async 0.7 and rails 3.2.11
i am not sure if the tokens are different, because when the user clicks the
link i don't know what user it is as it cannot find the user object based
on the token.
if i take the token from the error i can't find a user manually based on

Re: [devise] Accessing other user accounts

2013-05-01T05:44:25Z

Hey Rajmohan. It sounds like you might not totally be clear on how
authentication and authorization work. It can be tough to understand how to
properly use an authentication gem like Devise if you haven't rolled you
own auth before. Michael Hartl's Rails Tutorial has an awesome, in-depth
guide on how to write your own auth

Extension to prevent session hijacking when sharing a session between http and https

2013-05-01T05:43:02Z

Hi everyone,
For a project, we're sharing a session between http and https. The http
part of the site is mainly for display, any operations are secured by
https. So I wrote a little devise extension to create an extra SSL-only
cookie which is used to prevent session hijacking. The idea is that all

Creating an auth token on sessions#create

2013-05-01T05:36:05Z

I'm moving an app using Devise from plain old Rails to Rails API +
Ember.js, and so I'm switching from "regular" Devise to using an
authentication token. POSTing an email and password to /users/sign_in
successfully authenticates me and, thanks to Devise's respond_with, returns
the user as JSON including the auth token, which I can use to authenticate

Re: [devise] Accessing other user accounts

2013-04-30T18:09:20Z

Thanks Lucas. But I am using a vanilla users controller and from their I
access all the articles created by that current_user. Once I login as
user1, I see all articles of user1 at the url [link].
Now I just go to the title bar in the browser and change the id from 1 to 2

Re: [devise] Invalid confirmation token

2013-04-30T17:33:57Z

What gem versions are you using (Rails, Devise, Devise-async), and how the
token that is used in the links is different from the one that is present
in your database? They are blank or the tokens aren't the same?

Unfortunately you might need to supply more details about your Rails
application and infrastructure so we can try to help you out.