Devise Google Group

Re: get current_user or user_signed_in? without redirect after session time out

frank.trind...@gmail.com (Francisco Trindade) — Tue, 21 May 2013 00:58:10 UT

Hi All,
I've ran into the same issue and worked around the problem by calling the
http_auth method on timeout failure.
class AuthenticationFailureApp < Devise::FailureApp
def redirect
message = warden.message || warden_options[:message]
if message == :timeout && scope == :user
http_auth

Re: [devise] Re: Notifying the user whether the password or the email was incorrect after a failed login

dan...@populr.me (Daniel Nelson) — Mon, 20 May 2013 15:51:01 UT

Actually, this turned out to be as simple as updating devise.en.yml.

en:
devise:
failure:
invalid: That password appears to be incorrect.
not_found_in_database: "There doesn't appear to be a user with
that email address."

Re: [devise] Re: Notifying the user whether the password or the email was incorrect after a failed login

dan...@populr.me (Daniel Nelson) — Mon, 20 May 2013 14:25:26 UT

override method `find_or_initialize_with_error s`

Thank you, Vasiliy.

Thank you for pointing that out, Andreo. However, Devise alone doesn't
block against user enumeration even in paranoid mode
([link]).

Re: Notifying the user whether the password or the email was incorrect after a failed login

and...@benjamin.dk — Mon, 20 May 2013 08:55:50 UT

The reason why devise does this has to do with the attacker not being able
to know if he got any of the parameters right, reducing the time of
guessing by brute-force attacks/dictionary attacks to half. especially if
he finds out one password and then he can get a way of getting all the
users emails and try them all out. if you really want to implement this

Re: [devise] Notifying the user whether the password or the email was incorrect after a failed login

youn...@gmail.com (Vasiliy Ermolovich) — Fri, 17 May 2013 14:37:03 UT

Hi,

I think right not it can't be configured. The only way I see is to
override method `find_or_initialize_with_error s`
([link])
and fill it with your own logic:

class User < AR::Base

Notifying the user whether the password or the email was incorrect after a failed login

dan...@populr.me (Daniel Nelson) — Fri, 17 May 2013 14:02:03 UT

Hello,

Someone sent me a Mailchimp blog post
([link]) that
shows that they were able to dramatically reduce failed logins by
telling the user which was incorrect: the email or the password.
Devise takes the position that it is more secure to obscure this (even

Re: [devise] Notification on registered user

swro...@gmail.com (Stefan Wrobel) — Thu, 16 May 2013 01:45:44 UT

I think the primary one that anyone would want to track with analytics is
user registrations ... perhaps that's just an after_create on user, but it
seems to make much more sense to do it as an AS::Notification on the devise
controller method.

Re: [devise] Notification on registered user

lucastma...@gmail.com (Lucas Mazza) — Thu, 16 May 2013 01:11:18 UT

Depends on what pieces of code you want to wrap with AS::Notifications, but
in general it can be pretty easy.

Re: [devise] Notification on registered user

swro...@gmail.com (Stefan Wrobel) — Thu, 16 May 2013 00:47:44 UT

Is there any simple way to wire ActiveSupport::Notifications into Devise?

Re: [devise] user id from the devise session

michaeljohnmitch...@gmail.com (Prizefighter) — Wed, 15 May 2013 19:26:21 UT

oops, yes, thanks, god I'm stupid sometimes

Re: [devise] user id from the devise session

wa...@wdstudio.com (Walter Lee Davis) — Wed, 15 May 2013 19:18:36 UT

Could you try current_user.id ? That would seem to be the canonical way to do this.

Walter

user id from the devise session

michaeljohnmitch...@gmail.com (Prizefighter) — Wed, 15 May 2013 19:12:37 UT

In my Rails app with Devise, I'm making some home-made analytics that
works, in part, the following way. If a user visits another user's profile,
the show action of the user's profile checks whether the visitor is a
registered user and, if so, it saves the user_id of the visitor to the
database.

Re: [devise] Collecting the #{user}_return_to value to save it in my user model and redirect user to this url aft

youn...@gmail.com (Vasiliy Ermolovich) — Wed, 15 May 2013 17:48:06 UT

Please see my answer on SO - [link]

Collecting the #{user}_return_to value to save it in my user model and redirect user to this url aft

syla...@gmail.com (Sylario Syl) — Wed, 15 May 2013 17:26:33 UT

I want to collect the url the users requested before signing up. Devise
remember this URL and send the user to it after registration.
To do so i tried to call after_sign_up_path_for(resourc e) in the create
method of my overrided registration controller.
Problem is that devise immediatly erase the value after it has been called,

redirect back to last get request after timeout causes extra 401 redirect

jan.javi...@gmail.com (javinto) — Wed, 15 May 2013 13:25:20 UT

Hi,

If a user submits a page (POST/PUT) after his timeout expired, he will have
to login again. After that he will be redirected to the page he came from.
This is done by the #store_location!() method and only works for GET
requests. So, I expect to be redirect to the last :new or :edit action of