AJAX authentication

I have tried numerous approaches, but Devise is fiercely resisting my attempts to allow users to log in without leaving the page they’re on, and then to submit the forms available on the site (blog commenting and profile updates).

Basically, the problem is that the CSRF tokens get out of sync because a user isn’t going through the authentication flow anticipated by Devise (it’s skipping through the “New” controller, whether Sessions or Registrations, straight to the “Create” controller).

Is anybody successfully handling AJAX login/registration features within the React On Rails framework with Devise (without going to a single-page framework where the routing is being handled by React Router)? Or, is anybody using ANY AJAX login/registration chains that work successfully with the built-in Rails CSRF handling? I’m not willing to just turn off forgery protection to get this to work.

Maybe upon first logging in, you should consider setting some value in memory or to a cookie, and then configure your ajax responses to send that.

Take a look at these notes:

There are a lot of possible routes to explore in that conversation. Thanks.

I do need to clarify, though: the problem isn’t that I’m not able to grab the CSRF token and submit it with my AJAX requests. If I log in through the standard Devise login pipeline, going from the Sessions#New controller action through the #Create action, and then being redirected to whatever output page, I can grab the token that’s in my headers after that sequence and submit AJAX requests ad infinitum without problem.

But I want my users to be able to log in without ever leaving the blog page they’re at. I can log them in by just hitting the #Create controller action in Devise, and depending on the implementation, they can submit AJAX requests on the comments form of the page they’re on, but their session is actually broken, and if they go to another page, they aren’t logged in. (Somehow, even with a broken session, the comments are submitting. I still don’t fully understand why.)

So this is really just about understanding the process that Devise is doing of managing your session and CSRF tokens, and trying to supplant that behavior with bespoke code. But what Devise is doing is complicated, and I have my doubts that I will understand it all if I just read the code. (Though I’m trying – this has become an obsession.)

CSRF is part of Rails. You can turn that off.

You can create auth tokens to use with devise:

For future coders’ sake, I found that the instructions here worked with little modification:
Rails 4, Angular.js, CSRF and Devise

They’re intended for Angular users, but Axios by default uses the same combination of cookie/header that Angular uses, so that makes things easy. Some of the things in the code above cause Rails 4.2 to puke, but the solutions are all easily found in the Stack Overflow links that the author refers to, so that’s pretty sweet.

So that seems to wrap up an adventurous week or two. It’s interesting to me that lots of people seem to be rolling their own AJAX interfaces with Devise, and the Devise maintainers’ code comments would indicate they are well aware of this fact, but they provide no official guidance on best practices.

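As an added example (not code from this thread, nor from Devise or Rails themselves) of the mechanism behind the out-of-sync tokens described above: a pure-Ruby re-creation of how Rails 4.2+ masks the session's CSRF secret into the per-page token, and of the session-secret reset Devise performs at sign-in when clean_up_csrf_token_on_authentication is enabled (its default). The session hash and user id are constructed stand-ins; the walkthrough shows the blog page's original token being rejected once the user signs in over AJAX, and a freshly minted token (the kind a JSON sign-in response can hand back for the client to swap in) validating again.

```ruby
require 'securerandom'
require 'base64'

TOKEN_LENGTH = 32

# Rails keeps a random 32-byte secret, base64 encoded, in session[:_csrf_token].
# A plain Hash stands in for the Rails session in this example (constructed).
def real_csrf_token(session)
  session[:_csrf_token] ||= SecureRandom.base64(TOKEN_LENGTH)
  Base64.strict_decode64(session[:_csrf_token])
end

# XOR two equal-length byte strings.
def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

# The value placed in <meta name="csrf-token"> and sent as X-CSRF-Token:
# base64(pad || (pad XOR secret)). Masking is why one session shows a
# different token on every page load while the secret stays the same.
def masked_csrf_token(session)
  pad = SecureRandom.random_bytes(TOKEN_LENGTH)
  Base64.strict_encode64(pad + xor_bytes(pad, real_csrf_token(session)))
end

# Server-side check: unmask the submitted token and compare to the secret.
def valid_csrf_token?(session, encoded)
  bytes = Base64.strict_decode64(encoded)
  return false unless bytes.bytesize == TOKEN_LENGTH * 2
  pad, masked = bytes[0, TOKEN_LENGTH], bytes[TOKEN_LENGTH, TOKEN_LENGTH]
  xor_bytes(pad, masked) == real_csrf_token(session)
rescue ArgumentError
  false # not valid base64 at all
end

# What Devise does at sign-in with clean_up_csrf_token_on_authentication:
# drop the secret so the next request mints a new one. Tokens already
# embedded in open pages stop validating at this point.
def sign_in!(session)
  session.delete(:_csrf_token)
  session[:user_id] = 42 # constructed user id
end

# The thread's scenario: sign in over AJAX from the blog page, then comment.
def ajax_login_walkthrough
  session = {}
  page_token = masked_csrf_token(session)          # token baked into the page
  before = valid_csrf_token?(session, page_token)  # comment form works
  sign_in!(session)                                # AJAX POST to Sessions#create
  stale = valid_csrf_token?(session, page_token)   # same page token now rejected
  fresh = masked_csrf_token(session)               # return this in the sign-in response
  after = valid_csrf_token?(session, fresh)        # client swaps tokens, works again
  { before: before, stale: stale, after: after }
end
```

Keeping the masked token in sync after login is the whole job: either the sign-in response carries a fresh token that the client writes into its meta tag and Axios default header, or the page reloads to pick one up.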