uninitialized constant Devise::Models::TokenAuthenticatable #2739
Comments
All the examples in the readme for doing token authentication refer to using TokenAuthenticatable, e.g., this gist. How do we do token authentication without TokenAuthenticatable?
@moneypenny I think you wanted to say in wiki not in readme. The wiki is maintained by the community. So if there aren't any up to date instructions, we recommend you to explore the solution yourself and hopefully contribute your findings back!
Correct! I meant this wiki page.
@moneypenny The wiki page mentions it was removed and contains a link to a gist that can be used as starting point!
@josevalim it was @moneypenny who updated it just now :)
Oops, awesome! Thanks @moneypenny!
Thanks @DBNess for the reference!
I think token-auth is a helpful feature for mobile device login (QR code together), and I can't understand why the feature was removed. For safety reasons?
Yes. See the plataformatec blog post for more info.
Is it possible to fix the old TokenAuthenticatable strategy? I used https://gist.github.com/josevalim/fb706b1e933ef01e4fb6 as a starting point to create my own Warden authentication strategy and the necessary Devise model. It was relatively easy and that got me wondering: As far as I understand, the key to prevent a timing attack is to use a constant time comparison for the token. In order to do so one must not use the token to perform a database lookup, but find some other means to retrieve a user candidate. If that is correct, couldn't TokenAuthenticatable be modified to incorporate a second parameter to perform the user lookup? Or is there other code in Devise whose runtime (implicitly) depends on the token param?
@daniel-rikowski that is just one of the possible solutions. Besides requiring the e-mail, you could for example split the token in two, one which is looked up against the database and the other which you do secure compare against. I think when discussing the issue we had two more other options although I can't recall them exactly. Not only that, if you consider some people regard that timing attacks are not feasible, we have too many options for solving the same issue, so rolling your own is certainly easier (and easily implementable too).
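An added example, not code from this thread or from Devise: a plain-Ruby sketch of the two options discussed above, finding the candidate by e-mail and then comparing the token in constant time, and splitting the token so one half is looked up and the other is secure-compared. `TokenStore`, the `selector.verifier` token format and storing only a SHA-256 digest of the verifier are assumptions made for the illustration.

```ruby
require 'securerandom'
require 'digest'

# Constant-time comparison: every byte is examined even after a mismatch.
def secure_compare(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Hypothetical in-memory stand-in for a users table (constructed for this example).
class TokenStore
  Record = Struct.new(:email, :selector, :verifier_digest)

  def initialize
    @by_email = {}
    @by_selector = {}
  end

  # Issues "selector.verifier"; only the selector and a digest of the verifier are kept.
  def issue(email)
    selector = SecureRandom.hex(8)
    verifier = SecureRandom.hex(32)
    rec = Record.new(email, selector, Digest::SHA256.hexdigest(verifier))
    @by_email[email] = rec
    @by_selector[selector] = rec
    "#{selector}.#{verifier}"
  end

  # Option 1: retrieve the candidate by e-mail, never by the secret itself.
  def authenticate_with_email(email, token)
    verify(@by_email[email], token.to_s.split('.', 2)[1])
  end

  # Option 2: look up the first half of the token, secure-compare the second.
  def authenticate_with_split_token(token)
    selector, verifier = token.to_s.split('.', 2)
    verify(@by_selector[selector], verifier)
  end

  private

  # The secret half only ever reaches a constant-time comparison.
  def verify(rec, verifier)
    return nil if rec.nil? || verifier.nil?
    secure_compare(rec.verifier_digest, Digest::SHA256.hexdigest(verifier)) ? rec.email : nil
  end
end
```

In a Rails application the two hashes would be indexed columns on the user model, and the lookup would be a `find_by` on the e-mail or selector column only.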
@daniel-rikowski Here's a pretty nice writeup. It may help http://www.soryy.com/ruby/api/rails/authentication/2014/03/16/apis-with-devise.html
^ that link didn't work for me, but was able to find it here: http://www.soryy.com/blog/2014/apis-with-devise/
- Upgrade to rails 4.2 - Upgrade devise - remove token authentication as it is not supported by the devise heartcombo/devise#2739 - Add devise secret token - Signout by default now uses delete instead of get so need to change that back to get - Model level changes - Rails update scopes to use lambda expressions - Added protected attributes gem - Removed attributes accessor - Controller level changes - Added strong parameters in startup - Config level Changes - Added eager load options - Rails config file rewrite - remove assets groups - Set log level to info in production - set css and js compressors - Added assets precompiler - remove assets groups - Route Changes - Lot of conflicting routes are fixed with http verb in front of them - Views fix - Slim fixes at app/views/proposals/_form.html.slim - id was missing at app/views/users/_index.html.slim - Javascript fixes - Needed to manually add jquery 1.4 - Hacks - Primary key issue https://stackoverflow.com/questions/33742967/primary-key-issue-with-creating-tables-in-rails-using-rake-dbmigrate-command-wi - Last comment issue https://stackoverflow.com/questions/35893584/nomethoderror-undefined-method-last-comment-after-upgrading-to-rake-11 - To fix - JS works fine on dev not on prod - Changes to all controllers to support strong parameters
- Upgrade to rails 4.2 - Upgrade devise - remove token authentication as it is not supported by the devise heartcombo/devise#2739 - Add devise secret token - Signout by default now uses delete instead of get so need to change that back to get - Model level changes - Rails update scopes to use lambda expressions - Added protected attributes gem - Removed attributes accessor - Controller level changes - Added strong parameters in startup - Config level Changes - Added eager load options - Rails config file rewrite - remove assets groups - Set log level to info in production - set css and js compressors - Added assets precompiler - remove assets groups - require rails all - Route Changes - Lot of conflicting routes are fixed with http verb in front of them - Views fix - Slim fixes at app/views/proposals/_form.html.slim - id was missing at app/views/users/_index.html.slim - Javascript fixes - Needed to manually add jquery 1.4 - Hacks - Primary key issue https://stackoverflow.com/questions/33742967/primary-key-issue-with-creating-tables-in-rails-using-rake-dbmigrate-command-wi - Last comment issue https://stackoverflow.com/questions/35893584/nomethoderror-undefined-method-last-comment-after-upgrading-to-rake-11 - To fix - JS works fine on dev not on prod - Changes to all controllers to support strong parameters
I have devise on my app and it works fine locally. When I try to deploy it to my server from github, I get the following error: "uninitialized constant Devise::Models::TokenAuthenticatable"
I haven't been able to find any documentation on how to fix it. Any ideas?