Devise in production: CSRF and custom fields


POST error: can't verify CSRF token authenticity


https://github.com/heartcombo/devise/issues/2734#issuecomment-275943762

Can't verify CSRF token authenticity

I have this problem (with Rails 5 and nginx), but proxy_set_header X-Forwarded-Ssl on; is a partial solution, at least when I am using Facebook OAuth login with Omniauth (and Devise), with an error like: Can't verify CSRF token authenticity.
The solution is to use proxy_set_header X-Forwarded-Proto $scheme; instead of proxy_set_header X-Forwarded-Ssl on;

Add one line to the Nginx configuration, in the location block that proxies to the Rails app:
proxy_set_header X-Forwarded-Proto $scheme;

Why this fixes it: Rails 5's forgery protection (with the origin check enabled, the default for new Rails 5 apps) rejects a request whose Origin header differs from request.base_url. base_url is built from the scheme Rails believes the request used, and behind a TLS-terminating proxy that scheme can only come from the forwarded header. Without it, base_url is http://host while the browser sent Origin: https://host, so the check fails even though the token itself is valid.

What is $scheme in Nginx?
(The explanation below is taken from the NGINX documentation's redirect example.) The server_name directive matches request URLs that have the domain name www.old-name.com.
The rewritten URL uses two NGINX variables to capture and replicate values from the original request URL:
$scheme is the protocol (http or https) and $request_uri is the full URI including arguments. Forwarding $scheme as X-Forwarded-Proto therefore tells Rails whether the browser connected over https, which is exactly what the base_url comparison needs.
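To make the failure mode concrete, here is an added example (it is not code from the page, from the Devise issue thread, or from Rack or Rails itself): a small pure-Ruby model of how Rack derives the request scheme from proxy headers and how Rails 5's origin check compares the Origin header with request.base_url. The env hashes are constructed by hand to mimic what Nginx passes to Rails with and without the X-Forwarded-Proto line; the host name app.example.com is an assumption.

```ruby
# Model of Rack's scheme resolution and Rails 5's origin check (illustration only,
# not the framework code). Header precedence follows Rack::Request#scheme:
# HTTPS=on, then X-Forwarded-Ssl=on, then X-Forwarded-Scheme, then the first
# value of X-Forwarded-Proto, else the scheme of the hop that reached Rack.
SCHEME_WHITELIST = %w[http https].freeze

def request_scheme(env)
  return "https" if env["HTTPS"] == "on"
  return "https" if env["HTTP_X_FORWARDED_SSL"] == "on"
  candidates = [
    env["HTTP_X_FORWARDED_SCHEME"],
    env["HTTP_X_FORWARDED_PROTO"].to_s.split(",").first.to_s.strip,
  ]
  candidates.each { |c| return c if SCHEME_WHITELIST.include?(c) }
  env["rack.url_scheme"] || "http"
end

def base_url(env)
  "#{request_scheme(env)}://#{env["HTTP_HOST"]}"
end

# Rails 5 valid_request_origin? in outline: a missing Origin header is accepted
# (some user agents never send it); otherwise Origin must equal base_url exactly.
def origin_accepted?(env)
  origin = env["HTTP_ORIGIN"]
  origin.nil? || origin == base_url(env)
end

# Constructed env: a browser POST to https://app.example.com reaching Rails
# through an Nginx that terminates TLS but forwards nothing about the scheme.
def env_without_forwarded_proto
  {
    "REQUEST_METHOD"  => "POST",
    "HTTP_HOST"       => "app.example.com",
    "HTTP_ORIGIN"     => "https://app.example.com",
    "rack.url_scheme" => "http", # the Nginx -> Rails hop is plain HTTP
  }
end

# The same request after adding: proxy_set_header X-Forwarded-Proto $scheme;
def env_with_forwarded_proto
  env_without_forwarded_proto.merge("HTTP_X_FORWARDED_PROTO" => "https")
end

if __FILE__ == $0
  [env_without_forwarded_proto, env_with_forwarded_proto].each do |env|
    puts "base_url=#{base_url(env)} origin=#{env["HTTP_ORIGIN"]} " \
         "accepted=#{origin_accepted?(env)}"
  end
end
```

Run it directly and the first line shows base_url http://app.example.com against Origin https://app.example.com (rejected), the second shows both as https (accepted). The same mismatch also appears when the forwarded header names a different host or port than the browser used, so keep the Host header forwarded unchanged as well.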

Adding a custom field to Devise


First add the column in a migration:

    add_column :users, :name, :string

1. Update the sign-up form
app/views/devise/registrations/new.html.erb

  <div class="field">
    <%= f.label :name %><br />
    <%# the field name must match the new column, :name %>
    <%= f.text_field :name, autofocus: true %>
  </div>

2. Update the edit profile form
app/views/devise/registrations/edit.html.erb

<h2>Edit <%= resource_name.to_s.humanize %></h2>

<%= form_for(resource, as: resource_name, url: registration_path(resource_name), html: { method: :put }) do |f| %>
  <%= devise_error_messages! %>

  <div class="field">
    <%= f.label :name %><br />
    <%= f.text_field :name, autofocus: true %>
  </div>

  <div class="field">
    <%= f.label :email %><br />
    <%# only one field should carry autofocus %>
    <%= f.email_field :email %>
  </div>

  <%# password, password_confirmation and current_password fields as generated by Devise %>
<% end %>

3. Override the Devise controller
3.1 For security reasons, first change the permitted (strong) parameters

class ApplicationController < ActionController::Base
  # Prevent CSRF attacks by raising an exception.
  # For APIs, you may want to use :null_session instead.
  protect_from_forgery with: :exception

  before_action :configure_permitted_parameters, if: :devise_controller?

  protected

  # Strong parameters: Devise only mass-assigns whitelisted keys. The keys: list is
  # added to Devise's defaults (email, password, password_confirmation,
  # current_password), so :name is the only key that is strictly required here.
  # The key must match the column added in the migration; never whitelist
  # role or admin flags in this list.
  def configure_permitted_parameters
    devise_parameter_sanitizer.permit(:sign_up, keys: [:name, :email, :password])
    devise_parameter_sanitizer.permit(:account_update, keys: [:name, :email, :password, :current_password])
  end
end
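The following is an added example, not code from the page or from Devise: a pure-Ruby model of what devise_parameter_sanitizer.permit does, used to show why step 3.1 matters. A tampered sign-up submission is constructed by hand with extra fields the form never rendered (the admin and role columns are hypothetical); the whitelist drops them before they could reach User.new via mass assignment.

```ruby
# Model of Devise's parameter sanitizer (illustration only). The default key
# lists mirror Devise's DEFAULT_PERMITTED_ATTRIBUTES plus the email auth key.
DEFAULT_KEYS = {
  sign_in:        %i[email password remember_me],
  sign_up:        %i[email password password_confirmation],
  account_update: %i[email password password_confirmation current_password],
}.freeze

class PermittedParams
  def initialize
    @keys = DEFAULT_KEYS.transform_values(&:dup)
  end

  # Whitelist additional keys for an action, like the permit call in
  # ApplicationController#configure_permitted_parameters.
  def permit(action, keys:)
    @keys.fetch(action).concat(keys)
    self
  end

  # Keep only whitelisted keys; anything else is silently dropped, the way strong
  # parameters discard unpermitted keys (logged, not raised, by default).
  def sanitize(action, params)
    allowed = @keys.fetch(action)
    params.select { |k, _| allowed.include?(k.to_sym) }
  end
end

# What this app's ApplicationController configures: just the new :name column.
def sanitizer_for_this_app
  PermittedParams.new
    .permit(:sign_up, keys: [:name])
    .permit(:account_update, keys: [:name])
end

# Constructed tampered submission: an attacker edits the form in the browser and
# adds fields for columns that may exist on users (hypothetical admin/role).
TAMPERED_SIGN_UP = {
  "name"                  => "alice",
  "email"                 => "alice@example.com",
  "password"              => "correct horse battery staple",
  "password_confirmation" => "correct horse battery staple",
  "admin"                 => "true",
  "role"                  => "superuser",
}.freeze

def sanitized_sign_up
  sanitizer_for_this_app.sanitize(:sign_up, TAMPERED_SIGN_UP)
end

# Without any whitelist every submitted key would be mass-assigned.
def unsanitized_sign_up
  TAMPERED_SIGN_UP.dup
end

if __FILE__ == $0
  p sanitized_sign_up
  p unsanitized_sign_up.keys - sanitized_sign_up.keys # => ["admin", "role"]
end
```

The same filter applies to account_update, which is where privilege escalation usually hides: a logged-in user can PUT to the registration path, so only name, email and the password fields may pass through.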

https://www.bogotobogo.com/RubyOnRails/RubyOnRails_Devise_Adding_User_Field_and_Customization_Update_Saved.php