Devise warden 401 Unauthorized when wrong credentials

Question

I have a quite standard Devise login procedure with:

View:

resource_name, :url => session_path(resource_name)) do |f| %>

<%= f.input :password, input_html: {class: "span6"} %>

<% if devise_mapping.rememberable? -%>
    <p><%= f.check_box :remember_me %>&nbsp;&nbsp;&nbsp;Remember me</p>
<% end -%>

<input type="hidden" name="after_sign_in_page" value="<%=@after_sign_in_page%>">
<p><%= f.submit "Sign in", class: "btn btn-success" %></p>

And I just created a sessioncontroller to downcase the email:

class SessionsController < Devise::SessionsController

  def create
    params[:user][:email].downcase!
    super
    logger.debug "Errors: #{resource.errors}"
  end

A login with good credentials happens fine.

With wrong credentials, It redirects to the sign-in page with this log:

Started POST "/users/sign_in" for 127.0.0.1 at 2013-01-10 09:59:44 +0100
Processing by SessionsController#create as HTML
  Parameters: {"utf8"=>"✓", "authenticity_token"=>"8eytQkr20JOOOdDvpCWakbmUzNoaHMxK9/BSEVxETik=", "user"=>{"email"=>"nicolas@demoreau.be", "password"=>"[FILTERED]", "remember_me"=>"0"}, "after_sign_in_page"=>"", "commit"=>"Sign in"}
Time zone: (GMT+00:00) UTC, current area: , user to register: , current controller: sessions
Completed 401 Unauthorized in 69ms
Processing by SessionsController#new as HTML
  Parameters: {"utf8"=>"✓", "authenticity_token"=>"8eytQkr20JOOOdDvpCWakbmUzNoaHMxK9/BSEVxETik=", "user"=>{"email"=>"nicolas@demoreau.be", "password"=>"[FILTERED]", "remember_me"=>"0"}, "after_sign_in_page"=>"", "commit"=>"Sign in"}
  Rendered devise/sessions/_new.html.erb (17.8ms)
  Rendered devise/sessions/new.html.erb within layouts/application (19.7ms)
  Rendered layouts/_header.html.erb (66.1ms)
Completed 200 OK in 173ms (Views: 98.3ms | ActiveRecord: 0.9ms)

Apparently the 401 is dropped by Warden but I couldn't figure out why. The user is correctly redirected back to the login page but there is no error message displayed (which is normal as they are wiped out by the redirect)

What am I doing wrong?

thanks!

EDIT 1:

For now, I found a quick hack. I added this in SessionsController#new

if params[:user]
  flash[:alert] = "Incorrect login or password"
end

Not very elegant but at least, I have something.

Answer 1

Your flash message is not going to be set because Devise::SessionsController#create calls warden for the authentication which, in case of failures, will call Devise::FailureApp. Your controller never handles the failure scenarios.

If you want a custom message, you can customize the failure app for that, there are some articles in the Devise wiki explaining how to do so.

But in general, you can customize your failure messages via I18n and there is probably a better way to achieve what you want without a need to override Devise controllers.

Answer 2

First of all, let me advice you against overriding Devise controllers:

1. In this case, Devise takes care of transforming the email to lower case for you, so there's really no need to overwrite the create method.
2. Your app will support Devise updates seamlessly if you stick to the standard.

Also, Devise should set a flash error automatically, make sure you're displaying it in your view.

The status code 401 is just a standard response for unauthorized requests.

401 Unauthorized is similar to 403 Forbidden, but specifically for use when authentication is required and has failed or has not yet been provided

http://en.wikipedia.org/wiki/List_of_HTTP_status_codes

You should definitely consider dropping your custom controller,

Cheers

Answer 3

I agree with jassa, just update your Devise version (with bundle update devise).

Case insensitive emails are already present in Devise, just make sure you have this config:

# devise.rb
Devise.setup do |config|
  config.case_insensitive_keys = [:email ]
end

In any case, since you seem to be missing some flash messages and this config, perhaps it would better if you just re-ran the generator:

rails generate devise:install

You should then let Devise overwrite some files, just make sure you backup yours first.