User can't be saved. Keep getting 422 error #266

Closed
codeundercoverdev opened this issue Aug 12, 2016 · 5 comments

@codeundercoverdev

I am trying to use simple_token_authentication on top of devise for both a web app and an api. Here are the routes:

Rails.application.routes.draw do
    devise_for :users
    namespace :api, defaults: { format: :json } do
        devise_for :users, controllers: {registrations: "registrations"}, :defaults => { :format => :json }
    end
end

Here is the registrations controller:

class RegistrationsController < Devise::RegistrationsController  
    respond_to :json
end  

Here is my ajax command:

$.ajax({
  type: "POST",
  url: 'http://localhost:3000/api/users',
  data: JSON.stringify({user: {email: 'demouser@demo.com', password: 'password', password_confirmation: 'password'}}),
  dataType: "json",
  contentType: "application/json; charset=utf-8"
});

The command returns a 422-unprocessable entity error with the following body:

"{"errors":{"email":["can't be blank"],"password":["can't be blank"]}}"

Here are the logs:

Started POST "/api/users" for ::1 at 2016-08-12 17:45:17 -0400
Processing by RegistrationsController#create as JSON
  Parameters: {"user"=>{"email"=>"demouser@demo.com", "password"=>"[FILTERED]", "password_confirmation"=>"[FILTERED]"}, "registration"=>{"user"=>{"email"=>"demouser@demo.com", "password"=>"[FILTERED]", "password_confirmation"=>"[FILTERED]"}}}
Can't verify CSRF token authenticity
   (0.0ms)  begin transaction
   (0.0ms)  rollback transaction
Completed 422 Unprocessable Entity in 4ms (Views: 1.3ms | ActiveRecord: 0.1ms)

Why is this happening? How do I create a user through the api?

@gonzalo-bulnes
Owner

gonzalo-bulnes commented Aug 13, 2016

Hello @codeundercoverdev,

The authenticity token is a mechanism to prevent cross-site request forgeries (CSRF) and is not related to authentication (which involves an authentication token). You'll find more details in this question and the CSRF documentation in the Rails guides.

I'll close this issue, don't hesitate to ask more questions in #37 if needed - keeping all the related questions in the same thread makes it easier for others to find them : )

@codeundercoverdev
Author

codeundercoverdev commented Aug 13, 2016

Hi @gonzalo-bulnes,

Can you please reopen this issue? It has nothing to do with authenticity tokens as in my application controller I disable the authenticity token:

class ApplicationController < ActionController::Base
  # include DeviseTokenAuth::Concerns::SetUserByToken
  acts_as_token_authentication_handler_for User, fallback: :none, unless: lambda { |controller| controller.request.format.html? }
  # acts_as_token_authentication_handler_for User, if: lambda { |controller| controller.request.format.json? }
  skip_before_filter :verify_authenticity_token
  # Prevent CSRF attacks by raising an exception.
  # For APIs, you may want to use :null_session instead.
  # protect_from_forgery with: :exception, if: Proc.new { |c| !c.request.original_fullpath.start_with?('/api') }
  protect_from_forgery with: :null_session, if: Proc.new { |c| c.request.original_fullpath.start_with?('/api') }

end

@gonzalo-bulnes
Owner

gonzalo-bulnes commented Aug 14, 2016

Hi @codeundercoverdev,

I still don't see the relation of the error with Simple Token Authentication... what happens if you entirely remove the acts_as_token_authentication_handler... lines?

If the same error still happens (I would be surprised if it didn't), then I would suggest trying to move the authenticity token verification skipping after the protect_from_forgery declaration, because ActionController callbacks tend to be order-sensitive.

If the error doesn't happen anymore, then I am certainly missing something. In that case, please see this wiki article; it provides a systematic way to provide the context that is necessary to debug token authentication issues and will help you and me find what we are missing.

@gonzalo-bulnes
Owner

Hi @codeundercoverdev, any news on this issue?

@Jascha-Sundaresan

I have this same problem.

The issue (as far as I can tell) is that the params being sent back to Rails have the object data inside a key called "registration", while Devise is looking for params inside a key called "user".

I have no idea why the params are being put inside "registration".
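
The following is an added example, not part of the original thread and not code from simple_token_authentication or Devise: a Ruby triage of the request log quoted in the issue. Rails answers a forgery-protection failure under `with: :exception` with a 422, the same status as a failed validation, so the script separates the two cases and lists the parameter keys Rails actually received. The names `parse_parameters`, `wrapper_key`, `triage` and the `expected_key` argument are assumptions made for the example.

```ruby
require "json"

# Constructed sample: the request log lines quoted in the issue above.
SAMPLE_LOG = <<~'LOG'
  Started POST "/api/users" for ::1 at 2016-08-12 17:45:17 -0400
  Processing by RegistrationsController#create as JSON
    Parameters: {"user"=>{"email"=>"demouser@demo.com", "password"=>"[FILTERED]", "password_confirmation"=>"[FILTERED]"}, "registration"=>{"user"=>{"email"=>"demouser@demo.com", "password"=>"[FILTERED]", "password_confirmation"=>"[FILTERED]"}}}
  Can't verify CSRF token authenticity
     (0.0ms)  begin transaction
     (0.0ms)  rollback transaction
  Completed 422 Unprocessable Entity in 4ms (Views: 1.3ms | ActiveRecord: 0.1ms)
LOG

# Rails prints params as a Ruby hash; with string-only values, swapping
# "=>" for ":" yields valid JSON (breaks if a value itself contains "=>").
def parse_parameters(log)
  raw = log[/^\s*Parameters: (\{.*\})\s*$/, 1]
  raw ? JSON.parse(raw.gsub("=>", ":")) : {}
end

# A ParamsWrapper key is one whose value duplicates all other top-level keys.
def wrapper_key(params)
  params.keys.find do |k|
    rest = params.reject { |key, _| key == k }
    !rest.empty? && params[k] == rest
  end
end

# Heuristic: a 422 that opened a transaction reached the model layer; a 422
# with only the CSRF warning was rejected by forgery protection.
def triage(log, expected_key)
  params = parse_parameters(log)
  csrf = log.include?("Can't verify CSRF token authenticity")
  db = log.match?(/\)\s+begin\b/i)
  status = log[/^Completed (\d{3})/, 1].to_i
  cause = if status == 422 && db then :model_validation
          elsif status == 422 && csrf then :csrf_rejection
          else :other
          end
  { status: status, csrf_warning: csrf, cause: cause,
    top_level_keys: params.keys, wrapper_key: wrapper_key(params),
    expected_key_present: params.key?(expected_key) }
end

p triage(SAMPLE_LOG, "user") if $PROGRAM_NAME == __FILE__
```
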
