I'm trying to build a rails API and I'm using devise_token_auth gem for user authentication using tokens.
I managed to set everything up correctly and just bumped into a problem. Whenever I try to reset my password I get a 401 Unauthorized error from the API.
The flow is as follows:
- The user clicks the "Forgot my Password" button
- The user is redirected to a front-end app with a form to insert their email
- The front-end app makes a POST request to the API 'auth/password' with the email and redirect_url params
- the API responds to this request by generating a reset_password_token and sending an email to the email address provided within the email parameter
- the user clicks the link in the email, which brings them to the 'Verify user by password reset token' endpoint (GET /password/edit)
- this endpoint verifies the user and redirects them to the redirect_url
- this redirect_url is a page on the frontend which contains a password and password_confirmation field
- the user submits the form on this frontend page, which sends a request to API: PUT /auth/password with the password and password_confirmation parameters
- the API changes the user's password and responds back with a success message
My problem occurs between steps 8 and 9, where I get a 401 Unauthorized response. Why is that? What can I do to solve this issue?
EDIT:
From the documentation and threads regarding this issue, I realized it has to do with headers. I do not know, however, how to manage headers on a request using Ruby on Rails.
EDIT2:
I managed to figure out where the problem lies. I need to pass access-token, client and uid as headers. I have access to that information and I'm trying to set the request headers by doing the following:
require 'net/http'

http = Net::HTTP.new("127.0.0.1", 3000)
request = Net::HTTP::Put.new("/api/v1/auth/password")
# devise_token_auth expects these three headers on every authenticated request
request.add_field('uid', @@sens_pms["uid"])
request.add_field('client', @@sens_pms["client_id"])
request.add_field('access-token', @@sens_pms["token"])
response = http.request(request)
However, a new problem comes up when I do this. The server (API) application throws the following error:
ActionDispatch::Cookies::CookieOverflow (ActionDispatch::Cookies::CookieOverflow)
Important information: I'm doing this in a development environment (no nginx, just webrick)
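The step-11 request built with the three headers the question identifies, as an added Ruby example that is neither the question's own code nor part of devise_token_auth; the host, port, path and the `auth` hash of stored header values are assumptions. It also includes a helper that copies the auth headers out of a response, because devise_token_auth replaces `access-token` on each authenticated request by default, so the client has to keep the latest values for the next call.

```ruby
require 'net/http'
require 'json'

# Header names devise_token_auth uses to carry the token session.
AUTH_HEADERS = %w[access-token client uid].freeze

# Build the PUT /auth/password request from step 11 of the flow.
# auth is a Hash holding the 'access-token', 'client' and 'uid' values the
# GET /password/edit redirect handed to the front end (assumed to be stored
# by the caller). Returns [http, request]; nothing is sent here.
def build_password_update(host, port, path, auth, password, confirmation)
  missing = AUTH_HEADERS.select { |h| auth[h].to_s.empty? }
  raise ArgumentError, "missing auth headers: #{missing.join(', ')}" unless missing.empty?

  http = Net::HTTP.new(host, port)
  request = Net::HTTP::Put.new(path)
  AUTH_HEADERS.each { |h| request[h] = auth[h] }
  # The new password goes in the request body, not in a cookie or the query string.
  request['Content-Type'] = 'application/json'
  request['Accept'] = 'application/json'
  request.body = JSON.generate('password' => password,
                               'password_confirmation' => confirmation)
  [http, request]
end

# devise_token_auth rotates access-token on each authenticated request
# (change_headers_on_each_request defaults to true), so keep whatever the
# latest response returned and use it for the following request.
def extract_auth_headers(response)
  AUTH_HEADERS.each_with_object({}) do |h, out|
    value = response[h]
    out[h] = value if value
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values, not real credentials.
  auth = { 'access-token' => 'tok', 'client' => 'cli', 'uid' => 'user@example.com' }
  http, request = build_password_update('127.0.0.1', 3000, '/api/v1/auth/password',
                                        auth, 'newpass123', 'newpass123')
  response = http.request(request)
  puts response.code
  puts extract_auth_headers(response).inspect
end
```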