Authorized Users Only on iOS client #792

Closed
tghsoftdev opened this issue Dec 15, 2016 · 10 comments

@tghsoftdev

tghsoftdev commented Dec 15, 2016

I have Android and web clients using Retrofit that work perfectly, but my iOS client is giving me "Authorized Users Only". I presume the problem occurs after doing batch requests.

I've tried using Swift 2 native NSURLRequests and Alamofire, but I'm still receiving the error message.

The API was built using Devise 4.2, Devise Token Auth 0.1.39, Ruby 2.3.1 and Rails 4.2.7.1 using token authentication.

After I log in and get the user credentials, I randomly get "Authorized Users Only" when doing requests. I'm sending the following headers on every request:

HEADERS: ["content-type": "application/json", "Token-Type": "Bearer", "Uid": "carrier01@example.com", "accept": "application/json", "connection": "keep-alive", "Expiry": "1483034285", "Access-Token": "K4dVv2F6AZW78CW1scrF6w", "Client": "_l5mGyZqt5n15W6Val9g2g"]

I'm storing access-token, token-type, uid and client from every response and sending them when doing a new request, except when I do batch requests; then I keep the latest headers and work with those until I receive new ones.

For example:
Request 1:

POST: http://192.168.0.103:3000/api/v1/auth/sign_in
HEADERS: ["content-type": "application/json", "accept": "application/json", "connection": "keep-alive"]

Response 1:

STATUS CODE: 200
HEADERS: [Content-Type: application/json; charset=utf-8, Uid: carrier01@example.com, X-Runtime: 1.046672, X-Xss-Protection: 1; mode=block, Server: WEBrick/1.3.1 (Ruby/2.3.1/2016-04-26), Token-Type: Bearer, Cache-Control: max-age=0, private, must-revalidate, Date: Thu, 15 Dec 2016 18:25:41 GMT, X-Request-Id: 09959fa3-197b-4232-b741-e75d3ca4b369, Content-Length: 265, Access-Token: 6jWZ0SHzHc25McL1ay_hdw, Expiry: 1483035941, Connection: Keep-Alive, X-Content-Type-Options: nosniff, Client: 0u5JvBb416zQOgK8p9ViyQ, X-Frame-Options: SAMEORIGIN, Etag: W/"c83336c4eb1f85e45272eeaa3dde38d1"]
SUCCESS: {
    // Data received
}

Request 2:

GET: http://192.168.0.103:3000/api/v1/carriers/1
HEADERS: ["content-type": "application/json", "Token-Type": "Bearer", "Uid": "carrier01@example.com", "accept": "application/json", "connection": "keep-alive", "Expiry": "1483035941", "Access-Token": "6jWZ0SHzHc25McL1ay_hdw", "Client": "0u5JvBb416zQOgK8p9ViyQ"]

Response 2:

STATUS CODE: 200
HEADERS: [Content-Type: application/json; charset=utf-8, Uid: carrier01@example.com, X-Runtime: 1.350363, Set-Cookie: _rbricksgen_session=SkI5QTRDSlhFM3VMK2FXdVZaNWVnMmVudGNjbzFvdC9BeCt5a2lwOGlMdS90SElvL3ZHRmNsS1FIYlBWWkJ3RzAvaXpmKzYvcGVHQ25CLy93RG4xb2R6K1hBeGdzT052K1ZtMUFoSEVPUzgvZWRlREpic2RzeFdiY3NUT3YvclBObGJUZUlmNklqOVh2YStZWGNkZ2FMTEF3bzJ2K1FXeExnZU43K0RWOGFhN1dTc1loS2JORGRLUnF1MDhSZ2kxLS0yTmVpTVR0TkZvZVgrd2czRXVUamFnPT0%3D--2cc095e433c8fb966c05fc95c10a12a73b24415b; path=/; HttpOnly, Server: WEBrick/1.3.1 (Ruby/2.3.1/2016-04-26), Token-Type: Bearer, X-Xss-Protection: 1; mode=block, Cache-Control: max-age=0, private, must-revalidate, Date: Thu, 15 Dec 2016 18:25:46 GMT, X-Request-Id: 54843524-e058-4eb9-9c26-16db460fecc0, Content-Length: 1290, Access-Token: ZTPZaINKJJAUEz96QoqMNw, Connection: Keep-Alive, Expiry: 1483025457, X-Content-Type-Options: nosniff, Etag: W/"5c5264ee23833e1a3e9335dbca99bd94", X-Frame-Options: SAMEORIGIN, Client: _l5mGyZqt5n15W6Val9g2g]
SUCCESS: {
    // Data received
}

Request 3:

GET: http://192.168.0.103:3000/api/v1/carriers/1/carrier_information
HEADERS: ["content-type": "application/json", "Token-Type": "Bearer", "Uid": "carrier01@example.com", "accept": "application/json", "connection": "keep-alive", "Expiry": "1483025457", "Access-Token": "ZTPZaINKJJAUEz96QoqMNw", "Client": "_l5mGyZqt5n15W6Val9g2g"]

Response 3:

STATUS CODE: 401
HEADERS: [Content-Type: application/json; charset=utf-8, X-Runtime: 0.231622, Set-Cookie: _rbricksgen_session=TGMvWW5EQThtLzZoQTJZVDMxUzBuZEU1cktiN1RJMDQ5OWNmeklUa1g1WW83MUVaZUk3VXNxSG0vY3lVRXl1eWwydkhTV212akkzbE8ydWFaRmtVVm5RZjYwbEZac084THlNTUNpSmE0bXQ3cmtLaFNUMXdRelRYK3FJdUJ2eFVubGVEOFVPS2ZvYk80TE4xdHYyYURSSTVxdXlNNXRVZ1gzVUY2SEtlYURlZWU3ZnEzSnFmTFBPNFBqcmZLMWxvLS1ETmZXdktCb0FNYnU5cTJPTThUcTFBPT0%3D--1fe4e25a77f2121acfcb5004f26e4da818ba7bee; path=/; HttpOnly, Server: WEBrick/1.3.1 (Ruby/2.3.1/2016-04-26), X-Xss-Protection: 1; mode=block, Cache-Control: no-cache, Date: Thu, 15 Dec 2016 18:25:48 GMT, X-Request-Id: 9eb16cc3-acf7-438a-9fe8-e14917f2f4e3, Content-Length: 37, Connection: Keep-Alive, X-Content-Type-Options: nosniff, X-Frame-Options: SAMEORIGIN]
SUCCESS: {
    errors =     (
        "Authorized users only."
    );
}

Am I doing something wrong? I hope you could help me; this just happens on iOS.
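As an added example (not code from the issue or from devise_token_auth), the script below parses the HEADERS dumps posted above and checks, exchange by exchange, whether the client echoed the credentials it was last issued and how the server rotated them. The sample data is copied from the issue with the long Set-Cookie values and some unrelated headers trimmed; the dictionary layout used for the exchanges is an assumption of this script.

```ruby
# Added example; not code from the issue or from devise_token_auth.
# Parses the "HEADERS: [...]" dumps posted in this issue and reports, exchange
# by exchange, whether the client echoed the credentials it was last issued and
# how the server rotated them. Sample data below is copied from the issue
# (Set-Cookie values and some unrelated headers trimmed for brevity).

AUTH_KEYS = %w[access-token client uid expiry token-type].freeze

# Parse one dump. Requests are logged as a quoted Swift dictionary
# (["Key": "Value", ...]); responses as unquoted [Key: Value, ...]. Values may
# themselves contain commas (Date, Cache-Control), so split only where the next
# token looks like a header name followed by ": ".
def parse_header_dump(line)
  body = line.sub(/\AHEADERS:\s*\[/, '').sub(/\]\s*\z/, '').delete('"')
  body.split(/,\s+(?=[\w-]+: )/).each_with_object({}) do |pair, acc|
    key, value = pair.split(': ', 2)
    acc[key.strip.downcase] = value.to_s.strip
  end
end

def auth_fields(headers)
  headers.select { |k, _| AUTH_KEYS.include?(k) }
end

# exchanges: array of { label:, kind: :request or :response, status:, headers: }
# Returns an array of finding strings; empty means every request echoed the
# most recently issued token and every response carried credentials.
def audit_exchanges(exchanges)
  findings = []
  issued = nil # auth fields from the last response that carried a token
  exchanges.each do |ex|
    fields = auth_fields(parse_header_dump(ex[:headers]))
    if ex[:kind] == :request
      if issued && fields['access-token'] != issued['access-token']
        findings << "#{ex[:label]}: sent access-token #{fields['access-token']}, last issued was #{issued['access-token']}"
      end
      next
    end
    if fields['access-token'].nil?
      findings << "#{ex[:label]}: HTTP #{ex[:status]} carried no credentials"
      next
    end
    if issued
      findings << "#{ex[:label]}: client changed #{issued['client']} -> #{fields['client']}" if fields['client'] != issued['client']
      findings << "#{ex[:label]}: expiry moved backwards #{issued['expiry']} -> #{fields['expiry']}" if fields['expiry'].to_i < issued['expiry'].to_i
    end
    issued = fields
  end
  findings
end

# Constructed from the dumps in this issue (trimmed).
SAMPLE_EXCHANGES = [
  { label: 'Response 1', kind: :response, status: 200,
    headers: 'HEADERS: [Content-Type: application/json; charset=utf-8, Uid: carrier01@example.com, X-Runtime: 1.046672, X-Xss-Protection: 1; mode=block, Server: WEBrick/1.3.1 (Ruby/2.3.1/2016-04-26), Token-Type: Bearer, Cache-Control: max-age=0, private, must-revalidate, Date: Thu, 15 Dec 2016 18:25:41 GMT, Content-Length: 265, Access-Token: 6jWZ0SHzHc25McL1ay_hdw, Expiry: 1483035941, Connection: Keep-Alive, Client: 0u5JvBb416zQOgK8p9ViyQ, Etag: W/"c83336c4eb1f85e45272eeaa3dde38d1"]' },
  { label: 'Request 2', kind: :request, status: nil,
    headers: 'HEADERS: ["content-type": "application/json", "Token-Type": "Bearer", "Uid": "carrier01@example.com", "accept": "application/json", "connection": "keep-alive", "Expiry": "1483035941", "Access-Token": "6jWZ0SHzHc25McL1ay_hdw", "Client": "0u5JvBb416zQOgK8p9ViyQ"]' },
  { label: 'Response 2', kind: :response, status: 200,
    headers: 'HEADERS: [Content-Type: application/json; charset=utf-8, Uid: carrier01@example.com, Token-Type: Bearer, Date: Thu, 15 Dec 2016 18:25:46 GMT, Access-Token: ZTPZaINKJJAUEz96QoqMNw, Expiry: 1483025457, Client: _l5mGyZqt5n15W6Val9g2g]' },
  { label: 'Request 3', kind: :request, status: nil,
    headers: 'HEADERS: ["content-type": "application/json", "Token-Type": "Bearer", "Uid": "carrier01@example.com", "Expiry": "1483025457", "Access-Token": "ZTPZaINKJJAUEz96QoqMNw", "Client": "_l5mGyZqt5n15W6Val9g2g"]' },
  { label: 'Response 3', kind: :response, status: 401,
    headers: 'HEADERS: [Content-Type: application/json; charset=utf-8, X-Runtime: 0.231622, Cache-Control: no-cache, Date: Thu, 15 Dec 2016 18:25:48 GMT, Content-Length: 37, Connection: Keep-Alive]' }
].freeze

puts audit_exchanges(SAMPLE_EXCHANGES) if $PROGRAM_NAME == __FILE__
```

Run against the posted exchanges, the audit confirms that the client did echo exactly what it was last given (Request 2 and Request 3 produce no findings), and that the server's Response 2 both changed the Client value and returned an Expiry earlier than the one it had issued a few seconds before, after which Response 3 is a 401 with no credentials. Keeping a log like this on both sides of a token-rotation scheme is the quickest way to tell a client-side caching bug from a server-side rotation bug.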

@iduuck

iduuck commented Jan 5, 2017

+1

@iduuck

iduuck commented Jan 5, 2017

@tghsoftdev Is this fixed, yet?

@tghsoftdev
Author

@iduuck no, I still have this problem and couldn't find a solution yet. Do you have this problem too?

@iduuck

iduuck commented Jan 6, 2017

@tghsoftdev Yeah I have it too...

@augustosamame

+1

@derotune

+1

@tghofereira

I managed to fix it by changing the file manually; if they don't update this, it has to be done again in future versions!

It works on iOS and Android.

route: ../app/controllers/devise_token_auth/concerns/set_user_by_token.rb

  • The change was made on the line commented #change made here

before --->

def update_auth_header
  # cannot save object if model has invalid params
  return unless @resource && @resource.valid? && @client_id

  # Generate new client_id with existing authentication
  @client_id = nil unless @used_auth_by_token

  if @used_auth_by_token && !DeviseTokenAuth.change_headers_on_each_request
    # should not append auth header if @resource related token was
    # cleared by sign out in the meantime
    return if @resource.reload.tokens[@client_id].nil?

    auth_header = @resource.build_auth_header(@token, @client_id)

    # update the response header
    response.headers.merge!(auth_header)

  else

    # Lock the user record during any auth_header updates to ensure
    # we don't have write contention from multiple threads
    @resource.with_lock do
      # should not append auth header if @resource related token was
      # cleared by sign out in the meantime
      return if @used_auth_by_token && @resource.tokens[@client_id].nil?

      # determine batch request status after request processing, in case
      # another process has updated it during that processing
      @is_batch_request = is_batch_request?(@resource, @client_id)

      auth_header = {}

      # extend expiration of batch buffer to account for the duration of
      # this request
      if @is_batch_request
        auth_header = @resource.extend_batch_buffer(@token, @client_id)

      # update Authorization response header with new token
      else
        auth_header = @resource.create_new_auth_token(@client_id)

        # update the response header
        response.headers.merge!(auth_header) #change made here
      end

    end # end lock

  end

end

<--------

after --->

def update_auth_header
  # cannot save object if model has invalid params
  return unless @resource && @resource.valid? && @client_id

  # Generate new client_id with existing authentication
  @client_id = nil unless @used_auth_by_token

  if @used_auth_by_token && !DeviseTokenAuth.change_headers_on_each_request
    # should not append auth header if @resource related token was
    # cleared by sign out in the meantime
    return if @resource.reload.tokens[@client_id].nil?

    auth_header = @resource.build_auth_header(@token, @client_id)

    # update the response header
    response.headers.merge!(auth_header)

  else

    # Lock the user record during any auth_header updates to ensure
    # we don't have write contention from multiple threads
    @resource.with_lock do
      # should not append auth header if @resource related token was
      # cleared by sign out in the meantime
      return if @used_auth_by_token && @resource.tokens[@client_id].nil?

      # determine batch request status after request processing, in case
      # another process has updated it during that processing
      @is_batch_request = is_batch_request?(@resource, @client_id)

      auth_header = {}

      # extend expiration of batch buffer to account for the duration of
      # this request
      if @is_batch_request
        auth_header = @resource.extend_batch_buffer(@token, @client_id)

      # update Authorization response header with new token
      else
        auth_header = @resource.create_new_auth_token(@client_id)
      end

      # update the response header (now for both branches)
      response.headers.merge!(auth_header) #change made here

    end # end lock

  end

end

<--------
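The only difference between the two versions above is where response.headers.merge!(auth_header) sits: inside the non-batch branch ("before") or after the if/else ("after"). The model below is an added example, not devise_token_auth code: FakeResource is a constructed stand-in for the Devise resource (tokens keyed by client id, as in the posted tokens[@client_id]), TOKEN_TTL is an arbitrary constructed lifetime, the token strings are a counter rather than random values, and only the locked branch of update_auth_header is modelled, since the other branch is identical in both versions. It shows that under the "before" placement a batch request produces a response with no Access-Token, Client or Expiry headers at all, while the "after" placement returns the extended buffer headers.

```ruby
# Added example; not devise_token_auth code. FakeResource is a constructed
# stand-in for the Devise resource (tokens keyed by client id, as in the posted
# tokens[@client_id]); TOKEN_TTL is an arbitrary constructed lifetime. Only the
# locked branch of update_auth_header is modelled, because the other branch is
# identical in the "before" and "after" versions posted in this issue.

TOKEN_TTL = 1_209_600 # constructed: 14 days, in seconds

class FakeResource
  attr_reader :tokens

  def initialize(uid)
    @uid = uid
    @tokens = {}
    @seq = 0
  end

  def valid?; true; end
  def reload; self; end
  def with_lock; yield; end # the real model takes a DB row lock here

  # Rotate: issue a fresh token under this client id and return its headers.
  def create_new_auth_token(client_id)
    @seq += 1
    token = "token-#{@seq}" # constructed; the real library uses random tokens
    @tokens[client_id] = { 'token' => token, 'expiry' => Time.now.to_i + TOKEN_TTL }
    build_auth_header(token, client_id)
  end

  # Batch window: keep the current token, push its expiry out.
  def extend_batch_buffer(token, client_id)
    @tokens[client_id]['expiry'] = Time.now.to_i + TOKEN_TTL
    build_auth_header(token, client_id)
  end

  # Header names match the HEADERS dumps in this issue.
  def build_auth_header(token, client_id)
    { 'Access-Token' => token, 'Token-Type' => 'Bearer', 'Client' => client_id,
      'Expiry' => @tokens[client_id]['expiry'].to_s, 'Uid' => @uid }
  end
end

# Returns the headers the response would carry. fix_applied: false reproduces
# the "before" placement of response.headers.merge! (inside the non-batch
# branch only); true reproduces the "after" placement (after the if/else).
def update_auth_header(resource, token, client_id, batch:, fix_applied:)
  response_headers = {}
  return response_headers unless resource && resource.valid? && client_id

  resource.with_lock do
    # token cleared by a sign-out in the meantime: append nothing
    return response_headers if resource.tokens[client_id].nil?

    auth_header = {}
    if batch
      auth_header = resource.extend_batch_buffer(token, client_id)
    else
      auth_header = resource.create_new_auth_token(client_id)
      response_headers.merge!(auth_header) unless fix_applied # "before"
    end
    response_headers.merge!(auth_header) if fix_applied # "after"
  end
  response_headers
end

# Walk the issue's scenario: sign in, then a batch request under each version,
# then an ordinary (non-batch) request under the fixed version.
def compare_versions
  resource = FakeResource.new('carrier01@example.com')
  signed_in = resource.create_new_auth_token('client-1')
  token = signed_in['Access-Token']
  {
    signed_in_token: token,
    before_batch: update_auth_header(resource, token, 'client-1', batch: true, fix_applied: false),
    after_batch:  update_auth_header(resource, token, 'client-1', batch: true, fix_applied: true),
    after_plain:  update_auth_header(resource, token, 'client-1', batch: false, fix_applied: true)
  }
end

puts compare_versions.inspect if $PROGRAM_NAME == __FILE__
```

A client that, like the reporter's, stores the auth headers from every response has nothing to store when before_batch comes back empty, which is why the placement of a single merge! line matters for every client of the API and not just for one platform.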

@bartes

bartes commented Apr 13, 2017

I guess here is the fix: #703

@zachfeldman
Contributor

Waiting on #703 to be merged

@zachfeldman
Contributor

#703 has been merged! Try pointing to master to try it out. Closing this for now but feel free to reopen if this didn't fix it.
