2014-01-23 41 views
6

I implemented the OAuth login with Facebook using Devise, and when I go through the accept procedure (popup) I get the following error returned (Ruby on Rails, Devise, OAuth, Facebook, OmniAuth::Strategies::OAuth2::CallbackError):

Could not authenticate you from Facebook because "Csrf detected".

This is the log:

    Started GET "/users/auth/facebook/callback" for 127.0.0.1 at 2014-01-23 23:59:58 +0100
    ActiveRecord::SchemaMigration Load (0.3ms)  SELECT "schema_migrations".* FROM "schema_migrations"
    (facebook) Callback phase initiated.
    (facebook) Authentication failure! csrf_detected: OmniAuth::Strategies::OAuth2::CallbackError, csrf_detected | CSRF detected

My User model

    class User < ActiveRecord::Base
      devise :token_authenticatable, :database_authenticatable, :registerable,
             :recoverable, :rememberable, :trackable, :validatable, :confirmable,
             :omniauthable, :omniauth_providers => [:facebook]
      before_save :ensure_authentication_token

      has_one :user_settings
      has_many :predictions
      has_many :user_leagues
      has_many :leagues, through: :user_leagues # this wasn't working, solution found: http://stackoverflow.com/questions/1781202/could-not-find-the-association-problem-in-rails

      valid_email_regex = /\A[\w+\-.]+@[a-z\d\-]+(\.[a-z]+)*\.[a-z]+\z/i
      validates :email, format: { with: valid_email_regex }

      validates :firstName, :lastName, :username, presence: true
      acts_as_voter

      def self.find_for_facebook_oauth(auth)
        where(auth.slice(:provider, :uid)).first_or_initialize.tap do |user|
          user.provider = auth.provider
          user.uid = auth.uid
          user.email = auth.info.email
          user.password = Devise.friendly_token[0,20]
          user.firstName = auth.info.name # assuming the user model has a name
          # user.image = auth.info.image # assuming the user model has an image
          user.save!
        end
      end
    end

I have my Facebook ID and secret in devise.rb

    require "omniauth-facebook"
    OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE if Rails.env.development?
    config.omniauth :facebook, ENV["APP_ID"], ENV['FACEBOOK_SECRET']

and I do the authentication via JavaScript

    jQuery ->
      $('body').prepend('<div id="fb-root"></div>')

      $.ajax
        url: "#{window.location.protocol}//connect.facebook.net/en_US/all.js"
        dataType: 'script'
        cache: true

    window.fbAsyncInit = ->
      FB.init(appId: '123512341234', cookie: true)

      $('#sign_in').click (e) ->
        e.preventDefault()
        FB.login (response) ->
          #console.log(response)
          window.location = '/users/auth/facebook/callback' if response.authResponse

      $('#sign_out').click (e) ->
        FB.getLoginStatus (response) ->
          FB.logout() if response.authResponse
        true

and the gem list installed in the bundle

rake (10.1.1) 
i18n (0.6.9) 
minitest (4.7.5) 
multi_json (1.8.4) 
atomic (1.1.14) 
thread_safe (0.1.3) 
tzinfo (0.3.38) 
activesupport (4.0.0) 
builder (3.1.4) 
erubis (2.7.0) 
rack (1.5.2) 
rack-test (0.6.2) 
actionpack (4.0.0) 
mime-types (1.25.1) 
polyglot (0.3.3) 
treetop (1.4.15) 
mail (2.5.4) 
actionmailer (4.0.0) 
activemodel (4.0.0) 
active_model_serializers (0.8.1) 
activerecord-deprecated_finders (1.0.3) 
arel (4.0.1) 
activerecord (4.0.0) 
acts_as_votable (0.8.0) 
addressable (2.3.5) 
bcrypt-ruby (3.1.2) 
coderay (1.1.0) 
better_errors (1.1.0) 
sass (3.2.13) 
bootstrap-sass (2.3.2.2) 
mini_portile (0.5.2) 
nokogiri (1.6.1) 
xpath (2.0.0) 
capybara (2.1.0) 
certified (0.1.1) 
ffi (1.9.3) 
childprocess (0.4.0) 
coffee-script-source (1.6.3) 
execjs (2.0.2) 
coffee-script (2.2.0) 
thor (0.18.1) 
railties (4.0.0) 
coffee-rails (4.0.1) 
diff-lcs (1.2.5) 
gherkin (2.12.2) 
multi_test (0.0.3) 
cucumber (1.3.10) 
bundler (1.5.1) 
hike (1.2.3) 
tilt (1.4.1) 
sprockets (2.10.1) 
sprockets-rails (2.0.1) 
rails (4.0.0) 
cucumber-rails (1.4.0) 
orm_adapter (0.5.0) 
warden (1.2.3) 
devise (3.0.4) 
launchy (2.4.2) 
email_spec (1.5.0) 
factory_girl (4.3.0) 
factory_girl_rails (4.3.0) 
faker (1.2.0) 
multipart-post (2.0.0) 
faraday (0.9.0) 
hashie (2.0.5) 
jbuilder (1.0.2) 
jquery-rails (3.0.4) 
json (1.8.1) 
jwt (0.1.11) 
multi_xml (0.5.5) 
oauth2 (0.9.3) 
omniauth (1.2.1) 
omniauth-oauth2 (1.1.2) 
omniauth-facebook (1.6.0) 
pg (0.17.1) 
rack-cors (0.2.9) 
rails_serve_static_assets (0.0.2) 
rails_stdout_logging (0.0.3) 
rails_12factor (0.0.2) 
rdoc (3.12.2) 
rspec-core (2.13.1) 
rspec-expectations (2.13.0) 
rspec-mocks (2.13.1) 
rspec-rails (2.13.1) 
rubyzip (0.9.9) 
sass-rails (4.0.1) 
sdoc (0.3.20) 
websocket (1.0.7) 
selenium-webdriver (2.35.1) 
turbolinks (1.1.1) 
uglifier (2.1.1) 

Rails 4.0.0

Thanks a lot in advance!

+0

Do we need to configure fb twice, 1. in devise.rb and 2. in omniauth.rb? –

+0

No, if you're using Devise you only need to set it up in devise.rb – selaromi

Answers

14

I added this to my APP_NAME/config/initializers/devise.rb

    { provider_ignores_state: true }

so it ended up as

    require "omniauth-facebook"
    config.omniauth :facebook, ENV["FACEBOOK_APP_ID"], ENV['FACEBOOK_SECRET'], provider_ignores_state: true

Hope this helps someone else!

+0

Helped me, thanks! – DanS

+0

The explanation is: "Some OAuth2 providers ignore the 'state' parameter and do not return it to the client. CSRF protection using this parameter is not possible for such services. Added a boolean option :provider_ignores_state to disable CSRF protection for individual strategies." – selaromi

+0

This is dangerous. It allows someone to attack your site using CSRF. Your Gemfile doesn't list the version of omniauth-facebook you're using. You should upgrade to 1.6.0. Here is an example of how to use it with client-side login: https://github.com/mkdynamic/omniauth-facebook/blob/master/example/config.ru –
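To make concrete what the `provider_ignores_state` option from the answer switches off, and why the question's JavaScript flow trips it, here is an added, constructed Ruby model of the `state` check that omniauth-oauth2 runs in its callback phase; it is illustration code written for this page, not the gem's implementation or anything posted by the participants. The `StateCheckedStrategy` class, the `question_flow`/`answer_flow`/`protected_flow` helpers and the sample authorization code value are assumptions made for the demonstration.

```ruby
require 'securerandom'

# Constructed model of the "state" check behind "csrf_detected" in the log
# above. Not the gem's code: plain hashes stand in for session and params.
class StateCheckedStrategy
  def initialize(provider_ignores_state: false)
    @session = {}
    @provider_ignores_state = provider_ignores_state
  end

  # Request phase (GET /users/auth/facebook): mint a random state, keep it in
  # the session and send it to the provider in the authorize redirect.
  def request_phase
    state = SecureRandom.hex(24)
    @session['omniauth.state'] = state
    "https://www.facebook.com/dialog/oauth?response_type=code&state=#{state}"
  end

  # Callback phase (GET /users/auth/facebook/callback): the state echoed back
  # must match the one this session issued; it is consumed so it cannot be
  # replayed. Returns :csrf_detected or :ok.
  def callback_phase(params)
    expected = @session.delete('omniauth.state')
    unless @provider_ignores_state
      state = params['state'].to_s
      return :csrf_detected if state.empty? || state != expected
    end
    :ok
  end
end

# The question's CoffeeScript flow: FB.login, then a hard redirect straight to
# the callback. No request phase ran, so no state exists anywhere: the log's failure.
def question_flow
  StateCheckedStrategy.new.callback_phase('code' => 'AQD_constructed')
end

# The accepted answer: with provider_ignores_state the same callback passes,
# but so does any callback whose code has no binding to this browser session.
def answer_flow
  StateCheckedStrategy.new(provider_ignores_state: true).callback_phase('code' => 'AQD_constructed')
end

# The server-initiated flow the check is designed for: request phase first.
def protected_flow
  s = StateCheckedStrategy.new
  state = s.request_phase[/state=(\h+)/, 1]
  s.callback_phase('code' => 'AQD_constructed', 'state' => state)
end
```

The last comment's alternative, letting omniauth-facebook read the JS SDK's signed-request cookie instead of redirecting to the callback by hand, keeps the session binding that this check provides.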