authlogic_oauth gotcha
I don’t want to imply by the title this is anyone’s fault but my own. But since it took me two days to figure out, I thought I’d share.
I’m using the excellent authentication package, authlogic, for my current project. I want to allow normal registrations through my site and also registrations using Twitter credentials. In an incremental way, I first implemented normal registrations. I followed the authlogic documentation and liberally copied & pasted from the authlogic_example source tree. One quick note here, authlogic is very well documented!
With no problems, registrations on my site worked. Then I moved on to oauth/Twitter registrations. Once again I read the documentation and followed the example code. Once again, it was excellently documented. This time, though, I fell into a two-day hole of frustration.
This was the error, cause of consternation, and some of the backtrace:
Processing UsersController#create (for 74.98.231.174 at 2009-07-29 15:05:11) [POST]
Parameters: {"action"=>"create", "controller"=>"users", "oauth_token"=>"NX6WgsvgPiyIJWnHdibE4l23vYnrJo4XztZdzn24mM", "oauth_verifier"=>"S0EUR49GOYRtZ9IFCpXMBHCh4n3eedcnka8sdd7vdM"}
User Columns (2.3ms) SHOW FIELDS FROM `users`
User Load (0.4ms) SELECT * FROM `users` WHERE (`users`.`persistence_token` = '...') LIMIT 1
User Load (0.5ms) SELECT * FROM `users` WHERE (`users`.`oauth_token` = '14934375-oOOgpW5hXiONW6NM4yD9PHlkhAJyHmbVyeLwUz5R4') LIMIT 1
SQL (0.2ms) BEGIN
SQL (0.2ms) ROLLBACK
OAuth::Unauthorized (401 Unauthorized):
oauth (0.3.5) [v] lib/oauth/consumer.rb:197:in `token_request'
oauth (0.3.5) [v] lib/oauth/tokens/request_token.rb:18:in `get_access_token'
vendor/gems/authlogic-oauth-1.0.7/lib/authlogic_oauth/oauth_process.rb:42:in `generate_access_token'
vendor/gems/authlogic-oauth-1.0.7/lib/authlogic_oauth/acts_as_authentic.rb:93:in `authenticate_with_oauth'
vendor/gems/authlogic-oauth-1.0.7/lib/authlogic_oauth/oauth_process.rb:12:in `validate_by_oauth'
vendor/gems/authlogic-oauth-1.0.7/lib/authlogic_oauth/acts_as_authentic.rb:67:in `save'
app/controllers/users_controller.rb:20:in `create'
vendor/gems/authlogic-oauth-1.0.7/lib/oauth_callback_filter.rb:10:in `call'
Unauthorized was quite frustrating as my error because Twitter, to the eye, was certainly authorizing my request. Also, when the process was tested on the command line via oauth directly, I had no issues.
It turns out the problem was in a before_filter which verified that there was no user in the session when creating a new user (as was suggested by the authlogic_example code for a totally sensible reason). What I believe was happening as a result of this was that the callback return from Twitter, including an oauth_token and oauth_verifier, was then being redirected again because of the user in the session, whereby another call to Twitter was attempted using the oauth_token that was a param. Anyways, it’s not terribly important except to say that it completely broke with an error that didn’t help me decipher the problem.
When I changed the actions for which my before_filter applied, the problem was solved.
class UsersController < ApplicationController
  # authlogic_example: THIS ONE BREAKS OAUTH
  # before_filter :require_no_user, :only => [:new, :create]

  # authlogic_example (oauth branch): THIS ONE WORKS
  before_filter :require_no_user, :only => [:new]

  # (actions omitted)
end
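The failure mode described above, modeled as an added Ruby example (not code from this post, authlogic or authlogic_oauth). It assumes, as the author suspects, that the filter's user lookup performs its own token exchange. `StubProvider`, `handle_callback` and the token values are hypothetical and constructed.

```ruby
class Unauthorized < StandardError; end

# Constructed stand-in for an OAuth 1.0a provider: an authorized request
# token can be exchanged for an access token exactly once.
class StubProvider
  attr_reader :exchanges

  def initialize(authorized)
    @pending = authorized.dup # request_token => verifier
    @exchanges = 0
  end

  def exchange(request_token, verifier)
    @exchanges += 1
    # delete consumes the token even when the verifier is wrong
    unless @pending.delete(request_token) == verifier
      raise Unauthorized, "401 Unauthorized"
    end
    "access-for-#{request_token}"
  end
end

# Constructed callback parameters, shaped like the ones in the log above.
CALLBACK = { "oauth_token" => "rt-constructed",
             "oauth_verifier" => "v-constructed" }.freeze

# Hypothetical model of the provider callback landing on `create`.
def handle_callback(provider, params, filter_on_create:)
  users_by_access_token = {} # new registration: no matching user yet
  if filter_on_create
    # Assumption: with oauth_token in params, resolving the current user
    # attempts an OAuth login, which spends the request token.
    access = provider.exchange(params["oauth_token"], params["oauth_verifier"])
    return "redirect" if users_by_access_token[access] # require_no_user
  end
  # The action's own exchange (User#save -> generate_access_token).
  provider.exchange(params["oauth_token"], params["oauth_verifier"])
rescue Unauthorized => e
  e.message
end
```

More than one exchange attempt for the same request token is the signal to look for when a provider that visibly authorized the user still answers 401.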
Hopefully my two days of flailing helps someone else out in the same position. I hate when this happens.
Thanks again to the authors of authlogic and authlogic_oauth for writing some great code and documentation. I really want to stress that this was my fault, not theirs. Hopefully this lesson will make it into the documentation.





