Login modal using default rails ajax request not working with subdomains

rubyonrails-talk
1

I am having a devise user model.

To login I am using twitter-bootstrap modal.The modal is by default hidden and shown only after an rails default ajax request is send to the server.

It works fine with localhost and production. But when a user is on a subdomain(using acts_as_tenant) like business.lvh.me:3000 the modal window does not pop up and the ajax request fails.

I am sharing the session across all the domains.

My SessionStore initializer.

Rails.application.config.session_store :active_record_store, :key => '_my_app_session',domain: 'lvh.me'

PFB the error.log for the same.

  Rendered remote_content/_remote_sign_up.html.erb (78.8ms)   Rendered remote_content/remote_sign_up.js.erb (86.2ms) Security warning: an embedded <script> tag on another site requested protected JavaScript. If you know what you're doing, go ahead and disable forgery protection on this action to permit cross-origin JavaScript embedding. Completed 422 Unprocessable Entity in 100ms (Views: 96.1ms | ActiveRecord: 1.6ms)

ActionController::InvalidCrossOriginRequest - Security warning: an embedded <script> tag on another site requested protected JavaScript. If you know what you're doing, go ahead and disable forgery protection on this action to permit cross-origin JavaScript embedding.:   actionpack (4.2.4) lib/action_controller/metal/request_forgery_protection.rb:225:in `verify_same_origin_request'   activesupport (4.2.4) lib/active_support/callbacks.rb:432:in `block in make_lambda'   activesupport (4.2.4) lib/active_support/callbacks.rb:239:in `block in halting'   activesupport (4.2.4) lib/active_support/callbacks.rb:506:in `block in call'   activesupport (4.2.4) lib/active_support/callbacks.rb:506:in `call'   activesupport (4.2.4) lib/active_support/callbacks.rb:92:in `__run_callbacks__'   activesupport (4.2.4) lib/active_support/callbacks.rb:778:in `_run_process_action_callbacks'   activesupport (4.2.4) lib/active_support/callbacks.rb:81:in `run_callbacks'   actionpack (4.2.4) lib/abstract_controller/callbacks.rb:19:in `process_action'   actionpack (4.2.4) lib/action_controller/metal/rescue.rb:29:in `process_action'   actionpack (4.2.4) lib/action_controller/metal/instrumentation.rb:32:in `block in process_action'   activesupport (4.2.4) lib/active_support/notifications.rb:164:in `block in instrument'   activesupport (4.2.4) lib/active_support/notifications/instrumenter.rb:20:in `instrument'   activesupport (4.2.4) lib/active_support/notifications.rb:164:in `instrument'   actionpack (4.2.4) lib/action_controller/metal/instrumentation.rb:30:in `process_action'   actionpack (4.2.4) lib/action_controller/metal/params_wrapper.rb:250:in `process_action'   activerecord (4.2.4) lib/active_record/railties/controller_runtime.rb:18:in `process_action'   actionpack (4.2.4) lib/abstract_controller/base.rb:137:in `process'   actionview (4.2.4) lib/action_view/rendering.rb:30:in `process'   actionpack (4.2.4) lib/action_controller/metal.rb:196:in `dispatch'   actionpack (4.2.4) lib/action_controller/metal/rack_delegation.rb:13:in `dispatch'   actionpack (4.2.4) lib/action_controller/metal.rb:237:in `block in action'   actionpack (4.2.4) lib/action_dispatch/routing/route_set.rb:76:in `dispatch'   actionpack (4.2.4) lib/action_dispatch/routing/route_set.rb:45:in `serve'   actionpack (4.2.4) lib/action_dispatch/journey/router.rb:43:in `block in serve'   actionpack (4.2.4) lib/action_dispatch/journey/router.rb:30:in `serve'   actionpack (4.2.4) lib/action_dispatch/routing/route_set.rb:821:in `call'   warden (1.2.3) lib/warden/manager.rb:35:in `block in call'   warden (1.2.3) lib/warden/manager.rb:34:in `call'   rack (1.6.4) lib/rack/etag.rb:24:in `call'   rack (1.6.4) lib/rack/conditionalget.rb:25:in `call'   rack (1.6.4) lib/rack/head.rb:13:in `call'   actionpack (4.2.4) lib/action_dispatch/middleware/params_parser.rb:27:in `call'   actionpack (4.2.4) lib/action_dispatch/middleware/flash.rb:260:in `call'   rack (1.6.4) lib/rack/session/abstract/id.rb:225:in `context'   rack (1.6.4) lib/rack/session/abstract/id.rb:220:in `call'   actionpack (4.2.4) lib/action_dispatch/middleware/cookies.rb:560:in `call'   activerecord (4.2.4) lib/active_record/query_cache.rb:36:in `call'   activerecord (4.2.4) lib/active_record/connection_adapters/abstract/connection_pool.rb:653:in `call'   activerecord (4.2.4) lib/active_record/migration.rb:377:in `call'   actionpack (4.2.4) lib/action_dispatch/middleware/callbacks.rb:29:in `block in call'   activesupport (4.2.4) lib/active_support/callbacks.rb:88:in `__run_callbacks__'   activesupport (4.2.4) lib/active_support/callbacks.rb:778:in `_run_call_callbacks'   activesupport (4.2.4) lib/active_support/callbacks.rb:81:in `run_callbacks'   actionpack (4.2.4) lib/action_dispatch/middleware/callbacks.rb:27:in `call'   actionpack (4.2.4) lib/action_dispatch/middleware/reloader.rb:73:in `call'   actionpack (4.2.4) lib/action_dispatch/middleware/remote_ip.rb:78:in `call'   better_errors (2.1.1) lib/better_errors/middleware.rb:84:in `protected_app_call'   better_errors (2.1.1) lib/better_errors/middleware.rb:79:in `better_errors_call'   better_errors (2.1.1) lib/better_errors/middleware.rb:57:in `call'   actionpack (4.2.4) lib/action_dispatch/middleware/debug_exceptions.rb:17:in `call'   web-console (2.2.1) lib/web_console/middleware.rb:39:in `call'   actionpack (4.2.4) lib/action_dispatch/middleware/show_exceptions.rb:30:in `call'   railties (4.2.4) lib/rails/rack/logger.rb:38:in `call_app'   railties (4.2.4) lib/rails/rack/logger.rb:20:in `block in call'   activesupport (4.2.4) lib/active_support/tagged_logging.rb:68:in `block in tagged'   activesupport (4.2.4) lib/active_support/tagged_logging.rb:26:in `tagged'   activesupport (4.2.4) lib/active_support/tagged_logging.rb:68:in `tagged'   railties (4.2.4) lib/rails/rack/logger.rb:20:in `call'   request_store (1.2.0) lib/request_store/middleware.rb:8:in `call'   actionpack (4.2.4) lib/action_dispatch/middleware/request_id.rb:21:in `call'   rack (1.6.4) lib/rack/methodoverride.rb:22:in `call'   rack (1.6.4) lib/rack/runtime.rb:18:in `call'   activesupport (4.2.4) lib/active_support/cache/strategy/local_cache_middleware.rb:28:in `call'   rack (1.6.4) lib/rack/lock.rb:17:in `call'   actionpack (4.2.4) lib/action_dispatch/middleware/static.rb:116:in `call'   rack (1.6.4) lib/rack/sendfile.rb:113:in `call'   railties (4.2.4) lib/rails/engine.rb:518:in `call'   railties (4.2.4) lib/rails/application.rb:165:in `call'   rack (1.6.4) lib/rack/content_length.rb:15:in `call'   puma (2.9.2) lib/puma/server.rb:490:in `handle_request'   puma (2.9.2) lib/puma/server.rb:361:in `process_client'   puma (2.9.2) lib/puma/server.rb:254:in `block in run'   puma (2.9.2) lib/puma/thread_pool.rb:92:in `block in spawn_thread'

2

Sorry to tell you, but this behavior is by design. You'll have to put it on the same subdomain as the accessed page or use a workaround like an API. This is actually a limitation of AJAX.

3

This is a restriction of the browser security model - it’s deliberately designed to restrict where AJAX requests etc can originate from to block several classes of attack.

You should look into rack-cors: GitHub - cyu/rack-cors: Rack Middleware for handling Cross-Origin Resource Sharing (CORS), which makes cross-origin AJAX possible.

to help send the appropriate preflight headers to allow this to work.

–Matt Jones

4

your problem it’s related with CORS.

A little recipe to solve this:

  1. install rack-cors gem. On your Gemfile:

Gemfile

gem ‘rack-cors’, :require => ‘rack/cors’

``

  1. on shell: bundle install

``

  1. on your application.rb:

application.rb

config.middleware.insert_before 0, “Rack::Cors” do allow do origins ‘*’ # on production, use the line below instead

origins ‘localhost:3001’, ‘myfabulousapp.com

resource '*', :headers => :any, :methods => [:get, :post, :delete, :put, :head]

end end

``

maybe it will be required to send your credentials on your request (on the JS side) too.

I don’t know if you are using angular or jquery to communicate with your API, but I made this tutorial about how to integrate angular with devise, which can be useful for you (even that you aren’t using angular, some tips are on the server side): http://www.learnwithdaniel.com/2015/10/rails-angular-authentication/