Reputation: 2876
Sign Out not working on Heroku - using Devise gem and Rails 4
I just did an initial deploy to Heroku of a Rails 4 app that uses Devise for authentication. Signing out works locally, but Heroku returns an error that "The page you were looking for does not exist," and it doesn't log the user out.
Based on the Heroku logs and a Google/SO search, it looks like the reason is that Heroku is using a GET request instead of DELETE - though my app code specifies the :delete method for the link, and Devise uses DELETE for signing out by default. Some articles suggested that Heroku uses GET so that users can sign out without having JavaScript enabled, but I have the JS include tag in my code and JS is enabled in my browser. (I've checked using both Chrome and Safari.)
I've found instructions for changing the configuration so that Devise uses :get instead of :delete, but I would prefer to use the more secure :delete method if at all possible.
Thanks for the ideas so far. In response to your questions:
Here is my link:
<%= link_to "Log out", destroy_admin_session_path, method: :delete %>
This is what I have in the head tag to load the javascript:
<%= javascript_include_tag "application", "data-turbolinks-track" => true %>
There are no JS errors reported in the console.
Upvotes: 3
Views: 2297
Answers (2)
Reputation: 2876
I found the solution. The problem is that Rails 4 handles assets differently than Rails 3. By default, Rails 4 doesn't serve static assets. You can manually change this in config/application.rb by setting:
config.serve_static_assets = true
Another option (and the one that Heroku recommends) is to use the rails_12factor gem. Adding this to your Gemfile and running bundle install will make the adjustment for you and also set your logger to standard out. It can be used with Rails 3 and Rails 4 both.
gem 'rails_12factor', group: :production
I opted to use the gem. After I ran bundle install, committed the changes, and redeployed - my sign out link worked fine with no need to change the method. My scss files were also compiled and implemented accurately after this. (I hadn't done anything with the styles before, so I didn't realize this was an issue. Funny how encountering a new problem can help lead to a solution...)
Here are the resources that helped me:
https://devcenter.heroku.com/articles/rails-4-asset-pipeline
https://github.com/heroku/rails_12factor
Upvotes: 3
Reputation: 76774
You can't get more secure than the delete method currently
Rails actually has to set delete with JS, as it's not supported by most browsers. The way you set it is as thus:
<%= link_to "Logout", user_session_destroy_path, method: :delete %>
Although I get your point about making it more secure, I think your focus should be on how the authentication is processed on the backend. Sending requests is only a front-end concern; handling them is the realm of Rails
Upvotes: 0
Related Questions
- Sign Out working locally, but not working on Heroku
- Rails 5 app in production on heroku is calling sign out using method GET
- Cant get devise sign_out to work properly
- Heroku Rails App not allowing to Login/Logout via Devise
- Ruby on Rails: Unable to sign out of application in production
- Devise Sign Out/Log Out not working with Rails 4
- Michael Hartl rails tutorial chapter 8 sign out not working in heroku
- unable to use sign_out in ruby on rails devise gem
- Devise sign_out can't find correct route
- Signing out with Devise not working