Reputation: 31
Problem:
I am only able to sign up and log in to my Rails application (production) using the Firefox browser. When attempting to use Safari or Chrome, the login using an existing account does not work.
In fact, it does not even seem to be performing form validation when submitting the form. When submitted in Firefox, the form correctly determines that a username/password is incorrect and notifies the user (via a few flash messages). On Chrome, the form does nothing.
Background
I am currently hosting a Rails 5 application on Elastic Beanstalk. My persistence is a separate RDS (PostgreSQL). I configured my authentication to use the Devise gem and was able to get sign up and login to work fine in development.
Here is my devise config (config/initializers/devise.rb):
Devise.setup do |config|
  config.secret_key = ENV['DEVISE_SECRET_KEY']
  config.mailer_sender = ENV['EMAIL_TO_USER']
  require 'devise/orm/active_record'
  config.case_insensitive_keys = [:email]
  config.strip_whitespace_keys = [:email]
  config.http_authenticatable = false
  config.skip_session_storage = [:http_auth]
  config.stretches = Rails.env.test? ? 1 : 11
  config.reconfirmable = false
  config.expire_all_remember_me_on_sign_out = true
  config.sign_out_via = :delete
end
I left out the stripe/facebook configurations.
When I pushed this to production, I configured EBS for HTTPS, which meant modifying my nginx config as follows:
files:
  /etc/nginx/conf.d/proxy.conf:
    content: |
      client_max_body_size 500M;
      server_names_hash_bucket_size 128;

      upstream backend {
        server unix:///var/run/puma/my_app.sock;
      }

      server {
        listen 80;
        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;
        server_name www.mydomain.com;

        if ($http_x_forwarded_proto = 'http') {
          return 301 https://$server_name$request_uri;
        }

        large_client_header_buffers 8 32k;

        location / {
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header Host $http_host;
          proxy_set_header X-NginX-Proxy true;
          proxy_set_header X-Forwarded-Proto $scheme;
          proxy_set_header X-Forwarded-Host $host;
          proxy_buffers 8 32k;
          proxy_buffer_size 64k;
          proxy_pass http://backend;
          proxy_redirect off;

          location /assets {
            root /var/app/current/public;
          }

          # enables WS support
          location /cable {
            proxy_pass http://backend;
            proxy_http_version 1.1;
            proxy_set_header Upgrade "websocket";
            proxy_set_header Connection "Upgrade";
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          }
        }
      }
Logs
This is where things got a little difficult to diagnose. The logs contained no fatal errors. Below are the relevant parts of the logs while I attempted to log in on Chrome:
I, [2018-05-01T00:13:57.126576 #4167] INFO -- : [5ab87fb9-5dfd-410a-b9b5-9da405784583] Processing by Devise::SessionsController#create as HTML
I, [2018-05-01T00:13:57.126633 #4167] INFO -- : [5ab87fb9-5dfd-410a-b9b5-9da405784583] Parameters: {"utf8"=>"✓", "authenticity_token"=>"DbVEjrNRtSIyaZEkdZ7gYlw/xlDG4Gt3fT2qihR2iuZzWjWLF7N2QFHjocvlHcok5sa5LcwzlDP1QTIRqgAN6g==", "user"=>{"email"=>"d***@example.com", "password"=>"[FILTERED]", "remember_me"=>"0"}, "commit"=>"Log in"}
W, [2018-05-01T00:13:57.127260 #4167] WARN -- : [5ab87fb9-5dfd-410a-b9b5-9da405784583] HTTP Origin header (https://www.gametime.hopewellhockey.com) didn't match request.base_url (http://www.gametime.hopewellhockey.com)
D, [2018-05-01T00:13:57.132493 #4167] DEBUG -- : [5ab87fb9-5dfd-410a-b9b5-9da405784583] User Load (1.9ms) SELECT "users".* FROM "users" WHERE "users"."email" = $1 ORDER BY "users"."id" ASC LIMIT $2 [["email", "d***@example.com"], ["LIMIT", 1]]
D, [2018-05-01T00:13:57.290705 #4167] DEBUG -- : [5ab87fb9-5dfd-410a-b9b5-9da405784583] (1.2ms) BEGIN
D, [2018-05-01T00:13:57.294562 #4167] DEBUG -- : [5ab87fb9-5dfd-410a-b9b5-9da405784583] SQL (1.4ms) UPDATE "users" SET "current_sign_in_at" = $1, "last_sign_in_at" = $2, "sign_in_count" = $3, "updated_at" = $4 WHERE "users"."id" = $5 [["current_sign_in_at", "2018-05-01 00:13:57.288765"], ["last_sign_in_at", "2018-04-30 23:42:09.037190"], ["sign_in_count", 18], ["updated_at", "2018-05-01 00:13:57.291147"], ["id", 17]]
D, [2018-05-01T00:13:57.297196 #4167] DEBUG -- : [5ab87fb9-5dfd-410a-b9b5-9da405784583] (2.0ms) COMMIT
I, [2018-05-01T00:13:57.301422 #4167] INFO -- : [5ab87fb9-5dfd-410a-b9b5-9da405784583] Redirected to http://www.gametime.hopewellhockey.com/dashboard
I, [2018-05-01T00:13:57.301571 #4167] INFO -- : [5ab87fb9-5dfd-410a-b9b5-9da405784583] Completed 302 Found in 175ms (ActiveRecord: 6.6ms)
I, [2018-05-01T00:13:57.341167 #4167] INFO -- : [99d956dd-e326-4e7b-b261-956020699bd7] Started GET "/dashboard" for 127.0.0.1 at 2018-05-01 00:13:57 +0000
I, [2018-05-01T00:13:57.343267 #4167] INFO -- : [99d956dd-e326-4e7b-b261-956020699bd7] Processing by DashboardsController#index as HTML
I, [2018-05-01T00:13:57.344029 #4167] INFO -- : [99d956dd-e326-4e7b-b261-956020699bd7] Completed 401 Unauthorized in 1ms (ActiveRecord: 0.0ms)
I, [2018-05-01T00:13:57.382580 #4167] INFO -- : [56191256-df92-4638-bd41-0df7b6e07722] Started GET "/login" for 127.0.0.1 at 2018-05-01 00:13:57 +0000
I, [2018-05-01T00:13:57.383326 #4167] INFO -- : [56191256-df92-4638-bd41-0df7b6e07722] Processing by Devise::SessionsController#new as HTML
I, [2018-05-01T00:13:57.384641 #4167] INFO -- : [56191256-df92-4638-bd41-0df7b6e07722] Rendering devise/sessions/new.html.erb within layouts/application
I, [2018-05-01T00:13:57.387677 #4167] INFO -- : [56191256-df92-4638-bd41-0df7b6e07722] Rendered devise/sessions/new.html.erb within layouts/application (3.0ms)
I, [2018-05-01T00:13:57.388956 #4167] INFO -- : [56191256-df92-4638-bd41-0df7b6e07722] Rendered shared/_navbar.html.erb (0.8ms)
I, [2018-05-01T00:13:57.389150 #4167] INFO -- : [56191256-df92-4638-bd41-0df7b6e07722] Rendered shared/_message.html.erb (0.1ms)
I, [2018-05-01T00:13:57.389622 #4167] INFO -- : [56191256-df92-4638-bd41-0df7b6e07722] Rendered shared/_footer.html.erb (0.3ms)
I, [2018-05-01T00:13:57.389794 #4167] INFO -- : [56191256-df92-4638-bd41-0df7b6e07722] Completed 200 OK in 6ms (Views: 5.4ms | ActiveRecord: 0.0ms)
E, [2018-05-01T00:13:57.436191 #4167] ERROR -- : WebSocket error occurred: Broken pipe
A few things to note: (1) the websocket seems to be having issues. However, this would have affected my Firefox sign-in as well. Next, there is the warning "HTTP Origin header (https://www.gametime.hopewellhockey.com) didn't match request.base_url (http://www.gametime.hopewellhockey.com)". This suggests that my nginx server config is missing headers. I found some documentation online and attempted to emulate it (shown above), to no avail.
Thanks in advance. This one has been stumping me for a while now!
Edit: Similar issue found here: "Devise doesn't login in Google Chrome". This solution suggests modifying a line in the actionpack gem library, which seems like a bad practice to me.
Edit 2: Someone pointed out that Chrome takes exception to redirection. The function within the Rails application redirects to the user dashboard after logging in. It seems like a standard enough thing to me.
class ApplicationController < ActionController::Base
  protect_from_forgery prepend: true
  before_action :configure_permitted_parameters, if: :devise_controller?

  protected

  def after_sign_in_path_for(resource_or_scope)
    dashboard_path
  end

  def configure_permitted_parameters
    devise_parameter_sanitizer.permit(:sign_up, keys: [:fullname])
    devise_parameter_sanitizer.permit(:account_update, keys: [:fullname, :phone_number, :description, :player_age, :position])
  end
end
Upvotes: 1
Views: 1062
Reputation: 31
From my experience, Chrome refuses to follow a redirect from HTTPS to HTTP, and it looks like that's what's happening with your current config.
I would try to see if you can determine why you are redirecting to the dashboard with the HTTP protocol. It might still have to do with why you're getting the warning about the request origin not matching the request base URL.
Upvotes: 1
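Tracing where the HTTP scheme comes from, as the answer suggests, can start from the log itself. The following Ruby script is an added example, not code from the original post: it scans a Rails log for requests whose Origin header and request.base_url differ only by https versus http, and reports whether the same request then redirected to an http:// URL. The sample lines are constructed in the log format quoted in the question, with a placeholder host and shortened request IDs.

```ruby
require "uri"

# Constructed sample in the format of the production log quoted in the question
# (placeholder host, shortened request IDs).
SAMPLE_LOG = <<~LOG
  I, [2018-05-01T00:13:57.126576 #4167] INFO -- : [req-1] Processing by Devise::SessionsController#create as HTML
  W, [2018-05-01T00:13:57.127260 #4167] WARN -- : [req-1] HTTP Origin header (https://www.example.test) didn't match request.base_url (http://www.example.test)
  I, [2018-05-01T00:13:57.301422 #4167] INFO -- : [req-1] Redirected to http://www.example.test/dashboard
  I, [2018-05-01T00:13:57.301571 #4167] INFO -- : [req-1] Completed 302 Found in 175ms (ActiveRecord: 6.6ms)
  I, [2018-05-01T00:13:57.343267 #4167] INFO -- : [req-2] Processing by DashboardsController#index as HTML
  I, [2018-05-01T00:13:57.344029 #4167] INFO -- : [req-2] Completed 401 Unauthorized in 1ms (ActiveRecord: 0.0ms)
LOG

ORIGIN_RE   = /\[(?<id>[^\]]+)\] HTTP Origin header \((?<origin>\S+)\) didn't match request\.base_url \((?<base>\S+)\)/
REDIRECT_RE = /\[(?<id>[^\]]+)\] Redirected to (?<url>\S+)/

# Returns one finding per request whose only Origin/base_url difference is
# https -> http on the same host, i.e. the app was told the request arrived
# over plain HTTP although the browser used HTTPS.
def scheme_downgrades(log)
  findings = {}
  log.each_line do |line|
    if (m = ORIGIN_RE.match(line))
      origin = URI(m[:origin])
      base = URI(m[:base])
      next unless origin.scheme == "https" && base.scheme == "http" && origin.host == base.host
      findings[m[:id]] = { request_id: m[:id], host: base.host, http_redirect: nil }
    elsif (m = REDIRECT_RE.match(line)) && findings.key?(m[:id])
      # Record the redirect only if it also points at plain HTTP.
      findings[m[:id]][:http_redirect] = m[:url] if URI(m[:url]).scheme == "http"
    end
  end
  findings.values
end

if __FILE__ == $PROGRAM_NAME
  scheme_downgrades(SAMPLE_LOG).each do |f|
    puts "#{f[:request_id]}: app saw http for #{f[:host]}; redirect sent: #{f[:http_redirect] || 'none'}"
  end
end
```

A hit means the application was told the request arrived over HTTP. In the proxy.conf from the question, `X-Forwarded-Proto` is set from nginx's `$scheme` on a `listen 80` server, which is `http` whatever the browser used, so that header is the first thing to check.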