I am building a full-stack project with a React frontend and a Rails 7 backend, but I cannot log in against the backend deployed on Heroku. In development everything works. In production I can create a user and see them in the database, and I can log in and get redirected successfully, but I do not stay logged in.

```ruby
def login!
  # Store the user id in the cookie-backed session
  session[:user_id] = @user.id
end
```

After this the user should be redirected to the home page.

When the redirect happens, the home page calls the API to check whether the user is authorized:

```ruby
def logged_in?
  !!session[:user_id]
end
```

But the session is empty.
Here is my sessions controller:

```ruby
class SessionsController < ApplicationController
  def create
    @user = User.find_by(username: session_params[:username])
    if @user && @user.authenticate(session_params[:password])
      login!
      render json: {
        logged_in: true,
        # Serialize only public attributes; as_json on the whole record
        # would also expose password_digest.
        user: @user.as_json(only: [:id, :username])
      }
    else
      render json: {
        status: 401,
        errors: ['Incorrect username or password, please try again.']
      }, status: :unauthorized # send a real 401, not only a body field
    end
  end

  def is_logged_in?
    if logged_in? && current_user
      render json: {
        logged_in: true,
        user: current_user.as_json(only: [:id, :username])
      }
    else
      render json: {
        logged_in: false,
        message: 'no such user'
      }
    end
  end

  def destroy
    logout!
    render json: {
      status: 200,
      logged_out: true
    }
  end

  private

  def session_params
    params.require(:user).permit(:username, :password)
  end
end
```
Here is my application.rb:

```ruby
require_relative "boot"

require "rails/all"

# Require the gems listed in Gemfile, including any gems
# you've limited to :test, :development, or :production.
Bundler.require(*Rails.groups)

module Wms
  class Application < Rails::Application
    # Initialize configuration defaults for originally generated Rails version.
    config.load_defaults 7.0

    # Configuration for the application, engines, and railties goes here.
    #
    # These settings can be overridden in specific environments using the files
    # in config/environments, which are processed later.
    #
    # config.time_zone = "Central Time (US & Canada)"
    # config.eager_load_paths << Rails.root.join("extras")

    # Only loads a smaller set of middleware suitable for API only apps.
    # Middleware like session, flash, cookies can be added back manually.
    # Skip views, helpers and assets when generating a new resource.
    config.middleware.insert_before 0, Rack::Cors do
      allow do
        origins '*'
        resource '*', headers: :any, methods: [:get, :post, :options]
      end
    end
    config.api_only = true

    # Adding back cookies and session middleware
    config.middleware.use ActionDispatch::Cookies
    config.middleware.use ActionDispatch::Session::CookieStore

    # Use SameSite=Strict for all cookies to help protect against CSRF
    config.action_dispatch.cookies_same_site_protection = :strict
  end
end
```
I have spent several weeks trying to figure this out and I desperately need help. Could someone take a look?

My backend is deployed at: https://floating-journey-28678.herokuapp.com.

1 answer
This may be related to the topic on Heroku -> https://devcenter.heroku.com/articles/cookies-and-herokuapp-com

You can also try this option in production.rb:

```ruby
config.action_dispatch.cookies_same_site_protection = :none
```

But I think it is better to manage sessions with JWT or some access token rather than putting them in a cookie.
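To make the SameSite point from the answer concrete, here is an added Ruby example (not code from the question or the answer): it derives whether a frontend origin and the API origin are the same site under the Public Suffix List, which is what decides whether a SameSite=Strict session cookie is sent on the SPA's requests, and it builds the cookie attributes and the CORS headers a credentialed cross-site request needs. The frontend hostname my-react-app.herokuapp.com and the three-entry suffix list are constructed for the example; the API hostname is the one from the question.

```ruby
require "uri"

# Tiny stand-in for the Public Suffix List (assumption: a real deployment uses
# the full list, e.g. via the public_suffix gem). herokuapp.com really is on
# the list, so two *.herokuapp.com apps count as different sites.
PUBLIC_SUFFIXES = %w[com org herokuapp.com].freeze

# Registrable domain ("site") of a host: the longest matching public suffix
# plus one more label.
def site_of(host)
  labels = host.downcase.split(".")
  (1...labels.length).each do |i| # smallest i = longest candidate suffix
    return labels[(i - 1)..].join(".") if PUBLIC_SUFFIXES.include?(labels[i..].join("."))
  end
  host.downcase
end

# Cross-site means the browser applies SameSite rules to the API's cookie.
def cross_site?(frontend_origin, api_origin)
  site_of(URI(frontend_origin).host) != site_of(URI(api_origin).host)
end

# Cookie attributes the session cookie needs for this frontend/API pairing.
# SameSite=None is only honoured together with Secure, so Secure is always set.
def session_cookie_attributes(frontend_origin, api_origin)
  same_site = cross_site?(frontend_origin, api_origin) ? "None" : "Strict"
  ["HttpOnly", "Secure", "SameSite=#{same_site}"]
end

# CORS headers for a credentialed request: echo one allowed origin exactly.
# Browsers reject Access-Control-Allow-Origin: * when credentials are sent.
def cors_headers(request_origin, allowed_origins)
  if allowed_origins.include?("*")
    raise ArgumentError, "origins '*' cannot be combined with credentials"
  end
  return {} unless allowed_origins.include?(request_origin)
  {
    "Access-Control-Allow-Origin" => request_origin,
    "Access-Control-Allow-Credentials" => "true",
    "Vary" => "Origin"
  }
end

if __FILE__ == $PROGRAM_NAME
  api = "https://floating-journey-28678.herokuapp.com" # from the question
  spa = "https://my-react-app.herokuapp.com"           # constructed frontend
  puts "cross-site in production: #{cross_site?(spa, api)}" # true; localhost dev is not
  puts session_cookie_attributes(spa, api).join("; ")
  p cors_headers(spa, [spa])
end
```

In Rails the same attributes map to `config.session_store :cookie_store, key: '_wms_session', same_site: :none, secure: true` and, in the rack-cors block, a specific `origins` entry with `credentials: true` in place of `origins '*'`; the React fetch calls then need `credentials: 'include'`.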