Devise: undefined method `user' for nil:NilClass when test sign in with rspec, warden is nil

Created on 15 Feb 2015 · 19 Comments · Source: heartcombo/devise

Rails 4.2 & Mongoid 4.0.1 & devise 3.4.1
This occurred when I tested the sign_in method with RSpec in the file sessions_controller_spec.rb, and the error is at ....gem/../devise/controller/sign_in_out.rb at line 36:

elsif warden.user(scope) == resource && !options.delete(:force)

It seems that something is wrong, resulting in "warden" being nil.
The demo repo is here: https://github.com/veetase/smarto

All 19 comments

Did you include Devise test helpers in your controller specs?

Ah, nevermind, I can see that you did.

I am having the same issue.

+1 Also facing the same issue.

ditto. "undefined method 'user' for nil:NilClass" when trying to sign_in user after user && user.valid_password?(...) == true.

I am facing the same issue too. Any updates on this?

I figured out the problem. It looks like there are some areas in Devise which require a new_user_session named route to exist.

In my case, I figured out that here - https://github.com/plataformatec/devise/blob/master/lib/devise/failure_app.rb#L125

After adding that route in my app, the undefined method `user' for nil:NilClass issue also got resolved.

For me, the issue was not including the test helpers in the controller specs.

I have devise_for :users and rake routes shows new_user_session. I am still getting undefined method `user' for nil:NilClass from lib/devise/controllers/sign_in_out.rb:39:in `sign_in'. I have config.include Devise::TestHelpers, :type => :controller in the spec_helper.rb. Any ideas on how to fix this issue?

@bparanj move

config.include Devise::TestHelpers, :type => :controller to rails_helper.rb

https://github.com/plataformatec/devise/wiki/How-To:-Test-controllers-with-Rails-3-and-4-%28and-RSpec%29#controller-specs

I have decided to ditch devise and roll my own. It's too obese for my projects.

@kfalconer's suggestion fixed it for me.

I still have this issue after adding config.include Devise::TestHelpers, :type => :controller to rails_helper.rb

@bparanj I usually don't mind rolling your own things, it is great for better understanding how things work, but I would be very skeptical about rolling your own authentication due to all security reasons. For example, exploring the links you have sent above, I have found the following flaws in the proposed implementation:

  1. Sign in is vulnerable to session fixation attack
  2. Sign in is vulnerable to CSRF token fixation attack
  3. Application may be vulnerable to CSRF attacks since it does not properly handle_unverified_request
  4. Tokens are stored in clear text in the database
  5. Token lookup for password protection is unsafe if using MySQL due to parameter casting
  6. Password tokens are not reset when e-mail or password changes
  7. Password tokens are vulnerable to timing attacks (since a DB comparison is not secure)

And this is through a quick glance through the code (you have posted it 20 minutes ago). More bugs are likely hidden there.
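Items 4 to 7 of the list above, as an added example that is not part of the thread and is not Devise's code or the code under review: one common way to handle password-reset tokens so that the database holds only a keyed digest, non-String parameters are rejected, and tokens die when credentials change. The class `ResetTokenStore`, its method names and the in-memory Hash standing in for the database are assumptions made for illustration.

```ruby
require "openssl"
require "securerandom"

# Hypothetical store; the Hash stands in for a users table column (constructed).
class ResetTokenStore
  def initialize(secret)
    @secret = secret
    @digests = {} # email => HMAC digest of the outstanding reset token
  end

  # Item 4: only a keyed digest is persisted; the raw token goes to the user.
  def issue_token(email)
    raw = SecureRandom.urlsafe_base64(32)
    @digests[email] = digest(raw)
    raw
  end

  # Item 5: accept only a non-empty String, so 0 or an Array never reaches the lookup.
  # Item 7: match on the digest, so comparison timing says nothing about the raw token.
  def find_by_token(param)
    return nil unless param.is_a?(String) && !param.empty?
    candidate = digest(param)
    email, _stored = @digests.find { |_, d| secure_compare(d, candidate) }
    email
  end

  # Item 6: call whenever the e-mail or password changes.
  def invalidate(email)
    @digests.delete(email)
  end

  def stored_digest(email)
    @digests[email]
  end

  private

  def digest(raw)
    OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA256"), @secret, raw)
  end

  # Constant-time comparison of two equal-length strings.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

With a real database the lookup becomes an indexed query on the digest column; the String check and the invalidation on credential change stay the same.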

I am aware of some of these issues. It is also on my to do list. Thanks for pointing them out. I will work on fixing them.

I'm still running into this issue even with the helpers. Can we reopen this?

@carloscheddar Can you provide a sample app showing the problem? Otherwise we have no way to reproduce. Thanks.

False alarm. I found my mistake and deleted my comment. This can be closed.
