How should I go about making all Devise paths use https?

Related: Rails 3 SSL routing redirects from https to http (unfortunately didn't work).

Duplicate, but the answer didn't work for me: setting up ssl on devise

I have a web app that's been working fine for a while now but I need to add SSL to the login/edit acct paths. I'm using Devise for authentication. I found an entry in the devise wiki that made the process seem pretty simple, but damn if I can get it to work. The simple part was this:

#in config/environments/production.rb
config.to_prepare { Devise::SessionsController.force_ssl }
config.to_prepare { Devise::RegistrationsController.force_ssl }

And then there's about 25 lines of code in this gist: https://gist.github.com/1040964

I got that to work well enough, but whenever I sign out I get a 301 from the sessions DELETE action that sends me to a GET.

Started DELETE "/users/sign_out" for 98.246.164.160 at 2012-03-02 01:45:42 +0000
[02 Mar 01:45 10886   INFO]   Processing by Devise::SessionsController#destroy as HTML
[02 Mar 01:45 10886   INFO]   Parameters: {"authenticity_token"=>"fI4VZ4V0Go2Civo3sJz8Dv5/Wtaa90ynaYr+xxx="}
[02 Mar 01:45 10886  DEBUG] Parameters: {"_method"=>"delete", "authenticity_token"=>"fI4VZ4V0Go2Civo3sJz8Dv5/Wtaa90ynaYr+xxxx=", "action"=>"destroy", "controller"=>"devise/sessions"}
[02 Mar 01:45 10886   INFO] Redirected to https://ec2-xx-xx-106-255.us-west-2.compute.amazonaws.com/users/sign_out
[02 Mar 01:45 10886   INFO] Completed 301 Moved Permanently in 3ms

Started GET "/users/sign_out" for xx.xx.164.160 at 2012-03-02 01:45:42 +0000
[02 Mar 01:45 10886  FATAL] 
ActionController::RoutingError (No route matches [GET] "/users/sign_out"):

So I think I need to start over from scratch. What's the simplest way to make any Devise path use https, but the rest of the paths in my app use http? I tried this (from the SO post at the top):

  #devise routes
  scope :protocol => 'https://', :constraints => { :protocol => 'https://' } do
    devise_for :users, :controllers => { :registrations => :registrations }
    devise_for :admins
  end

But no go. I need a better suggestion.

jcollum asked Mar 02 '12 02:03

3 Answers

No answers yet, so here's what I concluded:

  1. Once you access a site via https, don't access it via http until the user signs out (Firesheep attack). There's a lot of stuff on Devise in the article linked above that discusses only having https on the sign in / out page. Bad idea.

  2. All you really need is this:

    #in config/environments/production.rb
    config.to_prepare { Devise::SessionsController.force_ssl }
    config.to_prepare { Devise::RegistrationsController.force_ssl }
    
  3. I had a ton of issues surrounding 'after_sign_in_path' from Devise. It turns out that after_sign_out_path_for is expecting a path to be returned -- it's not an event, it is asking where the user should be directed. So I returned root_path :protocol => 'http://' and that took care of it.

jcollum answered Nov 06 '22 12:11

Try making your whole app use HTTPS by adding:

#in config/environments/production.rb
config.force_ssl = true

I had quite the same problem. Sometimes I signed out fine, sometimes I got a 301 from the DELETE action and a redirect to GET. For me this was the problem.

barbecube answered Nov 06 '22 14:11

Make sure you use https in all your Devise links (this avoids the force_ssl redirect).

In your routes.rb (only applied in production environment):

scope defaults: (Rails.env.production? ? { protocol: 'https' } : {}) do
  devise_for :users
end

Now in your application use:

destroy_user_session_url # use _url instead of _path so the protocol is added!

Now your logout / sign out link (and other devise links) will point directly to https. The force_ssl rewrite from HTTP DELETE to HTTPS GET is avoided. It all works :)

joost answered Nov 06 '22 14:11
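As an added illustration that is not part of the question or any of the answers: a pure-Ruby model (no Rails needed) of the DELETE -> 301 -> GET sequence in the question's log, and of why a sign-out link that already points at https, as the third answer recommends, never reaches the redirect at all. The host name `example.test`, the route table, the Rack-style `app`/`browser` functions and the `destroy_user_session_url` stand-in are all constructed for this example; they are not Rails or Devise internals.

```ruby
# Added example, not code from the question or answers. Models the
# force_ssl-on-Devise-controllers setup from the question with plain Ruby.

HOST = 'example.test'.freeze # constructed host name

# Route table in the spirit of the question's Devise routes: the sign-out route
# exists only for DELETE, so a GET to it is a routing error (as in the log).
# Signing out redirects to the http root, as the first answer does with
# root_path :protocol => 'http://'.
ROUTES = {
  ['DELETE', '/users/sign_out'] => lambda { |_| [302, { 'Location' => "http://#{HOST}/" }, ['signed out']] },
  ['GET',    '/users/sign_in']  => lambda { |_| [200, {}, ['sign in form']] },
  ['GET',    '/']               => lambda { |_| [200, {}, ['home']] },
}.freeze

# Rack-style app with a force_ssl-like filter on the Devise paths only
# (the effect of Devise::SessionsController.force_ssl in the question): any
# non-https request to a /users path gets a 301 to the same URL on https.
def app(method, url)
  path = url.sub(%r{\A\w+://[^/]+}, '')
  if path.start_with?('/users') && !url.start_with?('https://')
    return [301, { 'Location' => url.sub(/\Ahttp:/, 'https:') }, []]
  end
  handler = ROUTES[[method, path]]
  return [404, {}, ["No route matches [#{method}] \"#{path}\""]] unless handler
  handler.call(url)
end

# Minimal browser: follows 301/302 by issuing a *GET* to Location, which is
# what browsers do and exactly what the question's log records. Returns the
# final status, the final body and the trail of requests made.
def browser(method, url, trail = [])
  status, headers, body = app(method, url)
  trail << "#{method} #{url} -> #{status}"
  if [301, 302].include?(status) && headers['Location']
    browser('GET', headers['Location'], trail) # the DELETE is not preserved
  else
    [status, body.join, trail]
  end
end

# Stand-in for Devise's destroy_user_session_url helper; protocol: 'https'
# corresponds to the third answer's scope defaults: { protocol: 'https' }.
def destroy_user_session_url(protocol: 'http')
  "#{protocol}://#{HOST}/users/sign_out"
end

if $PROGRAM_NAME == __FILE__
  # http link: 301, then a GET that has no route (the question's failure)
  puts browser('DELETE', destroy_user_session_url).last
  # https link: the DELETE reaches the sessions route, then lands on the http root
  puts browser('DELETE', destroy_user_session_url(protocol: 'https')).last
end
```

Running the file prints both request trails. The http link reproduces the shape of the question's log (DELETE, 301, GET with no matching route), while the https link skips the redirect so the DELETE is actually handled; the follow-up GET goes to the http root, which is outside the forced-ssl paths and therefore served without another redirect.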