Why does devise_parameter_sanitizer.sanitize return empty params? [Solved]
Problem:
```
(byebug) devise_parameter_sanitizer.sanitize(:sign_up)
{}
```
Investigation:
1. We post the data to the backend in this format
```
$ curl -X POST -H "Content-Type: application/json" --data "{\"user\": {\"email\":\"abc@abc.com\", \"password\": \"1234567890\", \"password_confirmation\": \"1234567890\"}}" localhost:3000/api/v1/users
```
2. From the rails log, we can see that the parameters are going in as expected
```
Processing by Api::V1::RegistrationsController#create as JSON
Parameters: {"user"=>{"email"=>"abc@abc.com", "password"=>"[FILTERED]", "password_confirmation"=>"[FILTERED]"}}
```
3. Place byebug before the sanitizer starts
```
def sign_up_params
  byebug # pause here, before the sanitizer runs
  params = devise_parameter_sanitizer.sanitize(:sign_up)
  params
end
```
4. Inspect the devise_parameter_sanitizer, by stepping in
```
(byebug) step
[152, 161] in ...gems/devise-83213569dd77/lib/devise/controllers/helpers.rb
152:
153: # Set up a param sanitizer to filter parameters using strong_parameters. See
154: # lib/devise/parameter_sanitizer.rb for more info. Override this
155: # method in your application controller to use your own parameter sanitizer.
156: def devise_parameter_sanitizer
=> 157: @devise_parameter_sanitizer ||= Devise::ParameterSanitizer.new(resource_class, resource_name, params)
158: end
159:
160: # Tell warden that params authentication is allowed for that specific page.
161: def allow_params_authentication!
```
5. Step through until you see:
```
[69, 78] in ...gems/devise-83213569dd77/lib/devise/parameter_sanitizer.rb
69: permissions = @permitted[action]
70:
71: if permissions.respond_to?(:call)
72: cast_to_hash permissions.call(default_params)
73: elsif permissions.present?
=> 74: cast_to_hash permit_keys(default_params, permissions)
75: else
76: unknown_action!(action)
77: end
78: end
```
6. Inspect
```
(byebug) permit_keys(default_params, permissions)
<ActionController::Parameters {} permitted: true>
```
7. Step in and see why it is returning { }
```
[131, 140] in .../gems/devise-83213569dd77/lib/devise/parameter_sanitizer.rb
131: # TODO: Remove the `with_indifferent_access` method call when we only support Rails 5+.
132: params && params.to_h.with_indifferent_access
133: end
134:
135: def default_params
=> 136: @params.fetch(@resource_name, {})
137: end
138:
139: def permit_keys(parameters, keys)
140: parameters.permit(*keys)
(byebug) n
[135, 144] in ...gems/devise-83213569dd77/lib/devise/parameter_sanitizer.rb
135: def default_params
136: @params.fetch(@resource_name, {})
137: end
138:
139: def permit_keys(parameters, keys)
=> 140: parameters.permit(*keys)
141: end
142:
143: def extract_auth_keys(klass)
144: auth_keys = klass.authentication_keys
(byebug) keys
[:email, :password, :password_confirmation]
(byebug) parameters
<ActionController::Parameters {} permitted: false>
(byebug) default_params
<ActionController::Parameters {} permitted: false>
(byebug) @resource_name
:api_v1_user
```
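8. So the conclusion is that the @resource_name used by the sanitizer (:api_v1_user here) is based on your controller class namespace, not just your Devise resource name. The request was posted under the "user" key, so `@params.fetch(@resource_name, {})` finds nothing and falls back to `{}`, and permitting keys on an empty hash returns an empty hash.
Therefore, please make sure the top-level key of the parameters you pass into the Devise controller matches that resource name.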
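
The lookup traced above, reproduced as an added example in plain Ruby (not Devise's code and not part of the original gist). `sanitize_like_devise` and `diagnose` are hypothetical stand-ins that use Hashes in place of ActionController::Parameters, and the request bodies are constructed.

```ruby
# Added example: plain-Ruby stand-in for the lookup seen in the byebug session.
# It imitates default_params + permit_keys with Hashes and needs no Rails.

SIGN_UP_KEYS = %w[email password password_confirmation].freeze

# Mirrors `@params.fetch(@resource_name, {})` followed by `permit(*keys)`:
# a missing scope key yields {}, and unpermitted keys are dropped silently.
def sanitize_like_devise(params, resource_name, keys = SIGN_UP_KEYS)
  scoped = params.fetch(resource_name.to_s, {})
  scoped.select { |key, _| keys.include?(key) }
end

# Hypothetical helper: explain an empty result instead of failing silently.
def diagnose(params, resource_name)
  return :ok if params.key?(resource_name.to_s)

  candidates = params.select { |_, value| value.is_a?(Hash) }.keys
  "expected top-level key #{resource_name.to_s.inspect}, got #{candidates.inspect}"
end

# Constructed request bodies, shaped as Rails would parse the JSON.
POSTED_AS_USER = {
  "user" => {
    "email" => "abc@abc.com",
    "password" => "1234567890",
    "password_confirmation" => "1234567890"
  }
}.freeze

# Same fields under the namespaced scope, plus an extra key that is not permitted.
POSTED_AS_SCOPE = {
  "api_v1_user" => POSTED_AS_USER["user"].merge("admin" => true)
}.freeze

if __FILE__ == $PROGRAM_NAME
  p sanitize_like_devise(POSTED_AS_USER, :api_v1_user)   # the empty result from the gist
  puts diagnose(POSTED_AS_USER, :api_v1_user)            # names the mismatched key
  p sanitize_like_devise(POSTED_AS_SCOPE, :api_v1_user)  # permitted keys only
end
```

A check like `diagnose` in a test or a development-only log line turns the silent `{}` into a visible message about the mismatched key.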