Devise redirects to root after I redirect to sign_in
I'm trying to add a new login condition to an app that uses Devise.
If a request comes from an IP that's not on my whitelist, I want to prevent the login and redirect back to the sign_in page with a flash message explaining that the login was from an outside IP.
The redirect works, but flash message that I set doesn't make it back to the sign_in page. I think this is because Devise is mysteriously adding another redirect in the redirect chain (which would kill the flash message because the flash message is only good for one request).
Here's what I'm doing: I check if the request ip is in my whitelist. If it isn't, I redirect to /users/sign_in and set the flash notice to show why the user can't login.
This is where I get lost... After the redirect to /users/sign_in occurs, the user mysteriously gets redirected to / which in turn redirects back to /users/sign_in.
That last redirect back to the sign_in page is one that we've defined ourselves for if the user isn't logged in. But the redirect back to the root URL is tripping me up. I haven't overridden the new action in the sessions_controller (which is where this mysterious redirect occurs...), so this is all Devise logic as far as I can tell.
Does anyone have a guess at what's going on, is there a devise config that would cause that redirect, or is there another way I should approach this whole thing?
In my sessions_controller
class SessionsController < Devise::SessionsController def create unless ip_whitelist.include?(request.remote_ip) redirect_to '/users/sign_in', :notice => "Cannot log in from this IP address." return end ... end end
Per the Devise wiki, you could add an additional 'validation' for the user by adding an active_for_authentication method to your user model. Otherwise, the devise_for routing method does accept a :constraints option just like regular Rails routing constraints. Pack your whitelist logic into a class that responds to matches? and you should be good.