Devise: subdomain redirect after login


I am using Devise and ActsAsTenant for a multi-tenant SaaS Rails 7 app and am having trouble redirecting users to the correct subdomain after login with Devise.

Each User is associated with an Account that has a subdomain column. I have read through the documents for Devise and customized after_sign_in_path_for to route to the dashboard page after login. Whenever I try to add a subdomain to the redirect, I get an Unsafe redirect error.

Unsafe redirect to "", pass allow_other_host: true to redirect anyway.

My after_sign_in_path_for method

class ApplicationController < ActionController::Base

    def after_sign_in_path_for(resource)
        dashboard_url(subdomain: resource.account.subdomain)
    end
end

I have tried to pass allow_other_host: true but I get a similar error

dashboard_url(subdomain: resource.account.subdomain, allow_other_host: true)

Unsafe redirect to "", pass allow_other_host: true to redirect anyway.

Looking at other code and examples I think I have to write it like this

redirect_to dashboard_url(subdomain: current_user.account.subdomain), allow_other_host: true

but then I get a Render and/or redirect were called multiple times in this action error.

I also tried modifying the create method for SessionsController and bypassing the after_sign_in_path_for completely but I still get the same Unsafe Redirect error.

class SessionsController < Devise::SessionsController
    def create
        self.resource = warden.authenticate!(auth_options)
        set_flash_message!(:notice, :signed_in)
        sign_in(resource_name, resource)
        yield resource if block_given?
        respond_to do |format|
          format.html do
            redirect_to dashboard_url(subdomain: current_user.account.subdomain), only_path: false, allow_other_host: true
          end
        end
    end
end

My Routes:

devise_for :users, path: '', path_names: {
    sign_in: 'login',
    sign_out: 'logout'
  }, controllers: {
    sessions: 'sessions'
  }
get 'dashboard', to: 'static_pages#dashboard'
root to: "static_pages#index"

1 Answer

You could disable the redirect protection, introduced in Rails 7.0:

Rails.application.config.action_controller.raise_on_open_redirects = false

But before doing this, you should read about open redirect attacks.
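As an added example (not code from the question or the answer), here is the alternative to switching `raise_on_open_redirects` off for the whole app: keep the protection on and pass `allow_other_host: true` only after checking that the target host is a subdomain of the app's own domain, with the subdomain taken from the Account record rather than from the request. `APP_DOMAIN`, the `/dashboard` path, the `safe_after_sign_in_url` helper and the SessionsController wiring in the trailing comment are assumptions for this example; the checks themselves are plain Ruby and run without Rails.

```ruby
require "uri"

# Base domain the tenants live under (assumed value, constructed for this example).
APP_DOMAIN = "example.test"

# One DNS label: letters, digits and hyphens, no leading/trailing hyphen, max 63 chars.
# Anything with a dot, slash, '@' or ':' fails here, so a subdomain value can never
# smuggle a different host into the URL we build.
SUBDOMAIN_LABEL = /\A[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\z/

# Build the tenant dashboard URL from the subdomain stored on the Account.
# Returns nil when the stored value is not a single valid label.
def tenant_dashboard_url(subdomain, domain: APP_DOMAIN, scheme: "https", path: "/dashboard")
  label = subdomain.to_s.downcase
  return nil unless label.match?(SUBDOMAIN_LABEL)

  "#{scheme}://#{label}.#{domain}#{path}"
end

# Independent check on the final URL, applied right before redirect_to:
# http(s) only, no userinfo ("acme.example.test@attacker" tricks), and the host must be
# the app domain itself or exactly one valid label below it.
def allowed_tenant_host?(url, domain: APP_DOMAIN)
  uri = URI.parse(url.to_s)
  return false unless %w[http https].include?(uri.scheme)
  return false if uri.host.nil? || uri.userinfo

  host = uri.host.downcase
  return true if host == domain
  return false unless host.end_with?(".#{domain}")

  host.delete_suffix(".#{domain}").match?(SUBDOMAIN_LABEL)
rescue URI::InvalidURIError
  false
end

# Resolve where a freshly signed-in user should land. Falls back to a same-host
# path whenever the tenant URL cannot be built or fails the host check, so the
# login flow never depends on disabling open-redirect protection globally.
def safe_after_sign_in_url(account_subdomain, fallback: "/")
  url = tenant_dashboard_url(account_subdomain)
  return fallback if url.nil? || !allowed_tenant_host?(url)

  url
end

# Assumed wiring inside the question's custom Devise controller (needs Rails, shown
# here as a comment only):
#
#   class SessionsController < Devise::SessionsController
#     def create
#       self.resource = warden.authenticate!(auth_options)
#       set_flash_message!(:notice, :signed_in)
#       sign_in(resource_name, resource)
#       yield resource if block_given?
#       url = safe_after_sign_in_url(resource.account.subdomain)
#       # allow_other_host is granted per call, and only for a validated tenant host
#       redirect_to url, allow_other_host: allowed_tenant_host?(url)
#     end
#   end

if __FILE__ == $PROGRAM_NAME
  puts safe_after_sign_in_url("acme")        # https://acme.example.test/dashboard
  puts safe_after_sign_in_url("evil.com")    # / (dot is not a valid label character)
  puts allowed_tenant_host?("https://acme.example.test@attacker.invalid/")  # false
end
```

The point of keeping `allowed_tenant_host?` separate from `tenant_dashboard_url` is that the value handed to `redirect_to` is re-parsed and re-validated as a URL, so a future change that builds the location from a `return_to` parameter or a session value gets the same host check instead of silently widening the redirect to any host.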