I can’t seem to get a user logged into our admin panel after upgrading our app from Rails 2.3.x to Rails 3.1.3. I’m using the latest version of Devise, which at the time of this post is v1.5.3.

A POST to the session#create route returns a 401 response (and all the params look like they’re going in properly); it happens when Warden tries to auth the user using one of Devise’s strategies (:database_authenticatable). Here’s my user model.

class User < ActiveRecord::Base
  devise :database_authenticatable, :validatable
  attr_accessible :email, :password, :password_confirmation
end

I’ve got an overridden Devise::SessionsController in my :admin namespace (the logins are for admins only, and they’ve got their own site layout, thus the override). There’s nothing special in the controller, really, other than the layout:

class Admin::SessionsController < ::Devise::SessionsController
  layout "admin"
end

I do have slightly customized routes, and here’s the code that I’ve got for that.

devise_for :users, :controllers => { :sessions => 'admin/sessions' }

I have the csrf_meta_tag bit in my layout’s headers, and my ApplicationController has the protect_from_forgery line in it. The form’s errors are empty when it comes back to re-render the page.

I’ve stepped through the code (all the way into lib/warden/proxy.rb), and Warden doesn’t seem to think the :database_authenticatable strategy I’m using is valid (Warden’s source code for that part). The user is a valid user… I’ve created it via an Rails rails console IRB session, from scratch, with a valid password and everything. I would hope it should recognize that as valid, right? Or am I even barking up the right tree?