Rails uses something called strong parameters. Devise whitelists certain params by default ("email", "password", "password_confirmation"), but you can modify these settings if you like.

What you're seeing isn't an error exactly, it's just that a field called session isn't getting thru to the sign_in controller.

What does the POST request payload look like? Your logs indicate that the payload looks like this:

{
  "email": "[email protected]",
  "password": "xxx",
  "session": {
    "email": "[email protected]",
    "password": "xxx"
  }
}

If this is the case, then it looks like a param called session is somehow being included in the request.

I suggest that you inspect the object that you're passing to $auth.submitLogin method to see if you're sending the correct data.

from ng-token-auth.

I'm using the example code:

controller/signinctrl.js

$scope.handleLoginBtnClick = function() {
  $auth.submitLogin($scope.loginForm)
    .then(function(resp) { 
      // handle success response
    })
    .catch(function(resp) { 
      // handle error response
    });
};

}]);

signin.html.haml

%form{"ng-init" => "loginForm = {}", "ng-submit" => "submitLogin(loginForm)", :role => "form"}
.form-group
.input-group.input-group-lg
%span.input-group-addon
%i.fa.fa-envelope
%input.form-control{:name => "email", "ng-model" => "loginForm.email", :required => "required", :type => "email"}/
.form-group
.input-group.input-group-lg
%span.input-group-addon
%i.fa.fa-lock
%input.form-control{:name => "password", "ng-model" => "loginForm.password", :required => "required", :type => "password"}/
.form-group
%button.btn.btn-danger.btn-lg.btn-block{:type => "submit"} Sign in

from ng-token-auth.

1. Those examples are for two different implementations. You don't need the controller example if you're calling submitLogin from the template.
2. What does the POST request payload look like? If you're using Chrome, you can find this in the Network panel in the developer tools. Instructions here.

from ng-token-auth.

@ACPK - it looks like this is happening in the example app as well.

I can't find the source of the session param. My guess is that it's set by one of the devise-token-auth dependencies (Devise, Warden, etc.). I did comb through the Devise source, but I couldn't find it anywhere.

While the warning is annoying, I don't think the session param is going to cause any problems.

I'm marking this issue closed, but feel free to re-open it (or send a PR) if you can solve the mystery.

from ng-token-auth.

Update: there's a workaround here:
lynndylanhurley/devise_token_auth#676

The "session" parameter is actually created by Rails (wrap_parameters)

from ng-token-auth.