Rails 4 Authenticity Token

Question

I was working on a new Rails 4 app  on Ruby 2 0 0-p0  when I ran into some authenticity token problems   While writing a controller that responds to json  using the respond to class method   I got to the create action I started getting ActionController  InvalidAuthenticityToken exceptions when I tried to create a record using curl   I made sure I set -H  Content-Type  application json  and I set the data with -d   lt my data here gt   but still no luck   I tried writing the same controller using Rails 3 2  on Ruby 1 9 3  and I got no authenticity token problems whatsoever  I searched around and I saw that there were some changes with authenticity tokens in Rails 4  From what I understand  they are no longer automatically inserted in forms anymore  I suppose this is somehow affecting non-HTML content types   Is there any way to get around this without having to request a HTML form  snatching the authenticity token  then making another request with that token  Or am I completely missing something that s completely obvious   Edit  I just tried creating a new record in a new Rails 4 app using a scaffold without changing anything and I m running into the same problem so I guess it s not something I did

User · Accepted Answer

I think I just figured it out  I changed the  new  default  protect from forgery with   exception   to  protect from forgery with   null session   as per the comment in ApplicationController     Prevent CSRF attacks by raising an exception    For APIs  you may want to use  null session instead    You can see the difference by looking at the source for request forgery protecton rb  or  more specifically  the following lines   In Rails 3 2     This is the method that defines the application behavior when a request is found to be unverified    By default   Rails resets the session when it finds an unverified request  def handle unverified request   reset session end   In Rails 4   def handle unverified request   forgery protection strategy new self  handle unverified request end   Which will call the following   def handle unverified request   raise ActionController  InvalidAuthenticityToken end

User · Answer

Came across the same problem  Fixed it by adding to my controller         skip before filter  verify authenticity token  if   json request

User · Answer

Adding the following line into the form worked for me    lt    hidden field tag  authenticity token  form authenticity token   gt

User · Answer

Add authenticity token  true to the form tag

User · Answer

This is a security feature in Rails  Add this line of code in the form    lt    hidden field tag  authenticity token  form authenticity token   gt    Documentation can be found here  http   api rubyonrails org classes ActionController RequestForgeryProtection html

User · Answer

I don t think it s good to generally turn off CSRF protection as long as you don t exclusively implement an API   When looking at the Rails 4 API documentation for ActionController I found that you can turn off forgery protection on a per controller or per method base   For example to turn off CSRF protection for methods you can use  class FooController  lt  ApplicationController   protect from forgery except   index

User · Answer

These features were added for security and forgery protection purposes  However  to answer your question  here are some inputs  You can add these lines after your the controller name   Like so   class NameController  lt  ApplicationController     skip before action  verify authenticity token   Here are some lines for different versions of rails   Rails 3     skip before filter  verify authenticity token   Rails 4      skip before action  verify authenticity token    Should you intend to disable this security feature for all controller routines  you can change the value of protect from forgery to  null session on your application controller rb file   Like so   class ApplicationController  lt  ActionController  Base   protect from forgery with   null session end

User · Answer

When you define you own html form then you have to include authentication token string  that should be sent to controller for security reasons  If you use rails form helper to generate the authenticity token is added to form as follow    lt form accept-charset  UTF-8  action   login signin  method  post  gt     lt div style  display none  gt       lt input name  utf8  type  hidden  value   amp  x2713     gt       lt input name  authenticity token  type  hidden  value  x37DrAAwyIIb7s w2 AdoCR8cAJIpQhIetKRrPgG5VA   gt     lt  div gt           lt  form gt    So the solution to the problem is either to add authenticity token field or use rails form helpers rather then compromising security etc

User · Answer

If you re using jQuery with rails  be wary of allowing entry to methods without verifying the authenticity token   jquery-ujs can manage the tokens for you  You should have it already as part of the jquery-rails gem  but you might need to include it in application js with       require jquery ujs   That s all you need - your ajax call should now work  For more information  see  https   github com rails jquery-ujs

User · Answer

Instead of turn off the csrf protection  it s better to add the following line of code into the form   lt    tag  input   type   gt   hidden    name   gt  request forgery protection token to s   value   gt  form authenticity token    gt     and if you re using form for or form tag to generate the form  then it will automatically add the above line of code in the form

User · Answer

This official doc - talks about how to turn off forgery protection for api properly http   api rubyonrails org classes ActionController RequestForgeryProtection html

User · Answer

All my tests were working fine  But for some reason I had set my environment variable to non-test   export RAILS ENV something non test   I forgot to unset this variable because of which I started getting ActionController  InvalidAuthenticityToken exception    After unsetting  RAILS ENV  my tests started working again

User · Answer

Did you try     protect from forgery with   null session  if  Proc new   c  c request format json

[ruby-on-rails] Rails 4 Authenticity Token

Examples related to ruby-on-rails

Examples related to ruby

Examples related to ruby-on-rails-4

Examples related to authenticity-token