I was working on a new Rails 4 app (on Ruby 2.0.0-p0) when I ran into some authenticity token problems.
While writing a controller that responds to json (using the respond_to
class method), I got to the create
action I started getting ActionController::InvalidAuthenticityToken
exceptions when I tried to create a record using curl
.
I made sure I set -H "Content-Type: application/json"
and I set the data with -d "<my data here>"
but still no luck.
I tried writing the same controller using Rails 3.2 (on Ruby 1.9.3) and I got no authenticity token problems whatsoever. I searched around and I saw that there were some changes with authenticity tokens in Rails 4. From what I understand, they are no longer automatically inserted in forms anymore? I suppose this is somehow affecting non-HTML content types.
Is there any way to get around this without having to request a HTML form, snatching the authenticity token, then making another request with that token? Or am I completely missing something that's completely obvious?
Edit: I just tried creating a new record in a new Rails 4 app using a scaffold without changing anything and I'm running into the same problem so I guess it's not something I did.
All my tests were working fine. But for some reason I had set my environment variable to non-test:
I forgot to unset this variable because of which I started getting
ActionController::InvalidAuthenticityToken
exception.After unsetting
$RAILS_ENV
, my tests started working again.Came across the same problem. Fixed it by adding to my controller:
Adding the following line into the form worked for me:
I don't think it's good to generally turn off CSRF protection as long as you don't exclusively implement an API.
When looking at the Rails 4 API documentation for ActionController I found that you can turn off forgery protection on a per controller or per method base.
For example to turn off CSRF protection for methods you can use
Did you try?
When you define you own html form then you have to include authentication token string ,that should be sent to controller for security reasons. If you use rails form helper to generate the authenticity token is added to form as follow.
So the solution to the problem is either to add authenticity_token field or use rails form helpers rather then compromising security etc.