Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Rails 4 Ajax request with no authenticity token

I am sending some very simple ajax post and patch requests via javascript in my application. The functionality is fine, works as intended. However, I do not see the authenticity token in the ajax request params and it still works.

javascript (jQuery)

$.ajax({
  type:'PATCH', 
  url: '/dashboard/goals/#{@goal.id}.js', 
  data: $.param({ 
    new_invitation: { 
      recipient_id: recId, 
      type: "GoalInvite", 
      user_id : #{current_user.id}
    }
  })
}); 

and the params appear as follows in the log -

Parameters: {"new_invitation"=>{"recipient_id"=>"24", "type"=>"GoalInvite", "user_id"=>"23"}, "id"=>"234"}

no authenticity token. I think I know how I could add it in, but I am surprised that it even works without it. Can anyone shed some light on this?

like image 432
Matt Ramirez Avatar asked Jun 18 '14 13:06

Matt Ramirez


1 Answers

If you inspect the request object you'll (hopefully) see that there's a request header named HTTP_X_CSRF_TOKEN that contains the authenticity token. The jquery_ujs library takes care of this for you so you dont have to include the token in AJAX requests manually.

like image 183
Arctodus Avatar answered Oct 10 '22 16:10

Arctodus