Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Rails 5.0.0beta3: ActionController::InvalidAuthenticityToken in development

Tags:

ruby-on-rails

ruby-on-rails-5

csrf-protection

actioncontroller

I have just started a simple app with a couple of forms on Rails 5.0.0beta3.

In development, using http://localhost:3000 on Safari or Chrome to access the app, if I fill a form and submit it I always get an ActionController::InvalidAuthenticityToken error. However, if I reload the page before filling and submitting it then it works fine.

The app uses the defaults:

  • protect_from_forgery with: :exception in ApplicationController,
  • <%= csrf_meta_tags %> in html header through application layout,
  • development environment as created by rails.

Example:

<%= form_for @node, url: admin_book_nodes_url, as: :node do |form| %>
  <%= render "form", f: form %>
  <p><%= form.submit %> or <%= link_to "Cancel", admin_book_nodes_path %></p>
<% end %>

Log:

Started POST "/admin/book/nodes" for ::1 at 2016-03-20 11:54:31 +0000
Processing by Admin::Book::NodesController#create as HTML
  Parameters: {"utf8"=>"✓", "authenticity_token"=>"/G5pF6hSPx0Vf21Fi0FCh+VlOcHY4w8C5lmHmwr3NQRjfXUP9/xboybeV3tevmyTyHcwSX8LplU/HgZVGDbGlw==", "node"=>{"parent_id"=>"1", "position"=>"1", "title"=>"lkjlkj", "description"=>"lkjlj", "published"=>"0", "content"=>"lkjlkj"}, "commit"=>"Create node"}
Can't verify CSRF token authenticity
Completed 422 Unprocessable Entity in 1ms (ActiveRecord: 0.0ms)

It works fine if I disable per form CSRF tokens in the controller (self.per_form_csrf_tokens = false) so my issue is really at that level.

The session does not seem to be reset at any point.

Interestingly, when the form is first loaded, the authenticity token in the header's menage tag is different from the token in the form. The meta tag is also at the bottom of the header's tags. When I then reload the tokens are the same in both the meta tag and the form, and the meta tag is at the top of the header's tags.

Update:

I think that the issue is down to Turbolinks.

When the form page is accessed from another page in the app, an XHR request is fired by Turbolinks, and I encounter the issue.

However, when I reload the page the browser reloads it and I don't see the issue.

like image 230
spicyhotpot Avatar asked Mar 20 '16 11:03

spicyhotpot

1 Answers

I have raised an issue on Rails.

After further investigation it seems that the issue is due to option :url in form_for.

See: Issue #24257 (not resolved yet)

like image 156
spicyhotpot Avatar answered Nov 08 '22 06:11

spicyhotpot
Sign in to Comment

Related questions

You are trying to install in deployment mode after changing your Gemfile
Check for the existing of a header attribute in rails before invoking an action
How can I make 'bundle init' include gems by default?
Bootstrap: Hovering over button with custom color not changing styling
How to handle urls in emails with apartment gem
what's the difference between public/assets and app/assets in rails?
Rails :method=>:patch doesn't work
can not access local rails server
Passing variable into block - Rails [duplicate]
How to undo bundle install --deployment?
Rails 4 - which is preferable PATCH or POST for updates
Rails + Elastic Beanstalk + Passenger: change Passenger configuration
How to use `root_url` in the ActiveModel::Serializer?
Use Octokit to retrieve private repositories from organizations
While installing http_parser.rb ERROR: Failed to build gem native extension
Adding Google Analytics to Rails 4.2 app
Rails attempting to throttle my API with rack-attack. Unsure if it's working?
How to generate a model with has_one contraint
How to call an active_model_serializer to serialize records explicitly
Add values to Ruby JSON Object

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!