Rails CSRF token authenticity on Incoming external POST Requests

My Rails application subscribes to POST notifications from an external system (the Orion context broker). I handle sending JSON data and processing the response (ruby->Orion).

But when a notification request comes in, I get the InvalidAuthenticityToken error with the "Can't verify CSRF token authenticity" warning.

I, [2015-12-03T16:56:53.215991 #22189]  INFO -- : Started POST "/machine/listen" for 127.0.0.1 at 2015-12-03 16:56:53 +0000
I, [2015-12-03T16:56:53.221524 #22189]  INFO -- : Processing by MachineController#listen as XML
I, [2015-12-03T16:56:53.221762 #22189]  INFO -- :   Parameters: {"subscriptionId"=>"5660745482ef938cd5055ae3", "originator"=>"localhost", "contextResponses"=>[{"contextElement"=>{"type"=>"Printer", "isPattern"=>"false", "id"=>"UM1", "attributes"=>[{"name"=>"temperature", "type"=>"float", "value"=>"110"}]}, "statusCode"=>{"code"=>"200", "reasonPhrase"=>"OK"}}], "machine"=>{"subscriptionId"=>"5660745482ef938cd5055ae3", "originator"=>"localhost", "contextResponses"=>[{"contextElement"=>{"type"=>"Printer", "isPattern"=>"false", "id"=>"UM1", "attributes"=>[{"name"=>"temperature", "type"=>"float", "value"=>"110"}]}, "statusCode"=>{"code"=>"200", "reasonPhrase"=>"OK"}}]}}
W, [2015-12-03T16:56:53.223637 #22189]  WARN -- : Can't verify CSRF token authenticity
I, [2015-12-03T16:56:53.224191 #22189]  INFO -- : Completed 422 Unprocessable Entity in 2ms (ActiveRecord: 0.0ms)
F, [2015-12-03T16:56:53.225189 #22189] FATAL -- : 
ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken):

I understand that the message that is sent back (Orion->ruby) does not contain the proper security token.

Maybe I could disable protect_from_forgery, but I am definitely looking for a way to manage authentication between those different services.

Thanks

jbheren asked Nov 26 '25 06:11

1 Answer

It's OK to disable CSRF protection if you know what you are doing! Just make sure you don't disable it for your whole website.

Use something like skip_before_action :verify_authenticity_token in the controller that receives those POST requests.

Damiano Stoffie answered Nov 28 '25 20:11
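An added example (not from the question or the answer, and not Orion's or Rails' own code) of what "don't disable it for your whole website" looks like in practice: CSRF verification is skipped for the one webhook action only, and a shared-secret HMAC over the raw request body stands in for the token. The header name X-Webhook-Signature, the ORION_WEBHOOK_SECRET variable and the sample body are assumptions.

```ruby
# Added example (not from the question or answer): a shared-secret HMAC check
# that can replace the CSRF token for a single webhook action. Assumed names:
# ORION_WEBHOOK_SECRET, the X-Webhook-Signature header, MachineController#listen.
require "openssl"

module WebhookAuth
  ALGORITHM = "sha256"

  # Hex-encoded HMAC of the raw request body under the shared secret.
  # The sending side (Orion, or a proxy in front of it) must compute the same value.
  def self.signature_for(body, secret)
    OpenSSL::HMAC.hexdigest(ALGORITHM, secret, body)
  end

  # Compare two strings in constant time so timing does not leak the expected digest.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # true only when the header carries the correct HMAC for this exact body.
  def self.valid?(body, header_value, secret)
    return false if header_value.nil? || secret.nil? || secret.empty?
    secure_compare(signature_for(body, secret), header_value.to_s.strip)
  end
end

# Controller wiring in a Rails app (shown as a comment because it needs Rails to load):
#
#   class MachineController < ApplicationController
#     skip_before_action :verify_authenticity_token, only: :listen   # CSRF off for this action only
#     before_action :authenticate_orion!, only: :listen
#
#     def listen
#       # process params["contextResponses"] ...
#       head :ok
#     end
#
#     private
#
#     def authenticate_orion!
#       secret = ENV.fetch("ORION_WEBHOOK_SECRET")
#       sig    = request.headers["X-Webhook-Signature"]
#       head :unauthorized unless WebhookAuth.valid?(request.raw_post, sig, secret)
#     end
#   end

# Constructed sample notification body, shaped like the one in the question's log.
SAMPLE_BODY = '{"subscriptionId":"5660745482ef938cd5055ae3","originator":"localhost"}'
```

Any tampering with the body or the secret (even one extra byte) makes valid? return false, and a request with no signature header is rejected outright.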


