
I have my Rails 3 app on Heroku and when I send bank info I get: `WARNING: Can't verify CSRF token authenticity`, but my CSRF token is set up. https://gist.github.com/anonymous/7081401

$.ajax({
  url: '#{credit_cards_path}',
  type: 'POST',
  beforeSend: function(xhr) { xhr.setRequestHeader('X-CSRF-Token', '#{form_authenticity_token}'); },
  dataType: "json",
  data: {
    cc_uri: response.data.uri,
    address: $('.address').val()
    // etc ...
  },
  success: function(randomobject) {
    window.location = '/products/' + randomobject.value + '/receipt';
  }
});

heroku logs

829962+00:00 app[web.1]: Started POST "/products/2/card" for 100.2.109.97 at 2013-10-21 09:13:03 +0000
835379+00:00 app[web.1]: WARNING: Can't verify CSRF token authenticity
834929+00:00 app[web.1]: Processing by CreditcardsController#addcard as HTML
834929+00:00 app[web.1]: Parameters: {"state"=>"NY", "id"=>"2"}
604099+00:00 heroku[router]: at=info method=POST path=/products/2/card host=app.herokuapp.com fwd="100.2.109.97" dyno=web.1 connect=1ms service=1781ms status=500 bytes=643
604259+00:00 app[web.1]:
602739+00:00 app[web.1]: Completed 500 Internal Server Error in 1768ms
604259+00:00 app[web.1]: Balanced::BadRequest (Balanced::BadRequest(400)::Bad Request:: POST https://api.balancedpayments.com/v1/customers: request: Invalid field [card_uri] - "None" must be a string URI Your request id is OHMfe86f2883a3011e3980d02a1fe53e539. ):
Alain Goldman
  • Can you confirm that the value of `#{form_authenticity_token}` is being outputted correctly in the compiled JavaScript? – John Oct 21 '13 at 20:58
  • Is that a compiled JavaScript? Like a js.erb file? Are you regenerating it for each request? – phoet Oct 21 '13 at 21:18
  • Yes phoet, this gets generated when I get a successful callback from my payment API each time – Alain Goldman Oct 25 '13 at 08:26

1 Answer


Might be to do with your use of `#{form_authenticity_token}`

According to this source, "WARNING: Can't verify CSRF token authenticity rails", you should be able to use this code:

headers: {
  'X-Transaction': 'POST Example',
  'X-CSRF-Token': $('meta[name="csrf-token"]').attr('content')
},
Richard Peck
  • It's getting there, but there is another issue I can see. You're trying to include Ruby variables in a .js file. Before trying my solution, try changing your `balanced.js` to `balanced.js.erb` and see what happens with your original code – Richard Peck Oct 25 '13 at 08:49
  • Ahh, solved it!! Turns out my JavaScript wasn't actually getting to the browser; I seem to have forgotten to put in `//=require myjs.js` – Alain Goldman Oct 25 '13 at 09:17
  • lol! I always find people ask questions on SO, but their problem is actually not related to the thing they have the problem with! If you have any further requirements, please let me know! – Richard Peck Oct 25 '13 at 09:23
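
An added example, not part of the original question or answer: a small helper that builds the `X-CSRF-Token` header from the `csrf-token` meta tag and refuses a value that still contains template syntax, which is what a literal `#{form_authenticity_token}` in a plain `.js` file would send. The function names, the origin and the token value are assumptions made for illustration.

```javascript
// Added example; helper names are hypothetical, not part of Rails or jQuery.

// Read-only methods: this example sends no token for them.
const READ_ONLY = new Set(['GET', 'HEAD']);

// Template syntax left in the value means the server never rendered it,
// e.g. '#{form_authenticity_token}' shipped in a plain .js asset.
function looksUninterpolated(token) {
  return /#\{[^}]*\}|<%[\s\S]*?%>/.test(token);
}

// Token as emitted by csrf_meta_tags in the page <head>; null when absent.
function readCsrfMetaToken(doc) {
  const meta = doc.querySelector('meta[name="csrf-token"]');
  return meta ? meta.getAttribute('content') : null;
}

// Headers to add to a request issued from a page served at pageOrigin.
function csrfHeaders(method, url, pageOrigin, token) {
  if (READ_ONLY.has(method.toUpperCase())) return {};
  const target = new URL(url, pageOrigin); // resolves relative paths
  // Never hand the session's CSRF token to another origin.
  if (target.origin !== new URL(pageOrigin).origin) return {};
  if (typeof token !== 'string' || token.trim() === '') {
    throw new Error('csrf-token meta tag is missing or empty');
  }
  if (looksUninterpolated(token)) {
    throw new Error('CSRF token was not rendered by the server: ' + token);
  }
  return { 'X-CSRF-Token': token };
}

// Constructed sample values (origin and token are placeholders).
const ORIGIN = 'https://app.example.test';
const SAMPLE_TOKEN = 'c2FtcGxlLXRva2Vu';
console.log(csrfHeaders('POST', '/products/2/card', ORIGIN, SAMPLE_TOKEN));

// In a browser the result can be passed as the `headers` option of $.ajax:
//   headers: csrfHeaders('POST', url, location.origin, readCsrfMetaToken(document))
```
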