
I have some authentication in Ruby (from this tutorial, which uses the gem "bcrypt-ruby", :require => "bcrypt") and I need to write the authenticity_token into a JSON file. How can I get it and create this file?

Update: I've written:

    json.array!(@session) do |session|
      json.extract! session, :csrf-token
      json.url tag_url(session, format: :json)
    end

But it doesn't work. I need to write, from the HTML,

    <meta content="authenticity_token" name="csrf-param" />
    <meta content="74Mhbpn9FF/tY/cgfuVmX7ribN4rOkkdUjSgbLNsces=" name="csrf-token" />

This value: 74Mhbpn9FF/tY/cgfuVmX7ribN4rOkkdUjSgbLNsces=

This is my sessions_controller:

    class SessionsController < ApplicationController
      def new
      end

      def index
        # Note: this only reads the instance variable; nothing is assigned to it.
        @session
      end

      def create
        user = User.authenticate(params[:email], params[:password])
        if user
          # Store the user's id in the (cookie-backed) session on success.
          session[:user_id] = user.id
          redirect_to root_url, :notice => "Logged in!"
        else
          flash.now.alert = "Invalid email or password"
          render "new"
        end
      end

      def destroy
        session[:user_id] = nil
        redirect_to root_url, :notice => "Logged out!"
      end
    end
henio180
  • What did you try? Can you elaborate your question and put in some code that you've tried? – Manoj Monga Apr 02 '14 at 19:43
  • But I don't know how to start and where I can find some info about the variable which has this value. – henio180 Apr 02 '14 at 19:47
  • I have now {"url":"...sessions/%23%3CActionDispatch::Request::Session:0x007f6de02e1968%3E.json"} and how can I read the auth key? – henio180 Apr 06 '14 at 18:57

1 Answer

There's a view helper called form_authenticity_token which accesses or assigns the token like this:

    def form_authenticity_token
      session[:_csrf_token] ||= SecureRandom.base64(32)
    end

To grab it in your controller, use session[:_csrf_token].

fabianfetik
  • I'm not sure where the quoted code about extracting the authenticity token is being used in your application, how it's supposed to be used or what you are trying to achieve with this. Can you elaborate? As a sidenote, I hope this is just for education. For serious applications you should never try to roll your own authentication code unless you really know what you are doing and the solutions out there don't fit your needs. Instead you should rely on heavily crowd-tested solutions like [devise](https://github.com/plataformatec/devise), which is in use by thousands of applications. – fabianfetik Apr 02 '14 at 20:36
  • I need to log in to this application with an Android application, so I need this token. – henio180 Apr 02 '14 at 20:39
  • We use this token to prevent **Cross-site request forgery**, so that no other application is able to post data to our server. If you really want to let another application post data to your application then you can either remove `protect_from_forgery` from `ApplicationController` or use some other authentication strategy. For your reference you can go through http://stackoverflow.com/questions/247110/looking-for-suggestions-for-building-a-secure-rest-api-within-ruby-on-rails/250308#250308 – Manoj Monga Apr 02 '14 at 21:42
  • I have now {"url":"...sessions/%23%3CActionDispatch::Request::Session:0x007f6de02e1968%3E.json"} and how can I read the auth key? – henio180 Apr 06 '14 at 18:55
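The following is an added, stand-alone Ruby example (not code from the question, the answer, or Rails itself) that ties the two threads above together: it reproduces the form_authenticity_token helper the answer quotes, serialises the csrf-param/csrf-token pair the question wanted as JSON, and shows the server-side half that the comments allude to, namely that the token is only accepted for the session that issued it. The session is a plain Hash standing in for the Rails session store, and valid_authenticity_token? and secure_compare are hypothetical names chosen here; the comparison mirrors the constant-time byte loop Rails uses in its security utilities, not the masked-token variant of newer Rails versions.

```ruby
require "securerandom"
require "json"

# Constructed stand-in for the Rails session: a plain Hash. In Rails the
# session lives in a signed/encrypted cookie, so a client that reads the
# token from JSON must also present that cookie for the token to mean anything.

# Same shape as the helper quoted in the answer: generate once, then reuse.
def form_authenticity_token(session)
  session[:_csrf_token] ||= SecureRandom.base64(32)
end

# What the question asked for: the two values the <meta> tags carry, as JSON.
def csrf_json(session)
  JSON.generate(
    "csrf-param" => "authenticity_token",
    "csrf-token" => form_authenticity_token(session)
  )
end

# Constant-time comparison (hypothetical helper, modelled on the byte-XOR loop
# Rails uses). Early-returning on length reveals only the length, not content.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  left = a.unpack("C*")
  diff = 0
  b.each_byte { |byte| diff |= byte ^ left.shift }
  diff.zero?
end

# Server-side check for a state-changing request (hypothetical helper that
# mirrors what protect_from_forgery does for an unmasked token): the submitted
# token must match the one stored in *this* session.
def valid_authenticity_token?(session, submitted)
  expected = session[:_csrf_token]
  return false if expected.nil? || submitted.nil?
  secure_compare(expected, submitted)
end

if __FILE__ == $0
  browser_session = {}
  payload = csrf_json(browser_session)          # e.g. written to a .json file
  token = JSON.parse(payload)["csrf-token"]
  puts payload
  puts "same session accepts token:  #{valid_authenticity_token?(browser_session, token)}"
  puts "other session rejects token: #{valid_authenticity_token?({}, token)}"
end
```

Run it with `ruby csrf_example.rb`. The second line of output is the practical answer to the Android question in the comments: a token copied out of the JSON is useless without the session cookie it was minted for, which is why a separate API authentication scheme is the usual route for non-browser clients.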