1

I am developing an iOS app for a RoR api (my co-worker made it). I am trying to develop the login portion, but while testing the api in POSTMan, I noticed it requires a CSRF token. Is there a way to get around doing an api call to get the CSRF?

Side note: I am using AFNetworking 2.0

George L
  • 1,673
  • 2
  • 26
  • 39
  • Looks like this question seems similar to yours (I haven't delved too deeply). Does it help? http://stackoverflow.com/questions/7600347/rails-api-design-without-disabling-csrf-protection – Taryn East Jul 30 '14 at 00:48

2 Answers2

2

There are a couple things you can do:

  1. You can launch a GET request before you do the post, and retrieve the sessions CSRF token. Then submit the POST form with an authenticity_token parameter as the proper CSRF token. You can embed the original token anywhere in the view with the rails helper form_authenticity_token, or just get it from the sign up form's hidden tag. (This is my favorite option)
  2. You can make a secondary loggin-in action on your site that is actually a GET request in and of itself. It's not too dangerous to bypass the CRSF token here because anyone should have access to log in. This has the advantage of keeping CRSF for any other action you may need, but it wouldn't work for actions that need more security.
  3. You can make your iOS page consist of a UIWebView. I'm not sure if this will suit your needs, but it would have the proper CSRF token and you can remove the UIWebView after submitting. It's kind of like option 1, but bulkier.

Good luck!

Kites
  • 1,098
  • 9
  • 21
0

Easiest fix is to change the server side to not authenticate the CSRF token. Here's an example of using a different controller for your API.

class Api::BaseController < ApplicationController
  skip_before_filter :verify_authenticity_token
end

In general, your API is either going to require authentication for API calls (in which case you should have your own authentication, or OAuth, or any number of authentication mechanisms) or isn't (in which case it's a publicly accessible API and CSRF doesn't matter). There a few other threads here and here that discuss it.

From another answer on SO (go upvote it!):

CSRF attacks rely on cookies being implicitly sent with all requests to a particular domain. If your API endpoints do not allow cookie-based authentication, you should be good.
Community
  • 1
  • 1
Waynn Lue
  • 11,344
  • 8
  • 51
  • 76
  • Do not do this! It removes CSRF protection from your site. – Taryn East Jul 30 '14 at 00:46
  • 1
    I am not very good with RoR yet, but this seems like a bad idea down the line. – George L Jul 30 '14 at 00:46
  • I started searching for other responses about CSRF and APIs, and I came across this thread -- doesn't that apply here as well? http://stackoverflow.com/questions/10741339/do-csrf-attack-worries-apply-to-apis – Waynn Lue Jul 30 '14 at 00:48
  • @waynnlue good point with that comment. I will talk to the backend dev about best practices. – George L Jul 30 '14 at 00:50
  • @TarynEast Does that answer make sense? I assume you downvoted for that reason, but I feel like for APIs it's different for the reasons I stated. Let me know if you disagree. :) – Waynn Lue Jul 30 '14 at 02:56
  • If you have another API endpoint for API-only login, then you don't need to remove CSRF from the rest of the app... just from that endpoint. I'd still tread very carefully around removing csrf - even if you don't need it, you shouldn't need to remove it for your app to work. – Taryn East Jul 30 '14 at 05:08