1

I'm trying to make an ajax call to communicate via 2 different apps

I am using localhost to host these apps, one in http://localhost:3000 and the other one in http://localhost:3001

in port 3000 I have devise setup with the basics

Here are the routes:

devise_for :users, controllers: { sessions: "users/sessions", registrations: "users/registrations" }

What I'm trying to do with the second app which is in port 3001, is to make an ajax post to sign in

here's the javascript:

$(function(){

    $('#sign_in_user').on('click', function(){

        var user = {
            user: {
                email: $('#sign_in_email').val(),
                password: $('#sign_in_password').val()
            }
        };

        $.ajax({
            type: 'POST',
            url: 'http://localhost:3000/users/sign_in',
            dataType: 'json',
            data: user,
            success: function(newSignin){
                console.log(newSignin);
            },
            error: function(){
                alert('error');
            }
        });
    });

});

but when it gets executed I get:

ActionController::InvalidAuthenticityToken at /users/sign_in

I've read a bit about the csrf meta tag, and beforeSend on the ajax call, but haven't been able to solve the issue.

What am I doing wrong here?

ps. I am using the gem 'rack-cors' to accept calls from other domains/apps.

Johhan Santana
  • 2,336
  • 5
  • 33
  • 61
  • have you added this line `protect_from_forgery with: :exception` in ApplicationController.? – Athar Jul 20 '15 at 18:29
  • it is for CSRF protection. in rails 4 when you create controller it adds by default. see this link for detail https://blog.nvisium.com/2014/09/understanding-protectfromforgery.html. u might need to change to this as well if error remain `protect_from_forgery with: :null_session` see this link http://stackoverflow.com/questions/16258911/rails-4-authenticity-token – Athar Jul 20 '15 at 18:42
  • okay change that to this one `protect_from_forgery with: :null_session` – Athar Jul 20 '15 at 18:42
  • @Athar , I tried changing it to `:null_session` and it let me do the post now, but I'm guessing that's not the right way to do it? – Johhan Santana Jul 20 '15 at 18:43
  • no. this is the right way.. please see this http://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection/ClassMethods.html this is from ActionController and null_session is valid option. see the last one. in latest rails. when you create project. in application controller. it tells you himself in these words: " # Prevent CSRF attacks by raising an exception. # For APIs, you may want to use :null_session instead. protect_from_forgery with: :exception" – Athar Jul 20 '15 at 18:47
  • Also, when I make the post, in this case Register an user, it will save the user in the database but it will give me the javascript alert in the ajax call instead of the `success` function – Johhan Santana Jul 20 '15 at 18:48
  • i would suggest you to read this: http://alexcoco.com/forgery-protection-strategy/ – Athar Jul 20 '15 at 18:49
  • is it not returning success.? – Athar Jul 20 '15 at 18:51
  • no it's not, but I'm guessing it's because devise is not returning an appropriate json response back, just html I think. – Johhan Santana Jul 20 '15 at 18:52
  • okay i dont think that is related to csrf token issue. please make sure about the request in controller how it is being received. – Athar Jul 20 '15 at 18:55

0 Answers0