Invalid Authenticity Token on Post

Question

I am using devise to sign up/in.

routes

get 'profile' => 'profile#get_profile'
post 'profile' => 'profile#create_profile'

and profile_controller

def get_profile
    render json: {user: current_user}, status: :ok
end

def create_profile
    render json: {user: current_user}, status: :ok
end

GET: http://localhost:3000/user/profile returns the expected output. However,

POST request throws an error saying:

ActionController::InvalidAuthenticityToken in User::ProfileController#create_profile.

Please demystify this behavior.

Possible duplicate of [ActionController::InvalidAuthenticityToken](http://stackoverflow.com/questions/3364492/actioncontrollerinvalidauthenticitytoken) — NickGnd, Dec 13 '15 at 14:28

NickGnd · Accepted Answer · 2015-12-13T20:03:12.827

To disable CSRF protection you can edit your ApplicationControllerlike this:

class ApplicationController < ActionController::Base
  protect_from_forgery with: :null_session

  # ...
end

or disable the CSRF protection for specific controller:

class ProfilesController < ApplicationController
  skip_before_action :verify_authenticity_token

  # ...
end

:null_session strategy empties the session instead of raising an exception which is perfect for an API. Because the session is empty, you can't use current_user method or othes helpers that refer to the session.

IMPORTANT:

protect_from_forgery with: :null_session must be used only in specific cases, for example to allow API request (POST/PUT/PATCH/DELETE) without html form
With protect_from_forgery with: :null_session you must restrict access to your data with an authorization system because every one could do request against your API endpoint
Don't remove protect_from_forgery with: :exception for requests that are done through html form, is dangerous! (read here http://guides.rubyonrails.org/security.html#cross-site-request-forgery-csrf)

To handle both standard requests (through html form) and API requests generally you have to set up two different controller for the same resource. Example:

Routes

Rails.application.routes.draw do
  resources :profiles

  namespace :api do
    namespace :v1 do
      resources :profiles
    end
  end

end

ApplicationController

# app/controllers/application_controller.rb
class ApplicationController < ActionController::Base
  # Prevent CSRF attacks by raising an exception.
  # For APIs, you may want to use :null_session instead.
  protect_from_forgery with: :exception
end

ProfilesController

(standard controller for html requests)

# app/controllers/profiles_controller.rb
class ProfilesController < ApplicationController

  # POST yoursites.com/profiles
  def create
  end
end

Api::V1::ProfilesController

(controller for API requests)

# app/controllers/api/v1/profiles_controller.rb
module Api
  module V1
    class ProfilesController < ApplicationController
      # To allow only json request
      protect_from_forgery with: :null_session, if: Proc.new {|c| c.request.format.json? }

      # POST yoursites.com/api/v1/profiles
      def create
      end
    end
  end
end

refereces: http://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection/ClassMethods.html#method-i-protect_from_forgery

I have disabled CSRF protection for now. When did protect_from_forgery with: :null_session I was unable get current_user from session. — Imran Ahmad, Dec 13 '15 at 15:34
@Emmy `protect_from_forgery with: :null_session` provides an empty session during every request, or rather, you can't use `current_user` method or helpers that refer to the `session`, because it's empty. I edited my answer to try to explain better the different cases. — NickGnd, Dec 13 '15 at 19:32
@Imran as NickGnd has outlined, and which I think needs to be highlighted: YOU NEED TO HAVE an authorisation and authorisation in place to ensure that rogue API post requests cannot do any damage to your app. — BenKoshy, Jun 29 '18 at 05:58

score 5 · Answer 2 · answered Dec 13 '15 at 13:10

5

Get requests don't have an authenticity token.

You will have to add the request forgery stuff to your forms using this

<%= csrf_meta_tag %>

And address via javascript

$('meta[name="csrf-token"]')

answered Dec 13 '15 at 13:10

Austio

5,939
20
34

I have not created any form yet, I am doing the back end side only rendering the json output in browser. – Imran Ahmad Dec 13 '15 at 13:20
I got it whatever you said but is there another way to fix it because I don't have frontend part. – Imran Ahmad Dec 13 '15 at 13:33

score -3 · Answer 3 · answered Dec 13 '15 at 14:13

-3

In ApplicationController (or another controller your controllers inherit from) there's a line:

protect_from_forgery with: :exception

Remove it and CSRF checks will be disabled.

answered Dec 13 '15 at 14:13

Jeiwan

954
6
13

2

Don't do this. Its there for a reason. You will open the app up to CSRF attacks. – Greg Blass May 18 '17 at 11:41
3

@gregblass how is the null_session different from removing the protect_from_forgery line altogether? – BenKoshy Jun 29 '18 at 05:56

Invalid Authenticity Token on Post

3 Answers3

Routes

ApplicationController

ProfilesController

Api::V1::ProfilesController