
I've had a few instances where it appears that a user may go idle for quite some time and then may come back to a page with or without refreshing and upon submission of the form on the page, the user receives an HTTP 422 Invalid Authenticity Token error.

I understand what this error means but I am unsure how to properly handle the error. I don't want to remove the validation for the token in my controller. All of the other questions I have seen just talk about what the token is and not how to solve the issue.

Cannon Moyer

1 Answer

You can inspect the element (use the developer tools) on the form to see if there is a hidden input that holds the token. Otherwise, you can manually add authenticity_token to the form helper, e.g.:

```erb
<%= form_for(@model, ... authenticity_token: true) do |f| %>
```

After that, try to show the form to make sure you can see that a hidden input authenticity_token has been added to the form. I had the same experience when using Ajax, and I implemented it this way:

```erb
<%= form_for(@model, html: { multipart: true }, remote: local_assigns[:ajax_form], authenticity_token: true) do |f| %>
```

or

```erb
<%= form_for(@model, html: { multipart: true }, remote: true, authenticity_token: true) do |f| %>
```
olucube.com
  • So I do see the authenticity token in my meta tags but not embedded within my form. The token is NOT being submitted (I can see it in my rails console). I am submitting these forms with ajax. What would cause this to fail only 1% of the time? I would expect none of them to work. – Cannon Moyer Jan 10 '18 at 21:04
  • Follow the step above and you will see it in your form as well; that will guarantee it. It could be Ajax interacting with it. I had the same experience – olucube.com Jan 10 '18 at 21:09
  • Ok, I will give this a shot. It still doesn't make sense why I wouldn't at least be seeing the auth token in my logs from the request. – Cannon Moyer Jan 10 '18 at 21:21
  • If you inspect the element on the form you would see it. I am also still researching what is taking the original authenticity_token away – olucube.com Jan 10 '18 at 21:24
  • So I added in the code you suggested and the authenticity token now renders as a hidden input in the form. However, I decided to change the value manually and rails still accepted the altered auth token that was submitted and did not throw any errors. I'm testing this in dev mode. – Cannon Moyer Jan 10 '18 at 22:20
  • yep, that's it. – olucube.com Jan 10 '18 at 22:38
  • Sounds like something is still wrong though. It's accepting invalid auth codes. When I do the same thing on a non ajax form the validation fails. – Cannon Moyer Jan 10 '18 at 22:41
  • Hmm... mine did not fail, though I have a file upload in my form, but I noticed the form was submitted without Ajax. To address that I installed the remotipart gem. I learned this is a weakness in Rails when dealing with Ajax file upload. To fix it, I installed the remotipart gem. Sorry, this comment is becoming extended and I don't know how we can move this discussion to chat – olucube.com Jan 10 '18 at 22:57
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/162940/discussion-between-olucube-and-cannon-moyer). – olucube.com Jan 10 '18 at 23:23
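
For Ajax forms like the ones in the comments above, where the token is in the meta tags but not in the form, the request can carry it in the `X-CSRF-Token` header and treat a 422 as a rejected token rather than failing silently. This is an added example, not code from the original posts; the function names, the injected `fetchImpl` and `onStaleToken` hooks, and the rule that 422 means a rejected token are assumptions.

```javascript
// Added example; function names are hypothetical, not part of Rails or rails-ujs.

// Rails' csrf_meta_tags helper renders <meta name="csrf-token" content="...">.
function readCsrfToken(doc) {
  const meta = doc.querySelector('meta[name="csrf-token"]');
  return meta ? meta.getAttribute('content') : null;
}

// Build fetch() options that carry the token in the X-CSRF-Token header,
// which Rails accepts in place of the hidden authenticity_token field.
function buildRequest(doc, body) {
  const token = readCsrfToken(doc);
  if (!token) {
    throw new Error('csrf-token meta tag not found; check csrf_meta_tags in the layout');
  }
  return {
    method: 'POST',
    credentials: 'same-origin', // send the session cookie the token is tied to
    headers: { 'X-CSRF-Token': token },
    body,
  };
}

// Assumption: the app answers 422 only when the token is rejected. If model
// validations also render 422, tell the two apart on the server side.
function nextStep(status) {
  if (status >= 200 && status < 300) return 'done';
  if (status === 422) return 'stale-token';
  return 'error';
}

// fetchImpl and onStaleToken are injected so this runs outside a browser too.
async function submitForm(url, body, { doc, fetchImpl, onStaleToken }) {
  const response = await fetchImpl(url, buildRequest(doc, body));
  const step = nextStep(response.status);
  // Do not retry blindly: ask the user to reload so a fresh token is issued.
  if (step === 'stale-token') onStaleToken();
  return step;
}

// Constructed stand-in for `document`, holding a constructed token value.
function fakeDocument(token) {
  const meta = token === null ? null : { getAttribute: () => token };
  return { querySelector: (sel) => (sel === 'meta[name="csrf-token"]' ? meta : null) };
}
```

In a browser, pass `document` as `doc` and `window.fetch.bind(window)` as `fetchImpl`; `onStaleToken` is where the page would keep the user's input and prompt for a reload.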