0

I have a create route with a Rails API. It works fine with postman. But it freezes with the actual site I'm building.

I think* I have handled csrf protection, but I DO see 'Can't verify CSRF token authenticity.' in the heroku log below. I have 'protect_from_forgery with: :null_session' in application controller.

I can't figure out what's going on. Here is the controller in full: 

class PostsController < ApplicationController
    # controls error handling 
    # rescue_from ActiveRecord::RecordInvalid, with: :render_unprocessable_entity_response
    rescue_from ActiveRecord::RecordNotFound, with: :render_not_found_response

    def index 
        @posts = Post.all
        render json: @posts, include: 'comments', status: 200
    end 

    def create 
        @post = Post.new(post_params)
        if @post.save
            render json: @post, status: 201
        else 
            render json: {status: "error", code: 400, message: "Not all required params were provided"}, status: 400
        end
    end 
   private 

    # defines the data in the post model
    def post_params
        params.permit(:content, :title)
    end

    def render_not_found_response(exception)
    render json: {
        message: "Validation Failed",
        errors: exception.message, 
        location: 'id'
    }, status: 422
    end 
end

Application controller: 

class ApplicationController < ActionController::Base
    # prevents csrf blocking
    protect_from_forgery with: :null_session
end

Here is the full error log from heroku: 

2018-04-26T22:38:30.591225+00:00 heroku[router]: at=info method=OPTIONS path="/posts" host=seabolt-rails-api.herokuapp.com request_id=b3fcf1fa-fc7f-4a7c-a9fe-d41af12d9bab fwd="73.71.195.204" dyno=web.1 connect=1ms service=2ms status=200 bytes=335 protocol=https
2018-04-26T22:38:30.702794+00:00 app[web.1]: I, [2018-04-26T22:38:30.701935 #4]  INFO -- : [c6c143d4-2846-40c2-b1fd-153defae6312] Processing by PostsController#create as */*
2018-04-26T22:38:30.691208+00:00 app[web.1]: I, [2018-04-26T22:38:30.690928 #4]  INFO -- : [c6c143d4-2846-40c2-b1fd-153defae6312] Started POST "/posts" for 73.71.195.204 at 2018-04-26 22:38:30 +0000
2018-04-26T22:38:30.702806+00:00 app[web.1]: I, [2018-04-26T22:38:30.702579 #4]  INFO -- : [c6c143d4-2846-40c2-b1fd-153defae6312]   Parameters: {"newPost"=>{"title"=>"sdfdsfsd", "content"=>"sfdfsdsfd"}, "post"=>{}}
2018-04-26T22:38:30.705007+00:00 app[web.1]: W, [2018-04-26T22:38:30.704875 #4]  WARN -- : [c6c143d4-2846-40c2-b1fd-153defae6312] Can't verify CSRF token authenticity.
2018-04-26T22:38:30.712141+00:00 app[web.1]: D, [2018-04-26T22:38:30.711967 #4] DEBUG -- : [c6c143d4-2846-40c2-b1fd-153defae6312]    (1.3ms)  BEGIN
2018-04-26T22:38:30.734534+00:00 app[web.1]: D, [2018-04-26T22:38:30.734374 #4] DEBUG -- : [c6c143d4-2846-40c2-b1fd-153defae6312]    (1.2ms)  ROLLBACK
2018-04-26T22:38:30.735886+00:00 app[web.1]: I, [2018-04-26T22:38:30.735792 #4]  INFO -- : [c6c143d4-2846-40c2-b1fd-153defae6312] Completed 400 Bad Request in 33ms (Views: 0.6ms | ActiveRecord: 2.6ms)
2018-04-26T22:38:30.737444+00:00 heroku[router]: at=info method=POST path="/posts" host=seabolt-rails-api.herokuapp.com request_id=c6c143d4-2846-40c2-b1fd-153defae6312 fwd="73.71.195.204" dyno=web.1 connect=1ms service=53ms status=400 bytes=613 protocol=https

I get this in my console, but it's my own error (and I think I need to change it because the reasoning seems to not be accurate: 

{status: "error", code: 400, message: "Not all required params were provided"}

Here is the redux-thunk action that initiates the request: 

export const createPost = newPost => dispatch => {
    console.log(newPost)
    return fetch(`https://seabolt-rails-api.herokuapp.com/posts `, {
        method: 'POST', 
        headers: {
            'content-type': 'application/json'
        }, 
        body: JSON.stringify({post: {newPost}})
    })
    .then(res => normalizeResponseErrors(res))
    .then(() => dispatch(getAllPosts()))
    .catch(err => console.error(err)); 
}

I'm not sure what to do. Help!

J Seabolt
  • 2,576
  • 5
  • 25
  • 57
  • Heya, can you add your form as well? cheers. – Taryn East Apr 26 '18 at 23:27
  • 1
    It's an API, so the form is through react. The data is being sent properly. – J Seabolt Apr 26 '18 at 23:30
  • I was mainly thinking of making sure that permit/require line up and having a look at how the csrf token was being added etc, but yeah it's harder to do that when it's react :) Generally I find that the majority of csrf problems are at the "adding the token to the form" end of things, rather than the backend. – Taryn East Apr 26 '18 at 23:32
  • 1
    Can you show us how you're making the request to your API? In most cases rails API needs CSRF to be fully disabled, but many folks believe that's a poor security practice. Check out this answer for some info on dealing with mixed API and browser/html rails 5 apps https://stackoverflow.com/questions/42795288/rails-5-api-protect-from-forgery – Zaksoup Apr 26 '18 at 23:33
  • I added it to the description. Kinda new with Rails APIs if that's not clear. Typically I use Node – J Seabolt Apr 26 '18 at 23:34

0 Answers0