I'm tinkering with Rails 6 and I am constantly getting ActionController::InvalidAuthenticityToken on forms generated by rails, such as (implementing the rails tutorial book register/login flow)

<%= form_for(@user, url: 'signup') do |f| %>
     <%= render 'partials/error_messages' %>
     <%= f.label :name, "Nimi" %>
     <%= f.text_field :name %>
     <%= f.label :email, "E-mail" %>
     <%= f.email_field :email %>
     <%= f.label :password, "Parool" %>
     <%= f.password_field :password %>
     <%= f.label :password_confirmation, "Korda parooli" %>
     <%= f.password_field :password_confirmation %>
     <%= f.submit "Loo konto", class: "button-green" %>
<% end %>

this happens on all forms, and the output dumps look like this

Dumps

application.html.erb

<!DOCTYPE html>
<html>
  <head>
    <title>Storebase - kaasaegsed e-poed!</title>
    <%= csrf_meta_tags %>
    <%= csp_meta_tag %>

    <%= javascript_pack_tag 'application', 'data-turbolinks-track': 'reload' %>
    <%= stylesheet_link_tag 'application', media: 'all', 'data-turbolinks-track': 'reload' %>
    <%= stylesheet_pack_tag 'application', 'data-turbolinks-track': 'reload' %>
  </head>

  <body class="bg-gray-100 text-gray-900">
    <% flash.each do |message_type, message| %>
      <div class="bg-blue-100 text-blue-500 flex items-center h-12 px-12 shadow-lg flash-<%= message_type %>"><%= message %></div>
    <% end %>

    <%= yield %>
    <%= debug(params) if Rails.env.development? %>
  </body>
</html>

What should I do?

Rando Hinn

  • Can you share application.html.erb ? – Dipak Gupta Aug 20 '19 at 11:21
  • @DipakGupta added :) – Rando Hinn Aug 20 '19 at 11:24
  • @RandoHinn what about `skip_before_action :verify_authenticity_token, only:[:index, :show]` ? – cnnr Aug 20 '19 at 11:39
  • @cnnr How secure is this? `skip_before_action :verify_authenticity_token, only:[:create]` does work, but wouldn't that open up my login to attacks? – Rando Hinn Aug 20 '19 at 17:03
  • @RandoHinn You should not skip token verification for the `create` action, because it's dangerous. Please add your controller with the create action and `application_controller` too. – cnnr Aug 21 '19 at 07:28
  • @RandoHinn were you using a [custom controller](https://github.com/heartcombo/devise#configuring-controllers) with devise? (I also have the problems you describe and wonder if custom controllers could have something to do with it) – stevec Oct 06 '20 at 08:46

1 Answer

Was seeing this in a controller that subclasses Devise to get after action hooks. It was only happening on :destroy actions for me.

class MySessionsController < Devise::SessionsController
  after_action :after_login,  only: [:create]
  after_action :after_logout, only: [:destroy]

  private

  def after_login
  end

  def after_logout
  end
end

I don't see the risk in skipping authenticating on a destroy, so adding this line inside the controller fixed the issue for me: skip_before_action :verify_authenticity_token, only:[:destroy]. ¯\_(ツ)_/¯

Is this a bug or feature introduced by the Rails6 upgrade? Is there a security risk that I'm not seeing by skipping? Any insights would be appreciated :)

davidpm4

  • I see no one answered, I'm facing the same problem trying to upgrade to Rails 6. Have you ever found an explanation regarding this problem? – Laurent Jan 06 '21 at 15:34
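For readers weighing the skip_before_action workaround discussed above, here is an added illustration of the check being skipped: my own Ruby re-implementation of the masked authenticity-token scheme that Rails' verify_authenticity_token relies on (not Rails', Devise's or either poster's code). The session holds a random token, each rendered form gets a freshly masked copy, and verification unmasks the submitted value and compares it in constant time; the last function shows why a form minted against a session that was later reset fails with exactly this error.

```ruby
require "securerandom"
require "base64"

TOKEN_LENGTH = 32 # bytes, the same size Rails uses

# Random per-session secret; Rails keeps it in the session as _csrf_token.
def new_session_token
  SecureRandom.random_bytes(TOKEN_LENGTH)
end

def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack("C*")
end

# Value embedded in the form / csrf_meta_tags: a fresh one-time pad followed
# by the session token XORed with that pad, so every render looks different.
def masked_token(session_token)
  pad = SecureRandom.random_bytes(TOKEN_LENGTH)
  Base64.strict_encode64(pad + xor_bytes(pad, session_token))
end

# Constant-time comparison so timing does not reveal how many bytes matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# What the before_action decides: unmask the submitted token and compare it
# with the token stored in the current session. Any malformed input fails.
def valid_authenticity_token?(session_token, submitted)
  return false if session_token.nil? || submitted.nil?
  begin
    decoded = Base64.strict_decode64(submitted)
  rescue ArgumentError
    return false
  end
  return false unless decoded.bytesize == TOKEN_LENGTH * 2
  pad, masked = decoded[0, TOKEN_LENGTH], decoded[TOKEN_LENGTH, TOKEN_LENGTH]
  secure_compare(xor_bytes(pad, masked), session_token)
end

# Scenario behind InvalidAuthenticityToken: the form was rendered under one
# session, but by the time it is submitted the session has been reset.
# (Constructed sessions are plain hashes standing in for the Rails session.)
def stale_form_accepted?
  old_session = { csrf_token: new_session_token }
  form_token = masked_token(old_session[:csrf_token])
  new_session = { csrf_token: new_session_token } # cookie lost or session reset
  valid_authenticity_token?(new_session[:csrf_token], form_token)
end
```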