Reputation: 3804
I'm confused about the CSRF token and this kind of stuff.
I googled and found that
skip_before_action :verify_authenticity_token
will skip the CSRF issues for a REST API,
so I wrote code like this in application_controller.rb:
skip_before_action :verify_authenticity_token, :if => :json_request?
def json_request?
request.format.json?
end
But my question is: is that really all there is to it? Isn't the CSRF token there for security protection? Can I just skip this critical feature?
Upvotes: 1
Views: 1938
Reputation: 3575
In my case I use:
class ApplicationController < ActionController::Base
protect_from_forgery unless: -> {request.format.json?}
end
I used this in a project where there are no users or any other sensitive data, so there is no need to use auth tokens. But if you manage sensitive data you should use auth tokens somehow (JWT, X-Auth-Token, etc.).
Upvotes: 2
Reputation: 1055
You can just add a subclass of ApplicationController and overwrite the protect_from_forgery method like so:
class API::V1::BaseController < ApplicationController
protect_from_forgery with: :null_session
respond_to :json
end
And then make your api controllers inherit from this one!
Check out the APIs on Rails tutorial; it might help.
Upvotes: 1
Reputation: 4171
Typically, people create a subcontroller of application controller to handle the API. Then API controllers subclass the API controller, and you can turn off csrf protection for only those controllers.
If you're building a real API, one that other people can use to get and post data, then you'd have some other means of authenticating that those users have permissions to either read, write, or both.
But if the API is just serving requests from your own HTML/JavaScript app, then you can simply include the CSRF token with the AJAX calls.
WARNING: Can't verify CSRF token authenticity rails
Upvotes: 1
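As an added example that is not part of the original question or any of the answers: a stand-alone Ruby model of what protect_from_forgery actually checks (a masked token that is unmasked and compared against the session secret, in the style Rails uses) together with the policy from the last answer, where the CSRF check is dropped only for API callers that authenticate some other way. The session hash, the request hash and the API_KEYS store are constructed stand-ins, not Rails objects.

```ruby
require "securerandom"

module CsrfDemo
  TOKEN_LENGTH = 32

  # Per-session secret (in Rails it lives in the encrypted session cookie).
  def self.real_token(session)
    session[:_csrf_token] ||= SecureRandom.random_bytes(TOKEN_LENGTH)
  end

  # Rails-style masking: base64(pad || pad XOR real); every rendered token differs.
  def self.masked_token(session)
    pad = SecureRandom.random_bytes(TOKEN_LENGTH)
    [pad + xor(pad, real_token(session))].pack("m0")
  end

  def self.xor(a, b)
    a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack("C*")
  end

  # Constant-time comparison so the secret does not leak through timing.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # What verify_authenticity_token does with X-CSRF-Token: decode, unmask, compare.
  def self.valid_token?(session, masked)
    raw = masked.to_s.unpack1("m0")
    return false unless raw.bytesize == 2 * TOKEN_LENGTH
    pad, enc = raw[0, TOKEN_LENGTH], raw[TOKEN_LENGTH, TOKEN_LENGTH]
    secure_equal?(xor(pad, enc), real_token(session))
  rescue ArgumentError
    false
  end

  # Constructed stand-in for "some other means of authenticating" API callers.
  API_KEYS = { "key-123" => "service-account" }.freeze

  # Skip the CSRF check only when the caller presents a non-cookie credential;
  # browser-originated JSON (no bearer token) still needs a valid X-CSRF-Token.
  def self.authorize(session, request)
    return :allowed if request[:method] == "GET"
    auth = request.dig(:headers, "Authorization").to_s
    if auth.start_with?("Bearer ")
      return API_KEYS.key?(auth.delete_prefix("Bearer ")) ? :allowed : :forbidden
    end
    valid_token?(session, request.dig(:headers, "X-CSRF-Token")) ? :allowed : :forbidden
  end
end
```

A blanket "skip for JSON" rule would return :allowed for the last case regardless of the header, which is exactly the gap the question asks about.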