Reputation: 17
I am now using an Arduino to send data to Rails in JSON format. But how do I get the authenticity_token and send it to Rails? Where should it be written, in the JSON or in an HTTP header? What should the format be?
If I add
protect_from_forgery :except => :create
in the controllers it works fine. But I do not want to disable the CSRF protection. This is my Arduino code:
client.println("POST /players.json HTTP/1.1");
client.println("Host: 192.168.1.3:3000");
client.println("User-Agent: Arduino/1.0");
client.println("csrf-param: authenticity_token");
client.println("csrf-token: V4gTh8yNdz9VMybUXkI6tHxzAHdfk3I+UoiXhxZWK0bkoh8iG5hVJ5sZOjzMAYLlwCwsXQQM102b1hF6TVyYJw==");
client.println("Connection: close");
client.println(lengthInfo);
client.println("Content-Type: application/json");
client.println();
root.printTo(client);
root.printTo(client) just sends the JSON.
I found a similar question:
HTTP request to update rails model from arduino
@Okomikeruko Did you figure out how to send an authenticity token from Arduino?
Upvotes: 0
Views: 1502
Reputation: 2498
The authenticity token is a security check for session-based authentication strategies. What it basically does is check that the user who fills in a web form is the same user who logged in (and avoid XSS attacks).
However, in my opinion this authentication strategy is not the best option for public APIs. In your case I would do one of the following:
Session based authentication. The first API request should be a POST request to the users controller. If this request is successful, the response should return a session cookie that you can use to authenticate your following requests (until the session is over).
Token based authentication. You can create a unique random n-char string (maybe 80 chars?) which would be the secret API key for each user. After that, each API request should include this key as a parameter in order to tell the controller "It's me".
Please note that the controllers you will use in your API queries are different from the ones you use in your web navigation. In my projects I usually have a folder "app/controllers/v1" to store the controllers used in the first version of my API.
Upvotes: 1
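The two options in the answer above, session-based and token-based authentication for a versioned API controller, as an added, Rails-free Ruby example (this is not code from the question, the answer, or Rails itself). The user table, the 80-character key length, the `Authorization: Bearer` header, the `api_key` parameter, the `_session_id` cookie name and the request hashes are all assumptions constructed for the illustration; a real app would keep a bcrypt password hash (has_secure_password) rather than the plaintext used here.

```ruby
require 'securerandom'
require 'digest'

# Constructed demo user table (plaintext password for illustration only).
USERS = { 'alice' => 'correct horse battery staple' }.freeze

# Constant-time string comparison (same idea as Rack::Utils.secure_compare),
# so comparing a presented password does not leak how many bytes matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Option 2 from the answer: a per-user random API key. The plaintext key is
# returned to the user exactly once; only its SHA-256 digest is stored, so a
# leaked table does not yield usable keys.
class ApiKeyStore
  KEY_HEX_CHARS = 80 # the answer suggests roughly 80 random characters

  def initialize
    @user_by_digest = {}
  end

  def issue(user_id)
    key = SecureRandom.hex(KEY_HEX_CHARS / 2) # 40 random bytes -> 80 hex chars
    @user_by_digest[Digest::SHA256.hexdigest(key)] = user_id
    key
  end

  def revoke(key)
    @user_by_digest.delete(Digest::SHA256.hexdigest(key))
  end

  # Hashing before the lookup means the hash table compares digests, not the
  # secret itself; a timing difference reveals at most part of a digest.
  def authenticate(key)
    return nil if key.nil? || key.empty?
    @user_by_digest[Digest::SHA256.hexdigest(key)]
  end
end

# Option 1 from the answer: POST /users logs in and returns a session id in a
# cookie; later requests present that cookie until the session expires.
class SessionStore
  def initialize(ttl_seconds)
    @ttl = ttl_seconds
    @sessions = {} # session id => [user_id, expires_at]
  end

  def login(user, password, now: Time.now)
    return nil unless USERS[user] && secure_compare(USERS[user], password)
    sid = SecureRandom.hex(32)
    @sessions[sid] = [user, now + @ttl]
    sid
  end

  def authenticate(sid, now: Time.now)
    user, expires_at = @sessions[sid]
    return nil unless user
    if expires_at <= now
      @sessions.delete(sid) # expired: drop it and treat as unauthenticated
      return nil
    end
    user
  end
end

# Stand-in for a v1 API controller's before_action. The request is a plain Hash
# with :headers, :cookies and :params, as an Arduino client would send them.
# Accepts, in order: Authorization: Bearer <key>, an api_key parameter, or a
# session cookie. Returns the user id or nil.
def authenticate_request(request, api_keys, sessions)
  auth = request.fetch(:headers, {})['Authorization'].to_s
  return api_keys.authenticate(auth.delete_prefix('Bearer ')) if auth.start_with?('Bearer ')
  key = request.fetch(:params, {})['api_key']
  return api_keys.authenticate(key) if key
  sid = request.fetch(:cookies, {})['_session_id']
  sessions.authenticate(sid) if sid
end

# POST /players.json handler: 401 without a valid key or session, 201 otherwise.
# No authenticity_token is involved; the API key or session is the credential.
def create_player(request, api_keys, sessions)
  user = authenticate_request(request, api_keys, sessions)
  return [401, { 'error' => 'unauthorized' }] unless user
  [201, { 'owner' => user, 'player' => request.fetch(:params, {})['player'] }]
end

if __FILE__ == $0
  keys = ApiKeyStore.new
  sessions = SessionStore.new(3600)
  key = keys.issue('alice')
  p create_player({ headers: { 'Authorization' => "Bearer #{key}" },
                    params: { 'player' => { 'name' => 'p1' } } }, keys, sessions)
  p create_player({ params: { 'player' => { 'name' => 'p1' } } }, keys, sessions)
end
```

In a real Rails app the v1 controller would keep CSRF protection for the browser controllers and use `protect_from_forgery with: :null_session` (Rails 4 and later) for the API ones, so a request without a valid token simply gets an empty session instead of an exception; `ActionController::HttpAuthentication::Token` provides the `Authorization` header parsing that `authenticate_request` does by hand above.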