Reputation: 21
ActionController::InvalidAuthenticityToken in Rails 5 with post only
I have a simple application and I'm using Rails 5.0.0.1 (the app is called simpletest - it's as simple as I can make it) in order to figure some stuff out in Rails 5. I'm getting a weird error.
Here's config/routes.rb
Rails.application.routes.draw do
root "foo#bar"
get "dobaz" => "foo#bar"
match "dobaz" => "foo#baz", via: :post
end
Here's app/controllers/foo_controller.rb
class FooController < ApplicationController
def baz
if session[:qux].nil? || params[:reset] == "true"
session[:qux] = 0
else
session[:qux] += 1
end
@qux = session[:qux]
@format = request.format
render 'bar'
end
end
And here's apps/views/foo/bar.html.erb
<p>Qux: <%= @qux %></p>
<p>Format: <%= @format %></p>
<form action="/dobaz" method="post">
<p>Reset:
<input type="radio" name="reset" value="true">True</input>
<input type="radio" name="reset" value="false">False</input>
<input type="submit"/>
</form>
I'm not using any authentication or login or anything else. I am (obviously) using the session.
When I try to actually execute the app, I get the following error on an exception page:
ActionController::InvalidAuthenticityToken in FooController#baz
I've checked a bunch of answers. I do have <%= csrf_meta_tags %> in apps/views/layouts/application.html.erb.
This only happens with post. With get, it works fine. However, I need to use post.
Further, there is a solution, but it doesn't make sense to me. I can add the following code to the top of my controller, which (if I understand it properly) should reset the session if the format is json, and suddenly it works:
protect_from_forgery with: :reset_session, if: ->{request.format.json?}
but the format is text/html! Also, the session isn't being reset (as I can tell via session[:qux]. Why would this have any effect? If I just use:
protect_from_forgery with: :reset_session
it works, but of course it resets the session. Using :null_session in place of :reset_session has the same effect (both with and without the if).
I've done nothing special. Other than adding code, all I've done is:
rails new simpletest
[copied over Gemfile]
bundle install
rails generate controller foo bar
I'm running ruby 2.3.0p0 (2015-12-25 revision 53290) [x86_64-linux] on Debian 8.
Upvotes: 2
Views: 2464
Answers (2)
Reputation: 2539
As jphager2 mentioned this is an issue caused by Rails' protection against CSRF(Cross Site Request Forgery) when using input forms and can be easily solved by using a form helper instead of a simple HTML form.
You can see Faisal's great answer on this topic here -> Understanding the Rails Authenticity Token
Upvotes: 1
Reputation:
The problem is that you need to use a form helper which will automatically set up a hidden input for authenticty_token.
In you view you can just use form_tag (which is the simplest helper of this type)
<!-- in app/views/foo/bar.html.erb -->
<%= form_tag "/dobaz" do %>
<p>Reset:
<input type="radio" name="reset" value="true">True</input>
<input type="radio" name="reset" value="false">False</input>
<input type="submit"/>
<% end %>
Upvotes: 2
Related Questions
- Rails 5.0.0beta3: ActionController::InvalidAuthenticityToken in development
- Rails 5.2 ActionController::InvalidAuthenticityToken
- ActionController::InvalidAuthenticityToken at login using NGINX and Rails
- Rails 6 - constant ActionController::InvalidAuthenticityToken
- Rails 5.2 some controller actions gives InvalidAuthenticityToken
- random ActionController::InvalidAuthenticityToken in my rails app
- ActionController::InvalidAuthenticityToken in Rails 5
- Rails 5 InvalidAuthenticityToken, but token is present
- InvalidAuthenticityToken in post_via_redirect
- Why am I getting ActionController::InvalidAuthenticityToken with every post of my form?