Rails adding an unpermitted param to requests on its own

Question

I've got a Vue app that's communicating with a Rails 6 API. I've noticed some weird behaviour in some of my endpoints where Rails receives some params that seemingly never actually get sent from the frontend, as if Rails is just kind of injecting them by itself. It's not a huge issue since these params ultimately just get rejected anyway and the permitted params work fine, but I'm curious as to what exactly is happening.

For example, my login method on the frontend will call the /authenticate endpoint with a JSON containing a username and password. As you can see in the screenshot below, that's the entire request payload that gets sent to Rails.

But in the Rails logs, every single time this request gets made, I see an extra unpermitted param show up in the form of user => { username: "dummy" }.

My authenticate controller method is a very simple one

def authenticate
  @user = User.find_by(username: user_params[:username])

  if @user&.authenticate(params[:password])
    token = JsonWebToken.encode(user_id: @user.id)
    render json: { token: token, user: @user }, status: :ok
  else
    render json: { error: 'Invalid username or password, please try again' }, status: :unauthorized
  end
end

def user_params
  params.permit(:username, :password, :email)
end

What exactly is happening here?

Answer 1

these are called wrapped parameters and inserted by rails on a controller level

https://api.rubyonrails.org/v6.0.0/classes/ActionController/ParamsWrapper.html

Wraps the parameters hash into a nested hash. This will allow clients to submit requests without having to specify any root elements.

You can turn it off by placing this wrap_parameters false in your controller or even customize it on controller level or on the app level inside the initializer config/initializers/wrap_parameters.rb