Getting an ActionController::InvalidAuthenticityToken exception? (R: Take a look at CSRF answers!) #37
Comments
Hi @amalagaura, The token which is missing is not the authentication token, but the authenticity token - which is a security mechanism used to prevent cross-site request forgery (CSRF). The behavior you describe seems related to a change that Rails 4 introduced in the forms behavior and does not seem to involve Simple Authentication Token. Does this StackOverflow answer help you? I can be wrong, but I'm pretty sure that once you solve the authenticity token issue, your non-GET requests will go through and token authentication will just work fine. Please keep me updated : )
Thank you for your attention. It was unexpected, but I did not figure out the authentication vs. authenticity distinction which you pointed out. I think this Stack Overflow answer is also relevant. When I change the It is out of the scope of this GitHub issue, because I don't understand the full mechanics of CSRF protection. Thank you for your attention. You have done a nice job with this gem.
You're welcome! As you did, I've been reading a bit more about CSRF and, as you pointed out, APIs do not seem to require CSRF protection. Thanks for your feedback!
(I've edited the issue title to improve its discoverability in the solved questions list.)
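To make the mechanism discussed in this thread concrete, here is an added example; it is my own illustration, not code from Rails or from the simple_token_authentication gem. It models Rails 4's request forgery protection in a few lines of plain Ruby: GET and HEAD are never checked, any other verb must carry a token matching the one stored in the session (the real Rails names `authenticity_token` param and `X-CSRF-Token` header are used), and a failure applies one of the real Rails strategies, `:exception` (the default in a generated Rails 4 app, which produces the `ActionController::InvalidAuthenticityToken` seen in the issue), `:null_session` or `:reset_session`. The client identity (`user@example.com`, session `user_id` 42) and the `simulate` helper are constructed for the example.

```ruby
require 'securerandom'

# Added example (not Rails's or simple_token_authentication's code): a
# simplified model of Rails 4 request forgery protection, reproducing the
# behaviour in this thread. GET/HEAD are never checked; every other verb must
# carry a token matching the one in the session, either as the
# `authenticity_token` param or the `X-CSRF-Token` header. Otherwise the
# configured strategy applies: :exception (Rails 4's generated default),
# :null_session (the action runs with an empty session) or :reset_session.
class InvalidAuthenticityToken < StandardError; end

class ForgeryProtection
  SAFE_METHODS = %w[GET HEAD].freeze

  def initialize(strategy: :exception)
    @strategy = strategy
  end

  # Token the app would embed in its forms and <meta name="csrf-token"> tag.
  def issue_token(session)
    session[:_csrf_token] ||= SecureRandom.base64(32)
  end

  # Constant-time comparison so the check does not leak the token byte by byte.
  def secure_compare(expected, submitted)
    return false unless expected.is_a?(String) && submitted.is_a?(String)
    return false unless expected.bytesize == submitted.bytesize
    diff = 0
    expected.bytes.zip(submitted.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  def verified?(method, session, params, headers)
    return true if SAFE_METHODS.include?(method)
    submitted = params['authenticity_token'] || headers['X-CSRF-Token']
    secure_compare(session[:_csrf_token], submitted)
  end

  # Returns the session the controller action will see, or raises.
  def protect(method, session, params, headers)
    return session if verified?(method, session, params, headers)
    case @strategy
    when :exception     then raise InvalidAuthenticityToken, "#{method} without a valid CSRF token"
    when :null_session  then {}
    when :reset_session then session.clear
    else raise ArgumentError, "unknown strategy #{@strategy}"
    end
  end
end

# Simulate one request from an API client that authenticates with the
# X-User-Email header mentioned in the issue (the header value is made up).
# Returns :ok when the action runs with the real session, :empty_session when
# null_session/reset_session substituted an empty one, :raised on the exception.
def simulate(method, strategy: :exception, csrf_header: nil)
  fp = ForgeryProtection.new(strategy: strategy)
  session = { user_id: 42 }
  token = fp.issue_token(session)
  headers = { 'X-User-Email' => 'user@example.com' }
  headers['X-CSRF-Token'] = (csrf_header == :valid ? token : csrf_header) if csrf_header
  seen = fp.protect(method, session, {}, headers)
  seen.key?(:user_id) ? :ok : :empty_session
rescue InvalidAuthenticityToken
  :raised
end

if __FILE__ == $PROGRAM_NAME
  puts "GET, no token:                #{simulate('GET')}"
  puts "PATCH, no token:              #{simulate('PATCH')}"
  puts "PATCH, wrong token:           #{simulate('PATCH', csrf_header: 'not-the-token')}"
  puts "PATCH, X-CSRF-Token header:   #{simulate('PATCH', csrf_header: :valid)}"
  puts "PATCH, null_session strategy: #{simulate('PATCH', strategy: :null_session)}"
end
```

Running it shows why the issue's GET requests reached `authenticate_entity_from_token!` while PATCH and PUT did not: the forgery check runs before any authentication filter, and with the `:exception` strategy it aborts the non-GET request first. A browser client fixes this by sending the session's token; an API client that authenticates purely by headers has no session to forge, which is why a JSON-only controller is normally configured with `protect_from_forgery with: :null_session` (or skips the forgery filter for API requests), so the token filter is reached.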
I am having the strangest issue. I am only having successful authentications on GETs. I am passing the email and token via headers, not params:
`X-User-Email`
It works on GET, but not on PUT or PATCH. When I run a debugger it goes to the `authenticate_entity_from_token!` method only on GET. But on a PATCH or PUT I get an `ActionController::InvalidAuthenticityToken` and it does not go to the `authenticate_entity_from_token!` method. My routes are regular REST resources. It is a simple Rails 4 app with a single model just for testing.