rails - “WARNING: Can't verify CSRF token authenticity” for json devise requests

Frontend | Unresolved | 10 answers | 2118
终归单人心 2020-11-27 10:11

How can I retrieve the CSRF token to pass with a JSON request?

I know that for security reasons Rails is checking the CSRF token on all the request types (including

Related tags:
10 answers
  • 2020-11-27 10:45

    I resolved that error this way:

    class ApplicationController < ActionController::Base
      # Check the authenticity token on every non-GET request...
      protect_from_forgery
      # ...except when the request asks for JSON (request.format.json?);
      # such requests then run with no CSRF check at all.
      skip_before_action :verify_authenticity_token, if: :json_request?
    
      protected
    
      # True when the request's format (Accept header / .json extension) is JSON.
      def json_request?
        request.format.json?
      end
    end
    

    Source: http://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection.html

    0 · Discussion (0)
  • 2020-11-27 10:47

    This answer is better.

    You get to keep the CSRF token validation with no extra effort (the token is appended before any XMLHttpRequest send). No jQuery, no nothing; just copy/paste and refresh.

    Simply add this code.

    (function() {
        // Read the token from the <meta name="csrf-token"> tag that Rails'
        // csrf_meta_tags renders, without jQuery (the original used $(...)).
        var send = XMLHttpRequest.prototype.send,
            meta = document.querySelector('meta[name="csrf-token"]'),
            token = meta ? meta.getAttribute('content') : null;
        // Wrap the native send() so every request carries the token. The
        // header must be set after open() and before send(), which is
        // exactly where this wrapper runs.
        XMLHttpRequest.prototype.send = function(data) {
            if (token) {
                this.setRequestHeader('X-CSRF-Token', token);
            }
            return send.apply(this, arguments);
        };
    }());
    
    0 · Discussion (0)
  • 2020-11-27 10:48

    You can send the CSRF token, after a successful log-in, using a custom header.

    E.g., put this in your sessions#create:

    response.headers['X-CSRF-Token'] = form_authenticity_token
    

    Sample log-in response header providing the CSRF token:

    HTTP/1.1 200 OK
    Cache-Control: max-age=0, private, must-revalidate
    Connection: Keep-Alive
    Content-Length: 35
    Content-Type: application/json; charset=utf-8
    Date: Mon, 22 Oct 2012 11:39:04 GMT
    Etag: "9d719d3b9aabd413c3603e04e8a3933d"
    Server: WEBrick/1.3.1 (Ruby/1.9.3/2012-10-12)
    Set-Cookie: [cut for readability] 
    X-Csrf-Token: PbtMPfrszxH6QfRcWJCCyRo7BlxJUPU7HqC2uz2tKGw=
    X-Request-Id: 178746992d7aca928c876818fcdd4c96
    X-Runtime: 0.169792
    X-Ua-Compatible: IE=Edge
    

    This token is valid until you log in again (or log out, if you support this through your API). Your client can extract and store the token from the log-in response headers. Then each POST/PUT/DELETE request must set the X-CSRF-Token header to the value received at log-in time.

    Sample POST headers with the CSRF token:

    POST /api/report HTTP/1.1
    Accept: application/json
    Accept-Encoding: gzip, deflate, compress
    Content-Type: application/json; charset=utf-8
    Cookie: [cut for readability]
    Host: localhost:3000
    User-Agent: HTTPie/0.3.0
    X-CSRF-Token: PbtMPfrszxH6QfRcWJCCyRo7BlxJUPU7HqC2uz2tKGw=
    

    Documentation: form_authenticity_token

    0 · Discussion (0)
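To make concrete what the two server-side answers above are trading off (the first skips verification for JSON requests, this one hands the token to the client at log-in and expects it back in X-CSRF-Token), here is an added example that models the check in plain Ruby. It is not Rails' own code and not from any answer in this thread: the request is a plain Hash with :method, :headers and :params, the session is a Hash, and `issue_csrf_token`, `secure_compare`, `verified_request?` and `verified_request_skipping_json?` are hypothetical names chosen for the illustration. The last function models the skip-for-JSON variant beside the strict one so the difference is visible: a JSON request that arrives without any token is rejected by the strict check and accepted by the skipping one, which is only acceptable when those endpoints do not authenticate through the session cookie.

```ruby
require 'securerandom'

# Minimal model of Rails' request forgery protection (added example, not
# Rails' code): the session holds one CSRF token, the server gives it to
# the client once (as the answer above does via the X-CSRF-Token response
# header) and every non-safe request must echo it back.

SAFE_METHODS = %w[GET HEAD OPTIONS TRACE].freeze

# Return the session's token, creating it on first use. This plays the
# role of form_authenticity_token for the session (hypothetical helper).
def issue_csrf_token(session)
  session[:_csrf_token] ||= SecureRandom.base64(32)
end

# Constant-time comparison so response timing does not reveal how many
# leading bytes of a presented token matched (hypothetical helper; Rails
# uses ActiveSupport::SecurityUtils.secure_compare for this job).
def secure_compare(a, b)
  return false unless a.is_a?(String) && b.is_a?(String)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Strict check: safe methods pass; any other request must present the
# session's token in the X-CSRF-Token header or the authenticity_token
# form parameter. request = { method:, headers: {}, params: {} }.
def verified_request?(session, request)
  return true if SAFE_METHODS.include?(request[:method].to_s.upcase)
  expected = session[:_csrf_token]
  return false if expected.nil?
  presented = request[:headers]['X-CSRF-Token'] ||
              request[:params]['authenticity_token']
  secure_compare(expected, presented)
end

# The skip-for-JSON variant from the first answer, modelled with a plain
# Accept-header test in place of request.format.json?: JSON requests are
# never checked, so a cookie-authenticated JSON endpoint stays exposed.
def verified_request_skipping_json?(session, request)
  return true if request[:headers]['Accept'].to_s.include?('application/json')
  verified_request?(session, request)
end

# Constructed sample requests showing each decision.
def demo
  session = {}
  token = issue_csrf_token(session)
  get_req        = { method: 'GET',  headers: {}, params: {} }
  json_with      = { method: 'POST', headers: { 'Accept' => 'application/json',
                                                'X-CSRF-Token' => token }, params: {} }
  json_without   = { method: 'POST', headers: { 'Accept' => 'application/json' }, params: {} }
  {
    get_ok: verified_request?(session, get_req),
    post_with_token: verified_request?(session, json_with),
    post_without_token: verified_request?(session, json_without),
    post_without_token_when_skipping_json: verified_request_skipping_json?(session, json_without)
  }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

Running the file prints the four decisions; only the skip-for-JSON variant lets the token-less POST through, which is the behaviour the first answer's `skip_before_action` buys at the cost of the check.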
  • 2020-11-27 10:49

    I had the same issue with the following version of Rails:
    gem 'rails', :git => 'git://github.com/rails/rails.git', :branch => '3-2-stable'

    I updated to 3.2.2 and everything works fine for me now. :)
    gem 'rails', '3.2.2'

    0 · Discussion (0)