How can I retrieve the CSRF token to pass with a JSON request?
I know that for security reasons Rails is checking the CSRF token on all the request types (including
I resolved that error this way:
class ApplicationController < ActionController::Base
  protect_from_forgery
  skip_before_action :verify_authenticity_token, if: :json_request?

  protected

  def json_request?
    request.format.json?
  end
end
Source: http://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection.html
This answer is better.
You get to keep the CSRF token validation with no extra effort (the token is appended before any XMLHttpRequest send). No jQuery, nothing, just copy/paste and refresh.
Simply add this code.
(function() {
  var send = XMLHttpRequest.prototype.send;
  XMLHttpRequest.prototype.send = function(data) {
    // Read the token from the <meta name="csrf-token"> tag rendered by csrf_meta_tags.
    // Plain DOM API, so no jQuery is required; skip silently if the tag is missing.
    var meta = document.querySelector('meta[name="csrf-token"]');
    if (meta) {
      this.setRequestHeader('X-CSRF-Token', meta.getAttribute('content'));
    }
    return send.apply(this, arguments);
  };
}());
You can send the CSRF token, after a successful log-in, using a custom header.
E.g., put this in your sessions#create:
response.headers['X-CSRF-Token'] = form_authenticity_token
Sample log-in response header providing the CSRF token:
HTTP/1.1 200 OK
Cache-Control: max-age=0, private, must-revalidate
Connection: Keep-Alive
Content-Length: 35
Content-Type: application/json; charset=utf-8
Date: Mon, 22 Oct 2012 11:39:04 GMT
Etag: "9d719d3b9aabd413c3603e04e8a3933d"
Server: WEBrick/1.3.1 (Ruby/1.9.3/2012-10-12)
Set-Cookie: [cut for readability]
X-Csrf-Token: PbtMPfrszxH6QfRcWJCCyRo7BlxJUPU7HqC2uz2tKGw=
X-Request-Id: 178746992d7aca928c876818fcdd4c96
X-Runtime: 0.169792
X-Ua-Compatible: IE=Edge
This token is valid until you log in again (or log out, if you support this through your API). Your client can extract and store the token from the log-in response headers. Then, each POST/PUT/DELETE request must set the X-CSRF-Token header with the value received at log-in time.
Sample POST headers with the CSRF token:
POST /api/report HTTP/1.1
Accept: application/json
Accept-Encoding: gzip, deflate, compress
Content-Type: application/json; charset=utf-8
Cookie: [cut for readability]
Host: localhost:3000
User-Agent: HTTPie/0.3.0
X-CSRF-Token: PbtMPfrszxH6QfRcWJCCyRo7BlxJUPU7HqC2uz2tKGw=
Documentation: form_authenticity_token
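The exchange described in this answer, with both sides in one runnable script, as an added example that is not part of any answer above and not Rails' own code. A Hash stands in for the Rack request and response, `Session` stands in for the Rails session, `CsrfApp`, `ApiClient` and `csrf_demo` are hypothetical names, and `json_request?` is approximated by looking at the Content-Type header rather than `request.format`. The `skip_for_json:` switch reproduces the `skip_before_action :verify_authenticity_token, if: :json_request?` shortcut from the first answer so its effect can be compared with the header-based check, and the client plays the role the XMLHttpRequest patch in the second answer plays in a browser.

```ruby
require 'securerandom'

# Simulated server (hypothetical, not Rails' own code). A request is a Hash:
#   { method: 'POST', path: '/api/report', headers: { ... }, session: Session }
# and a response is { status:, headers:, body: }.
Session = Struct.new(:user, :csrf_token)

class CsrfApp
  SAFE_METHODS = %w[GET HEAD OPTIONS].freeze

  # skip_for_json: true mirrors the first answer's
  #   skip_before_action :verify_authenticity_token, if: :json_request?
  def initialize(skip_for_json: false)
    @skip_for_json = skip_for_json
  end

  def call(request)
    session = request[:session]
    return respond(401, {}, 'login required') unless session

    # sessions#create: hand the per-session token to the client in a header,
    # the role form_authenticity_token plays in the answer above.
    if request[:method] == 'POST' && request[:path] == '/session'
      session.csrf_token = SecureRandom.base64(32)
      return respond(200, { 'X-CSRF-Token' => session.csrf_token }, '{"logged_in":true}')
    end

    return respond(422, {}, 'invalid authenticity token') unless verified?(request, session)

    respond(200, {}, '{"ok":true}')
  end

  private

  # Equivalent of verify_authenticity_token: safe methods pass, everything
  # else must echo the session's token back in X-CSRF-Token.
  def verified?(request, session)
    return true if SAFE_METHODS.include?(request[:method])
    return true if @skip_for_json && json_request?(request)

    sent = request[:headers]['X-CSRF-Token'].to_s
    return false if session.csrf_token.nil? || sent.empty?

    secure_compare(sent, session.csrf_token)
  end

  # Stand-in for request.format.json?, keyed off the Content-Type header.
  def json_request?(request)
    request[:headers]['Content-Type'].to_s.start_with?('application/json')
  end

  # Constant-time comparison so the check does not leak how many leading
  # bytes of the submitted token matched.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize

    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  def respond(status, headers, body)
    { status: status, headers: headers, body: body }
  end
end

# Client side of the exchange: keep the token from the login response and
# send it on every state-changing request.
class ApiClient
  attr_reader :token

  def initialize(app, session)
    @app = app
    @session = session
    @token = nil
  end

  def login
    res = @app.call(method: 'POST', path: '/session', headers: {}, session: @session)
    @token = res[:headers]['X-CSRF-Token']
    res
  end

  def post(path, token: @token)
    headers = { 'Content-Type' => 'application/json' }
    headers['X-CSRF-Token'] = token if token
    @app.call(method: 'POST', path: path, headers: headers, session: @session)
  end
end

# Runs the flow once and returns the status each kind of POST receives.
def csrf_demo(skip_for_json: false)
  app = CsrfApp.new(skip_for_json: skip_for_json)
  client = ApiClient.new(app, Session.new('alice', nil))
  client.login
  {
    with_token:    client.post('/api/report')[:status],
    wrong_token:   client.post('/api/report', token: 'not-the-real-token')[:status],
    without_token: client.post('/api/report', token: nil)[:status]
  }
end

p csrf_demo
p csrf_demo(skip_for_json: true)
```

With the header check in place only the request carrying the token from the login response gets a 200; a missing or wrong token is answered with 422. With `skip_for_json: true` all three POSTs succeed, which is exactly the check the first answer turns off for JSON requests.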
I had the same issue with the following version of Rails:
gem 'rails', :git => 'git://github.com/rails/rails.git', :branch => '3-2-stable'
I updated to 3.2.2 and everything works fine for me now. :)
gem 'rails', '3.2.2'