How to turn off rails protect_from_forgery filter only for json

主宰稳场 提交于 2019-12-01 18:00:49

问题


I have web site built with Rails3 and now I want to implement json API for mobile client access. However, sending json post request from the client because of the protect_from_forgery filter. Because the client will not retrieve any data from the server, there is no way that the client can receive auth_token so I would like to turn off the protect_from_forgery option only for json requests (I thought rails3 does this in default but apparently it does not).

I know similar topic is discussed at here but in that case, he receives auth_token before sending post request.

So my question is turning off the protect_from_forgery only for json is good way of doing this? If yes, how to do so? If no, what is the alternative?

FYI, I use following ajax request

$.ajax({
             type: 'POST',  
             url: "http://www.example.com/login.json",  
             data: { 'email': emailVal, 'password': passwordVal },  
             success: onSuccess,  
             error: onError,  
             dataType: "json"  
});

and I get ActionController::InvalidAuthenticityToken error.

By the way, following curl command works though...
curl -H "Content-Type: application/json" -c cookies.txt -d '{"email": emailVal, "password": passwordVal}' -X POST http://www.example.com/login.json -i


回答1:


Take a look at this post: http://zadasnotes.blogspot.com/2010/11/rails-3-forgery-csrf-protection-for.html [archive.org]

Update

The article has been removed since then, so I did a quick search and I found the original author of the article posting this question on SO.

Rails 3 AJAX request authenticity token ignored




回答2:


You can just skip the authenticity token check if its a json request

class ApplicationController < ActionController::Base
  skip_before_filter :verify_authenticity_token, if: :json_request?

  def json_request?
    request.format.json?
  end
end



回答3:


Instead of disabling the CSRF check you can pass the authenticity_token field in your forms, eg:

<%= hidden_field_tag :authenticity_token, form_authenticity_token %>

http://apidock.com/rails/v2.0.0/ActionController/RequestForgeryProtection/ClassMethods/protect_from_forgery




回答4:


Add the code below to your ./app/controllers/application_controller.rb:

protect_from_forgery unless: -> { request.format.json? }


来源:https://stackoverflow.com/questions/5717258/how-to-turn-off-rails-protect-from-forgery-filter-only-for-json

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!