I'm running postman to send requests to my rails server. I am facing authenticity token issues when sending POST requests to create new objects. I need to be able to send all requests across the server and add the necessary authentications to a Postman environment.
If you're creating an API and want to accept requests from other domains you'll need to disable this security filter.
To do it add this to your controller :
skip_before_action :verify_authenticity_token, only: :your_post_action
You can disable it only for json requests, see this answer: https://stackoverflow.com/a/22715175/8352929
Related
Scenario : I am working on a rails application in which our user is redirected to a third party application during payment request. Once it is done, we get the response back from that application via HTTP POST method. We have a controller action to handle that request but there is a before_action devise gem method 'authenticate_user!' for checking if the user is logged in.
Issue : when the application is accessed over https, the before_action check fails and the user is logged out of the application (Completed 401 Unauthorized). In case of http, it is fine.
Rails version : 4.2.6
Devise version : 3.5.6
I have not worked on devise much. Please let me know if you have any insights on this.
look to the token authentication.
for example you can assign to before_action a method wich check if user it's authenticated by token and this token keep in params when you make first request to payemnt application.
This is one example, you can make other scenario using token.
I'm building a Rails app that needs to receive POST'd emails from Mailgun. All OK, I have a controller and routes for that.
All requests receives HTTP 422 because Rails says Invalid Authenticity Token, which is really expected in this case.
I won't use rack-cors because I only allow Mailgun proceeding requests authenticating with its own signature mechanism.
Here my question: Should I use skip_before_action :verify_authenticity_token or should I use protect_from_forgery with: :null_session?
I ended up using protect_from_forgery with: :null_session as it won't contaminate any existing session.
I want to add authorization to my project based on this tutorial. I've got the part of retrieving an access token working. But when using the token to access a protected resource API I get a 401 unauthorized error.
The request has an authorization header with scheme Bearer and containing the access token. Like in the tutorial the API is protected with the [Authorize] attribute. During startup I setup Bearer Authentication with
UseOAuthBearerAuthentication(new Microsoft.Owin.Security.OAuth.OAuthBearerAuthenticationOptions())
It is not clear to me why the request is unauthorized. What can I check to find the cause of this problem?
After trying and checking many things, I noticed the authorization server and the resource server were using a different version of Owin and Owin.Security. After updating the older one, it worked. The tokens must have changed between the 2 versions.
I am currently using Postman to test my REST API. I've built it using Ruby-On-Rails, and using devise_token_auth to manage users sessions. After a successful log in, my API is rendering a client, an access-token, a token-type(BEARER) and an Uid. These elements are needed for every request that requires the user to be logged in and have to be sent on the header.
Let's say I am creating an article using a POST. The first POST succeeds and creates the article but when I try to create another article, I get :
{
"errors": [
"Authorized users only."
]
}
I suspect either Postman is behaving as a different client after each request, or my API is creating an access-token for the user after each request.
I finally managed to fix the issue:
According to devise_token_auth gem documentation, the access-token changes each time the client queries the API. Thus, I had to update the access-token, on my headers, whenever I wanted to send a request to my API.
To prevent the access-token from being changed after each request, add the following line to confing/initializers/devise_token_auth.rb:
config.change_headers_on_each_request = false
I added an answer to this linked question that applies to this question also. Using Tests and Pre-Requests scripts you can have Postman automatically save and update the token after each request.
This lets you use Postman without having to set config.change_headers_on_each_request = false inside your Rails app.
A few users are getting a 422 ActionController::InvalidAuthenticityToken error when POSTing a form.
It happens to a minority of users some of the time. If they try their request again later, it often works.
The authenticity token is getting sent along in every case. I'm assuming the client isn't sending the session cookie along with the POST (that would explain why the server can't verify the token). Why would this be?
Finally, the form is submitted via javascript ($('#new_user')[0].submit()), would that somehow prevent the session cookie from being sent?
Disabling the verify_authenticity_token before_filter is unfortunately not an option.
We have run into this scenario with one of our apps. We store our sessions in memcached and if the session is evicted from the cache or the session expires any subsequent post/put/delete raised a 422. We got round this by implementing a before filter 'requires_login?' that checked the session and logout the user out if the session had expired. We then moved the method protect_from_forgery in the application controller to run after requires_login?
E.G
before_filter :requires_login?
protect_from_forgery
Hope this makes sense