I have a rails app with a POST url which creates some resources.I have a page with a form which takes in all the information and does an AJAX call to the POST url without authenticity token.
Am doing data["authenticity_token"] = "";, before doing the AJAX call.
Parameters logged on serverside are like below
{"utf8"=>"✓", "authenticity_token"=>"", "company_customer"=>{"name"=>"Anand"}}
The resources are created without any error(I have protect_from_forgery with: :exception in my ApplicationController).
But when I tried to call the same POST url from Postman, I get InvalidAuthenticityToken error.
Why am I getting the error?
How does the rails app verify the authenticity of the POST request in first case?
In the first step i.e. from browser , you might be having some session id in the cookies but here not.
Also, if you were hitting by remote:true option, it will take the authenticity token from the page in the hidden field.
For more details , check your logs in both cases.
This token is automatically added in as hidden field when you are using form_for helper method to generate forms, so Rails makes sure the request comes from one of your forms.
You should unprotect your controller action when requested from postman or any other app, see how to here : https://stackoverflow.com/a/22715175/8352929
You can find how CSRF works from here. I recommend you go through it.
Whenever you use form_for Rails adds one hidden input field to your form which looks like the following:
<input type="hidden" name="authenticity_token" value="doLYVxrkhdrzn7zzriHXjFE6ZhNCuXVxLrau4ouENmuKKC/SWp2NMM/MeL/Ji2tDvzNcJHVN/Hc0LIluL3o5QQ==" />
Also, Rails include CSRF token in the meta tags of the website which looks like the following:
<meta name="csrf-token" content="zxnmBxg81JUQPG/C/wb3HRCah0m9Xe2A+gZ5N0Oy7cfwC+dF4hC325WxdVDLfkIxcw/CR/xyaC1phpvZ4EcgQw==" />
So, when you use Rails form_for or something similar to make AJAX call(may be with remote: true) the authenticity token is sent to the server. Which was not present when you tried to send the same request with Postman.
If you copy the CSRF token and add it to Postman params, the request will be completed successfully.
Related
I had the <%= csrf_meta_tags %> in my HEAD tag, but I created the form manually, so the authenticity_token hidden field was not getting inserted in my form.
So I added the authenticity_token manually:
<input name="authenticity_token" value="<%= form_authenticity_token %>" type="hidden">
When I send my website's default contact form (user is not logged in) the action that handles it should verify the token and allow/deny the request. But it is not: I use jQuery to empty the field and submit the form but not error or exception are thrown.
I got this line protect_from_forgery with: :exception in application_controller.rb and put the same in the foo_controller.rb that extends application_controller and has the action that responds to the contact form.
So what am I missing? What do I have to do to have this form verified in the backend?
Thanks a lot!
When the submitted auth token is missing or not matching the one in session, Rails does what protect_from_forgery with: specifies but the request handling is not terminated. What happens is session gets destroyed so request is handled as belonging to a non-logged in user.
Here is an excellent writeup discussing how protect_from_forgery works.
It's hard to tell without looking at the code but I'd say your form submission code either does not pickup the auth token input value or it becomes stale before the request is made. The latter can happen for in a number of scenarios such as page loaded from the browser cache or browser tabs used to login/logout in parallel with the page in question.
I'm sending an AJAX request from my rails site to itself (to go from javascript to a controller). Rails refuses to allow the POST unless I supply an authenticity token, so I added one using
<%= csrf_meta_tags %>
and
var AUTH_TOKEN = "<%=j form_authenticity_token %>"
and everything was fine. However, a new customer recently installed the plugin that accesses my site and triggers the AJAX in the first place. But for this one customer--the authenticity token was denied, despite being supplied (I checked in the logs.)
I realize I'm not giving a lot of clues to go off of, but what could cause the authenticity token to be accepted in one situation and denied in another? More broadly, how is the authenticity_token generated anyways--a new one every single time the page is loaded?
Rails assigns a cryptographically random CSRF token to the the user session.
The server compares the value submitted for the authenticity_token parameter to the value associated with the user’s session.
One thing you especially need to be careful with is that if you are using fragment caching (which speeds up rendering by caching chunks of the view) you need to ensure that your <%= csrf_meta_tags %> are not cached since a stale csrf meta tag will lead to mismatch with the token stored in the session.
When posting with ajax, you need to forward the CSRF token with the X-CSRF-Token header.
var promise = $.ajax({
url: '/example',
type: 'POST',
beforeSend: function(xhr) {
xhr.setRequestHeader('X-CSRF-Token',
$('meta[name="csrf-token"]').attr('content'))
},
data: 'someData=' + someData
});
As a general rule of thumb you aren't supposed to trust any input of data from users. If you had a simple link_to with a parameter:
link_to "Click me", test_path(:my_param => "test")
The route might look like: example.com/test?my_param=test
How do I know if the param, or any injected data for that matter, is being filtered properly? The Rails 3 API doesn't specify that it filters data that is passed to the controller, but I want to make sure that the params[:my_param] is filtered securely in the controller before I utilize the params data.
Any thoughts?
Rails framework doesn't secure things by default for GET request. link_to tag is sending a http get request.
If it is a POST/PUT/DELETE request then the Rails uses protect_from_forgery for verify the data sending url
However in your case, its not hard to write a simple method to verify your data for get requests ,
you could write a before_filter to check the sending parameters for a GET request
HTH
I have a single page app that authenticates to another domain using CORS. All the requests are JSON requests.
My app can authenticates OK and can make GET requests OK. Authentication is using token_authenticatable. I.e. all requests append '?auth_token=whatever'
So, my actual problem is that when I try to do a PUT request I get a WARNING: Can't verify CSRF token authenticity message in the rails log as well as a CanCan::AccessDenied (You are not authorized to access this page.) exception.
Simply adding skip_before_filter :verify_authenticity_token to the rails controller fixes the issue.
Therefore I can only conclude that my ajax requests are sending an invalid or empty csrf_token.
I don't really understand how that can be, since I believe I am correctly sending the X-CSRF-Token header correctly with each ajax request.
Basically, my app authenticates and Devise sends back an auth_token and a csrf_token:
render :status => 200, :json => {
:auth_token => #user.authentication_token,
:csrf_token => form_authenticity_token
}
I then store those tokens in my ajax app, and using ajaxSend in jQuery, set it up so jQuery passes those tokens with each request:
initialize: ->
#bindTo $(document), 'ajaxSend', #appendTokensToRequest
appendTokensToRequest: (event, jqXHR, options) ->
if not #authToken? then return
if #csrfToken?
jqXHR.setRequestHeader 'X-CSRF-Token', #csrfToken
if options.type is 'POST'
options.data = options.data + (if options.data.match(/\=/) then '&' else '') +
$.param auth_token:#authToken
else
options.url = options.url + (if options.url.match(/\?/) then '&' else '?') +
$.param auth_token:#authToken
I can then see in the chrome network tab, that for each GET request the auth_token param is being sent, as well as the X-CSRF-Token header.
On PUT requests however it doesn't seem to be working though.
My theory is that CORS is stuffing things up. If you make a CORS request, your browser actually makes an additional OPTIONS request first just to check that you do have permission to access this resource.
I suspect that it is the OPTIONS request which is not passing the X-CSRF-Token header, thus rails immediately invalidates the csrf_token on the rails end. Then when jQuery makes the actual PUT request the csrf_token it passes is no longer valid.
Could this be the problem?
What can I do to prove that? Chrome doesn't seem to show me the OPTIONS requests in the network tab to help me debug the issue.
It's not a major issue, because I can just turn the CSRF stuff off. But I'd like to know why it's not working.
I think you'll need to handle the OPTIONS request, which should respond with the various headers that will allow the CORS request, IIRC they are the access-control-allow-method, access-control-allow-origin and access-control-allow-headers. Because the OPTIONS request is failing, the PUT request probably isn't occurring.
I just ran into the same issue. The problem is that the _session_id cookie cannot be sent in CORS. As a result, when Rails tries to verify the token, the session[:_csrf_token] is null and Rails generates a new one before comparison.
To solve the issue, you need to enable cookie sending in CORS. Here is the Mozilla Developer Network reference. Work is needed on both the server and client side to make it work.
Client
- Refer to your client technologies document.
Server
- Set the header Access-Control-Allow-Credentials to true (string) in the response to the preflight (HTTP OPTIONS) call.
In Rails every form submission need CSRF token authenticity.
It use to submit form securely.
The CSRF token(each time) will create newly in rails when we open our Application.
If the CSRF token not passing inside our controller this WARNING will show.
We need to pass this token in all form submissions.
InvalidAuthenticityToken from rails for POST request
Hi All
I have a rails server running to which I make a POST request.
The dataset is defined as
Now per rails documentation in order to make a POST a request I need to set the add "authenticity_token" to the query string. So if for example the authenticity_token is "xxxxxxx", the final url should look like http://mywebsite.com/doSomething?aut..._token=xxxxxxx
I get the authenticity token from the server in the flashvars.
I have a user defined canvas attribute called auth_token which I use to store the authenticity token.
Below is the openlaszlo code I use to make the request.
var d = canvas.datasets.ds;
var content = get_my_content();
d.setQueryParam('lzpostbody',content);
d.setQueryString({authenticity_token : encodeURIcomponent(canvas.auth_token) });
d.doRequest
In this code the setQueryString call seem to clear out the query params. If I change the order of the setQueryString and setQueryParam calls the opposite happens.
The question is. Is there a way to set the query string without changeing/deleting the query params.
Thanks very much
Puneet
I don't know anything about OpenLaszlo, but my guess is that setQueryParam adds or modifies one param, whereas setQueryString overwrites the whole query string with the contents of the object.
Shouldn't you want to just add the authenticity token?
d.setQueryParam('lzpostbody', content);
d.setQueryParam('authenticity_token', encodeURIcomponent(canvas.auth_token));