skip verify authenticity token vs protect from forgery with null session? - ruby-on-rails

I'm building a Rails app that needs to receive POST'd emails from Mailgun. All OK, I have a controller and routes for that.
All requests receive HTTP 422 because Rails says Invalid Authenticity Token, which is really expected in this case.
I won't use rack-cors because I only allow Mailgun to proceed with requests, authenticating with its own signature mechanism.
Here is my question: Should I use skip_before_action :verify_authenticity_token or should I use protect_from_forgery with: :null_session?

I ended up using protect_from_forgery with: :null_session as it won't contaminate any existing session.
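As an added example (not code from the original question or from Mailgun), here is the signature check the asker relies on, written in plain Ruby so it runs outside Rails; in the app it would sit in a before_action on the controller that declares protect_from_forgery with: :null_session. The signing key, the five-minute freshness window and the in-memory replay cache are assumptions.

```ruby
require "openssl"
require "set"

# Mailgun signs each webhook POST with HMAC-SHA256 over "timestamp + token"
# using the account's webhook signing key, and sends timestamp, token and
# signature as form fields. Checking freshness and remembering seen tokens
# keeps a captured valid request from being re-posted later.
class MailgunSignature
  MAX_SKEW = 5 * 60 # seconds; assumed freshness window

  def initialize(signing_key, seen_tokens = Set.new)
    @signing_key = signing_key
    @seen_tokens = seen_tokens # replay cache; assumed in-memory, would be shared storage in an app
  end

  # True only for a fresh, not-yet-seen, correctly signed request.
  def valid?(timestamp:, token:, signature:, now: Time.now.to_i)
    return false if timestamp.to_s.empty? || token.to_s.empty? || signature.to_s.empty?
    return false if (now - timestamp.to_i).abs > MAX_SKEW
    return false if @seen_tokens.include?(token)

    expected = OpenSSL::HMAC.hexdigest("SHA256", @signing_key, "#{timestamp}#{token}")
    return false unless constant_time_equal?(expected, signature.to_s.downcase)

    @seen_tokens << token
    true
  end

  private

  # Compare without leaking the position of the first mismatch through timing.
  def constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Produces the signature Mailgun would send; used here to build constructed test input.
def mailgun_sign(signing_key, timestamp, token)
  OpenSSL::HMAC.hexdigest("SHA256", signing_key, "#{timestamp}#{token}")
end

if __FILE__ == $PROGRAM_NAME
  key = "constructed-signing-key" # constructed sample value
  ts = 1_700_000_000
  verifier = MailgunSignature.new(key)
  puts verifier.valid?(timestamp: ts, token: "tok1", signature: mailgun_sign(key, ts, "tok1"), now: ts + 30)
end
```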

Related

How do I solve InvalidAuthenticityToken error from Postman?

I'm running postman to send requests to my rails server. I am facing authenticity token issues when sending POST requests to create new objects. I need to be able to send all requests across the server and add the necessary authentications to a Postman environment.
If you're creating an API and want to accept requests from other domains you'll need to disable this security filter.
To do it, add this to your controller:
skip_before_action :verify_authenticity_token, only: :your_post_action
You can disable it only for json requests, see this answer: https://stackoverflow.com/a/22715175/8352929

rails 4 resets session on every request in production

I am implementing a web app using rails 4.2.0 and ruby 2.2.0 and facing the problem that any time a request is done a new session is set. In that case I cannot save anything to the session since it's gone. Also that leads to a situation where the authenticity token cannot be checked.
For testing purposes forgery protection is disabled in ApplicationController, so that's not the reason why the session is reset.
class ApplicationController < ActionController::Base
  # protect_from_forgery with: :null_session
  skip_before_action :verify_authenticity_token
end
I am using active record store to save session, but same happens for cookie store:
MyApp::Application.config.session_store :active_record_store, :key => '_myapp_session', domain: :all, tld_length: 2
Every time a request is done a new entry is inserted into the sessions table with a new sessions_id, and the session cookie in the browser points to the new session.
Any ideas what could reset session?
This happens only in production environment. In development everything is fine.
Your issue is due to the call to skip_before_action :verify_authenticity_token; if the authenticity token is not verified, Rails will reset the session. You also want to re-enable protect_from_forgery.
I've also seen AJAX requests without an authenticity token cause the session to reset; again, more detail here: http://www.kalzumeus.com/2011/11/17/i-saw-an-extremely-subtle-bug-today-and-i-just-have-to-tell-someone/
Ref: https://stackoverflow.com/a/11943243/449342

Post CSRF check, devise still runs full function

In Rails, using devise, if a CSRF Check fails then the user's current session is cleared, i.e., logs the user out, because the server assumes it's an attack (which is the correct/desired behavior).
But the request is completed, hence the user record is still created. The hacker can then log in correctly.
How can I stop the method from continuing once devise realises auth_token is incorrect?
Devise doesn't do any checking of the auth token - it's action controller which does this (although it does call handle_unverified_request on your controller so that you can customise behaviour). In rails 4 and higher you can also specify what happens by default when the auth token is invalid:
protect_from_forgery with: :exception
causes an exception to be raised, which would stop the request being processed.
However, I am not sure what this buys you: CSRF is so that an attacker cannot abuse the fact that the user is already logged into your application, but if the attacker has a valid set of credentials then they don't need to do CSRF in the first place.

Occasional 422 error: client not sending session cookie?

A few users are getting a 422 ActionController::InvalidAuthenticityToken error when POSTing a form.
It happens to a minority of users some of the time. If they try their request again later, it often works.
The authenticity token is getting sent along in every case. I'm assuming the client isn't sending the session cookie along with the POST (that would explain why the server can't verify the token). Why would this be?
Finally, the form is submitted via javascript ($('#new_user')[0].submit()), would that somehow prevent the session cookie from being sent?
Disabling the verify_authenticity_token before_filter is unfortunately not an option.
We have run into this scenario with one of our apps. We store our sessions in memcached and if the session is evicted from the cache or the session expires, any subsequent post/put/delete raises a 422. We got round this by implementing a before filter 'requires_login?' that checked the session and logged the user out if the session had expired. We then moved the protect_from_forgery call in the application controller to run after requires_login?
E.g.
before_filter :requires_login?
protect_from_forgery
Hope this makes sense.

Rails / Doorkeeper: Can't verify CSRF token authenticity

I'm using Rails 3.2 with Doorkeeper gem for providing OAuth 2 API for 3rd party. I keep getting this warning when using my REST API from outside of the app:
WARNING: Can't verify CSRF token authenticity
The client app successfully authenticated via OAuth2. Why do I get this warning, and how do I implement CSRF properly for the external API?
Remove protect_from_forgery from your ApplicationController (or remove it for calls to the API).
Turn off CSRF protection only for the controller that you want open ... this is safer than removing protect_from_forgery from the ApplicationController. In this case I'm using the create action as an example ... though you can modify to suit your needs.
class MessagesController < ApplicationController
  protect_from_forgery with: :null_session, only: [:create]
  # doorkeeper_for :create
end
Uncomment the doorkeeper line if you are authenticating via doorkeeper.
The point is to open up only what needs to be opened up ...
