Background Details
I am using Devise for authentication to login to a Rails 5 application.
Whenever I bundle either the Audited or Paper Trail gem, when I attempt to #create a new session (via the sign in form - /users/sign_in), I receive the following error:
ActionController::InvalidAuthenticityToken
Environment Details
Ruby 2.3.1
Gems:
rails 5.0.2
devise => 4.2.1
paper_trail => 7.0.1
Steps to Reproduce:
Create Rails 5 application
Add Devise gem
Add Audited or Paper Trail gem
Attempt to login
As it turns out, Devise documentation is quite revealing with regard to this error:
For Rails 5, note that protect_from_forgery is no longer prepended to
the before_action chain, so if you have set authenticate_user before
protect_from_forgery, your request will result in "Can't verify CSRF
token authenticity." To resolve this, either change the order in which
you call them, or use protect_from_forgery prepend: true.
The fix was to change code in my application controller from this:
protect_from_forgery with: :exception
To this:
protect_from_forgery prepend: true
This issue did not manifest itself until I attempted adding Audited or Paper Trail gems.
This happened to me on my development machine. Turns out I was setting
Rails.application.config.session_store
for security purpose in production. And somehow in this code gets run on development mode. And I have to comment out this line and it works fine now.
Rails.application.config.session_store :cookie_store, key: '_my_session', secure: true, same_site: :strict
Another thing to try for anyone running into this is to add the following to your environment configuration file:
config.action_controller.forgery_protection_origin_check = false
For me, production was working correctly but staging and development were not and this fixed it for me.
In my project we have that problem and we can't to override protect_from_forgery.
The solution founded is indicate the github of audited and worked for me.
Put this in gemfile:
gem "audited", github: "collectiveidea/audited"
As mentioned in the documentation.
For Rails 5, note that protect_from_forgery is no longer prepended
to the before_action chain, so if you have set authenticate_user
before protect_from_forgery, your request will result in "Can't verify
CSRF token authenticity." To resolve this, either change the order in
which you call them, or use protect_from_forgery prepend: true.
I have used something like this and it works for me.
class WelcomeController < ::Base
protect_from_forgery with: :exception
before_action :authenticate_model!
end
The solution for me was to manually go to my browser's settings and delete the cache.
Related
I recently converted an existing Rails 6 application to an API-only application following this guide as well as some helpful information from here.
My frontend application uses session cookies to maintain authentication with the server (with a rack-cors setup) and all that works when I manually test it. Since I'm using a session cookie, I added CSRF protection with a cookie in my application controller like this:
class ApplicationController < ActionController::API
include ActionController::Cookies
include ActionController::RequestForgeryProtection
protect_from_forgery with: :exception
after_action :set_csrf_cookie
def set_csrf_cookie
cookies['X-CSRF-Token'] = form_authenticity_token
end
The problem I'm having is that my rspec tests are all failing with CSRF-related issues. Usually CSRF is disabled in the test environment in rails (as documented here), however I ran rails console -e test the following on both the API app and the old app and got a discrepancy:
Regular rails app:
Rails.application.config.action_controller.allow_forgery_protection
>> false
ApplicationController.allow_forgery_protection
>> false
API mode app:
Rails.application.config.action_controller.allow_forgery_protection
>> false
ApplicationController.allow_forgery_protection
>> true
Sure enough, when I disable CSRF protection completely, the tests start looking better.
Is there anyway to restore this behaviour in a Rails API app?
EDIT: I've also tried the above with a fresh rails app generated by rails new --api and I got the same behaviour.
I've seen no answers on SO so far that don't answer this without suggesting to just disable it (which I don't want to do).
Locally, everything works, but deployed to producton on Heroku I'm getting InvalidAuthenticityToken.
From everything I can see, everything is set up properly.
Fresh app on Rails 6.0.3.1 (so it's not migrated where the setting may be disabled by default)
RAILS_MASTER_KEY set in Heroku for session
session_store.rb set to Rails.application.config.session_store :cookie_store, key: '__app_session', expire_after: 1.year
csrf_meta_tags in my layout as well as csp_meta_tag
ajax not used, this is a plain form_with. I can see the CSRF tag in dev tools so I know it's in the HTML
I considered it maybe is because of this in ApplicationController:
before_action :authenticate
however it seems that prepend: true is no longer set within the application controller...
I tried overriding it anyway by just adding it (even though it's not there by default and it still doesnt work if I add this above the before_action line)
protect_from_forgery with: :exception, prepend: true
Edit I'll also say the fixed Sidekiq showing forbidden when trying to issue DELETE commands as well (kill job button)
Try adding config.force_ssl = true in your config/environments/production.rb and make sure your SSL is configured properly like you said switching to Full SSL instead of Flexible.
Rails 4.2, Ruby 2.2.0, Devise 3.5.7
I have an Admin model. In ideal case after sign in, it should be redirected to homepage. But in my case, it is signing in successfully, but while redirecting, somehow authentication fails, causing it to redirect to the sign in page again.
The controller which gets called is:
Class Admin::DashboardsController < ApplicationController
before_action :authenticate_admin!
before_filter :authorize
def show
end
end
In first view, I thought it is a problem with authorize method. But code never reaches it.
authenticate_admin! is a devise method. And I don't know if there is a point in debugging.
Surprisingly it works on local, but results in 401 Unauthorized after deploying.
Logs
I think the application is fine. It has to do something with your server configurations. Something might be missing.
As you said it is working locally, there might be something that you changed in your configurations for the server, that might be causing the problem. Check your config files, application.rb or any other subdomain files that you might be using.
I have been trying to sign in after signing out on my application using devise but I am having an issue with the cookies I think because I have to refresh my web page in order to sign in again. I tried using activerecord-session_store gem and I follow the steps to configure it. I mean, I installed the gem, I generated the recommended migration on the gem documentation and generated the table using rake db:migrate command, I also changes the session_store.rb file but I feel that I am missing something to make it work since I tried it and the same happens. Please help me if you feel I am missing something or if you have other solution for this problem. Many thanks in advance
You are probably getting a "Can't verify CSRF token authenticity" error. Can you check your server logs?
In your ApplicationController please add the following and check if you get an error.
protect_from_forgery with: :exception
I have created an ember-cli project (v 0.1.12) with ember.js (v 1.8.1) and Rails. Than I tried to install:
https://www.npmjs.com/package/ember-cli-simple-auth-token
but when I run the login POST the server responds to me with this error:
Can't verify CSRF token authenticity.
I notice that it sends only username and password, without token. What's going on here?
The short answer is that you can fix that issue in the development setting by disabling CSRF tokens all together. You wouldn't use that in production but you can at least disable it to confirm that the issue gets fixed. In the application_controller.rb file, remove: protect_from_forgery line. Also go to your session_store.rb file in initializers and set:
# Be sure to restart your server when you modify this file.
Rails.application.config.session_store :disabled
Once you get things working, you can re-add the protect_from_forgery line as so:
protect_from_forgery with: :null_session