I'm trying to make a Chrome extension for my Rails App that sends POST data with an ajax form. But, I get the response from the server:
ActionController::InvalidAuthenticityToken in AppController#getpostdata.
So I think I need to get an authenticity token and include that in my form.
Or, should I turn it off? And how?
Thanks
You can retrieve the token using the form_authenticity_token helper in a Rails view, during a GET request..
Alternately you can disable the token, or alternately use the :null_session option as this is considered the best for APIs. Consult the documentation for further info.
You can also skip the particular api method call in the controller as given below:
skip_before_filter :verify_authenticity_token, :only =>[:method_name]
Related
I have a WordPress page that I built before I learned Rails. On the page there is a form. I want to send the form data to a Rails route. But i get an invalid authenticity token error. How do I satisfy rails with an authenticity token since I understand that they are created by the Rails app itself and therefore would never exist outside of Rails?
Since this sounds like a separate app that you want to use to post data to a rails endpoint, you probably don't care about CSRF issues for the controller action that handles this. You could disable the authenticity token verification for your controller action with:
# inside your controller class
skip_before_action :verify_authenticity_token, only: [:your_wordpress_action]
I want to make a small API in Rails, so that when it gets a POST request the data sent is stored in database, when it gets a GET request it returns the data...so on. The problem that I'm facing is the authenticity_token. When I try to make a POST request I get Can't verify CSRF token authenticity. I don't want to disable the authenticity_token because I would like to use it as a key for being able to use the API. Is it possible to make it static? If not what is the proper way to create a private REST API in Rails.
You can add at the top of the controller hit by the API call : skip_before_filter :verify_authenticity_token
I have a Rails 3 app and I am using Warden for authentication.
It works fine but when I try to use AJAX(POST) access one of the controller the application log out my account and ask me to log in again.
This is because of the rails CSRF token validation. There are a few different ways to deal with this:
Hacky, dirty shortcut - just make the AJAX call use HTTP GET instead of POST. GET will not look for CSRF token by default
Another dirty shortcut - turn off CSRF validation for this particular action in your controller
protect_from_forgery :except => :create
Properly implement CSRF token with AJAX calls, there are many guides out there, for example this one or this one
I am currently working on an avatar app powered by Rails where users can upload avatars for their user profile.
I would like to use a custom HTTP header to block public upload requests and only allow requests from my apps. How would I go about doing this with Ruby on Rails?
I am uploading the avatars using AJAX so this may be a bit harder. Also I would prefer not to show the header in the public HTML code otherwise it defeats the object of adding it!
If you add
protect_from_forgery
to your application controller, it will block all NON Get requests from 3rd party links. It will add a hidden input value to each form with an authentication token that will be used to check all data that is sent to the servers.
Further reading
http://guides.rubyonrails.org/security.html#cross-site-request-forgery-csrf
http://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection.html
Rails 3.1 - CSRF ignored?
You could implement a custom HTTP header (say X-Foobar-Validity-Status: valid) and check it in a before_filter.
class YourController < ApplicationController
before_filter :check_header
def check_header
unless request.headers['X-Foobar-Validity-Status'] == "valid"
render json: {"error" => "You are an evil attacker. Go away"}
end
end
end
However, I would consider this a bad idea.
Attackers can read the packet dump of your HTTP requests and add the headers, even with jQuery. See the jQuery.ajax headers option.
Instead of using a proprietary header, I would use User-Agent for this purpose.
Instead, I would sugest using the protect_from_forgery mechanism of rails. It makes your life easier and is more secure. Just fetch the authenticy token by a http request in your app and then send it back with your request. This should keep intruders out.
How can I allow a specific server/url to send for example a post request if I have activated protect_from_forgery in a Ruby on Rails application?
Usually it is a desired behaviour that a Rails application blocks requests from other servers and so I also want to keep this functionality and I do not want to switch protect_from_forgery off. But I want to send a post request from an external application to my Rails application and so I would like to allow this specific application to send post requests. So I would need to either create an authenticity token that my application accepts in the remote application or I would need to add an exception for that specific remote server/url.
Is that possible and if yes - how?
skip_before_filter :verify_authenticity_token, :only => :action_name
and then have some other verification (HMAC, whatever) that you check in your application.