There are a few things going on with ActionController::InvalidAuthenticityToken, so let's get into it!
First of all, ActionController is the class which all "controllers" in Ruby on Rails inherit from, and it comes with a lot of functionality built in, such as checking whether an authenticity token is valid. Because Rails prefers convention over configuration and is highly opinionated, this behavior is on by default rather than being something you have to import.
We get this error when the controller detects that a CSRF (Cross-Site Request Forgery) token was not properly passed in with a POST, PUT, PATCH, or DELETE request. These are the types of requests that typically send new data to the server, so Rails needs to verify that they were made legitimately on behalf of the user of the website.
Read more about CSRF and related vulnerabilities here: "CORS, XSS and CSRF with examples in 10 minutes" by Aleksandar Maletic (Dec 23 '19).
When we use a form_for or related tag in Rails, an authenticity_token is automatically passed as a parameter along with the request. So if you submit a plain HTML form without manually adding a properly generated CSRF authenticity token (the one generated for the initial request), you're going to get the InvalidAuthenticityToken error.
Sometimes we'll legitimately want to skip this behavior when we know the check isn't needed. That can be done, with caution, like this...
skip_before_action :verify_authenticity_token
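To make the check concrete, here is a small pure-Ruby sketch of what verify_authenticity_token has to decide. It is an added illustration, not code from this post or from Rails itself: it models the approach Rails takes (the session holds a raw 32-byte token, the hidden form field carries that token XOR-masked with a fresh one-time pad, and the comparison is constant-time), but the helper names masked_token, valid_authenticity_token?, verified_request? and secure_compare are my own, and the sample tokens are constructed in the script.

```ruby
require 'securerandom'
require 'base64'

# Simplified model of the check behind ActionController::InvalidAuthenticityToken.
# Illustration only: the helper names here are assumptions, not Rails' own methods.
# The real token is stored in the session; the value that form_for writes into the
# hidden authenticity_token field is masked with a fresh random one-time pad, so
# every response carries a different-looking token for the same session.
TOKEN_LENGTH = 32

# XOR two equal-length byte strings.
def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

# What the form carries: base64(pad || (pad XOR raw_token)).
def masked_token(raw_token)
  pad = SecureRandom.random_bytes(TOKEN_LENGTH)
  Base64.urlsafe_encode64(pad + xor_bytes(pad, raw_token))
end

# Constant-time comparison so response timing does not leak how many
# leading bytes of a submitted value matched the session token.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Unmask a submitted token and compare it with the session's raw token.
# Any failure here is the point at which Rails raises InvalidAuthenticityToken.
def valid_authenticity_token?(session_token, submitted)
  return false if session_token.nil? || submitted.nil?
  decoded = begin
    Base64.urlsafe_decode64(submitted)
  rescue ArgumentError
    return false                                   # not base64 at all
  end
  # This model accepts masked (pad + ciphertext) tokens only.
  return false unless decoded.bytesize == TOKEN_LENGTH * 2
  pad = decoded[0, TOKEN_LENGTH]
  encrypted = decoded[TOKEN_LENGTH, TOKEN_LENGTH]
  secure_compare(xor_bytes(pad, encrypted), session_token)
end

# GET and HEAD are exempt; the state-changing verbs named in the post must
# carry a token that unmasks to the session's value.
def verified_request?(method, session_token, params)
  return true if %w[GET HEAD].include?(method)
  valid_authenticity_token?(session_token, params['authenticity_token'])
end

if __FILE__ == $0
  session_token = SecureRandom.random_bytes(TOKEN_LENGTH)   # constructed: what the session holds
  form_token = masked_token(session_token)                  # constructed: what form_for would emit
  foreign_token = masked_token(SecureRandom.random_bytes(TOKEN_LENGTH))
  puts "POST with the form's token:  #{verified_request?('POST', session_token, { 'authenticity_token' => form_token })}"
  puts "POST with no token:          #{verified_request?('POST', session_token, {})}"
  puts "POST with a foreign token:   #{verified_request?('POST', session_token, { 'authenticity_token' => foreign_token })}"
  puts "GET without a token:         #{verified_request?('GET', session_token, {})}"
end
```

Running the file shows the form-supplied token being accepted while a missing or foreign token is rejected, which is exactly the situation the error reports. When you do reach for skip_before_action, scoping it with only: to the specific actions that need it, or using protect_from_forgery with: :null_session for API endpoints, keeps the check in place everywhere else.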
For a bit more information on some concepts outlined here, check out this post: "Understanding the basics of Ruby on Rails: HTTP, MVC, and Routes" by TK (Dec 8 '18).
Happy coding ❤️
Top comments (5)
The behavior I was getting was ActionController::InvalidAuthenticityToken Error for no good reason. Tried a bunch of different things in my application_controller, none worked consistently. What I found was with SR-enabled rails apps, you want to a) turn on caching in development and b) flush that cache if you are trying out different SR-enabled rails apps by toggling rails dev:cache a few times then doing rails s. This especially works if you try running a second SR-enabled rails app, either one after another or both at the same time (on different rails instances, using rails s -p 3001).
This particular rat hole is easy to fall into and very, very hard to climb out of.
Interesting timing on this, as we're experiencing strange behaviour from StimulusReflex apps that don't have caching enabled in development. They are seeing "Invalid Authenticity Token" errors. Thing is, we can't really figure out why the caching mechanism would impact any of this.
github.com/hopsoft/chatter/issues/2
I thought I had misconfigured everything but I'm struggling with this issue too. I am using oauth as well as devise, and both seem to be struggling with maintaining any kind of persisting session, making development much slower than it needs to be.
In case anyone gets these errors in their exception handling software (like e.g. Bugsnag): They are usually bots or crawlers trying to access parts of your app without properly sending the authenticity token with the request. In this case these exceptions can usually be ignored.
If you run into this while using Stimulus Reflex, please bear in mind that if, as instructed by Stimulus Reflex, you set config.cache_store = :redis_cache_store and config.session_store :cache_store, the Redis server must be up, otherwise you will get an InvalidAuthenticityToken error.