
Now I use an Arduino to send data to Rails in JSON format. But how do I get the authenticity_token and send it to Rails? Where should it be written? In the JSON or in an HTTP header? What should the format be?

If I add

    protect_from_forgery :except => :create

in the controller it works fine. But I do not want to disable the CSRF protection. This is my Arduino code:

    // Request line and headers, written one line at a time over the open TCP client
    client.println("POST /players.json HTTP/1.1");
    client.println("Host: 192.168.1.3:3000");
    client.println("User-Agent: Arduino/1.0");
    // The CSRF token, sent here as two custom headers
    client.println("csrf-param: authenticity_token");
    client.println("csrf-token: V4gTh8yNdz9VMybUXkI6tHxzAHdfk3I+UoiXhxZWK0bkoh8iG5hVJ5sZOjzMAYLlwCwsXQQM102b1hF6TVyYJw==");
    client.println("Connection: close");
    client.println(lengthInfo);                   // the Content-Length header, built earlier in the sketch
    client.println("Content-Type: application/json");
    client.println();                             // blank line ends the headers
    root.printTo(client);                         // ArduinoJson: write the JSON object as the body

root.printTo(client) just sends the JSON.

I found a similar question:

HTTP request to update rails model from arduino

@Okomikeruko Did you figure out how to send an authenticity token from an Arduino?

zix
  • Can you show the code of your JSON API? – CfourPiO Aug 21 '16 at 07:56
  • Please add a description of the authentication strategy too. – Bustikiller Aug 21 '16 at 08:21
  • @Bustikiller I just use the Rails CSRF protection. But I do not use a browser. My English is poor. http://stackoverflow.com/questions/941594/understanding-the-rails-authenticity-token is what I use. – zix Aug 21 '16 at 08:35
  • The CSRF token is an extra security check for session-based authentication. Are you creating a session from the Arduino? – Bustikiller Aug 21 '16 at 08:43
  • I think I have not. And I don't know how to do it. And even if I create it, I think I also need to send the authenticity_token. Then how do I send it? – zix Aug 21 '16 at 08:46

1 Answer

The authenticity token is a security check for session-based authentication strategies. What it basically does is check that the user who fills in a web form is the same user that was logged in (and avoid XSS attacks).

However, in my opinion this authentication strategy is not the best option for public APIs. In your case I would do one of the following:

  • Session based authentication. The first API request should be a POST request to the users controller. If this request is successful, the response should return a session cookie that you can use to authenticate your following requests (until the session is over).

  • Token based authentication. You can create a unique random n-char string (maybe 80 chars?) which would be the secret API key for each user. After that, each API request should include this key as a parameter in order to tell the controller "It's me".

Please note that the controllers you will use in your API queries are different from the ones you use in your web navigation. In my projects I usually have a folder "app/controllers/v1" to store the controllers used in the first version of my API.

Bustikiller
  • That helps me a lot. I can understand how to do it now. But I think I have a lot to learn to do it. – zix Aug 21 '16 at 09:11
  • I have a sample API with a token-based authentication scheme. I have written the client side with EventMachine and Arduino Firmata, where it receives data from the Arduino and sends it to the API with the token. If you need help, tell me. :D – CfourPiO Aug 21 '16 at 10:11
  • @tGeek That's great if you can help me. I use Arduino a lot and have just begun learning Rails. I think Ruby on Rails is very interesting. – zix Aug 21 '16 at 13:37
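The answer's second option (a per-user secret API key sent with every request, no session and no CSRF token) worked through end to end, as an added example that is not code from the question, the answer, or Rails. It assumes the key travels in an `Authorization: Bearer <key>` header rather than as a query parameter, that the server keeps only a SHA-256 digest of each key, and it uses made-up names (`ApiKeyAuth`, `handle_create_player`, `arduino_request`, device `arduino-1`). The small request parser stands in for what Rails does before a controller action runs; the request string is constructed the way the sketch in the question writes its lines.

```ruby
require 'securerandom'
require 'digest'
require 'json'

# Token-based API authentication for an Arduino client (added example, not from the
# page). The device presents a per-device key in an Authorization header; the server
# stores only a SHA-256 digest of each key, so no session cookie and no CSRF token
# are involved. Names below (ApiKeyAuth, handle_create_player, ...) are assumptions.
module ApiKeyAuth
  KEY_BYTES = 32 # 256 bits of entropy; urlsafe_base64 encodes this as 43 characters

  # Issue a key for one device. The plaintext is shown once (to flash onto the
  # Arduino); only the digest is kept server-side.
  def self.issue_key
    raw = SecureRandom.urlsafe_base64(KEY_BYTES)
    [raw, digest(raw)]
  end

  def self.digest(raw)
    Digest::SHA256.hexdigest(raw)
  end

  # Resolve the caller from an "Authorization: Bearer <key>" header. Hashing before
  # the lookup means a leaked table contains no usable keys, and a hash-table lookup
  # does not leak how many leading bytes matched the way a plain string compare can.
  def self.authenticate(authorization_header, users_by_digest)
    m = /\ABearer ([A-Za-z0-9_-]{43})\z/.match(authorization_header.to_s)
    return nil unless m
    users_by_digest[digest(m[1])]
  end
end

# Minimal parser for a request built the way the sketch in the question builds it:
# request line, header lines, blank line, JSON body. (Rails does this for you.)
def parse_http_request(raw)
  head, body = raw.split("\r\n\r\n", 2)
  request_line, *header_lines = head.split("\r\n")
  verb, path = request_line.split(' ')
  headers = header_lines.to_h { |line|
    name, value = line.split(':', 2)
    [name.strip.downcase, value.to_s.strip]
  }
  { verb: verb, path: path, headers: headers, body: body.to_s }
end

# What a create action for /players.json would do with such a request:
# authenticate first, then validate the JSON. Returns [status, response_hash].
def handle_create_player(raw_request, users_by_digest)
  req = parse_http_request(raw_request)
  owner = ApiKeyAuth.authenticate(req[:headers]['authorization'], users_by_digest)
  return [401, { 'error' => 'unauthorized' }] unless owner

  player = JSON.parse(req[:body])
  unless player.is_a?(Hash) && player['name'].is_a?(String)
    return [422, { 'error' => 'name is required' }]
  end

  [201, { 'owner' => owner, 'name' => player['name'], 'score' => player['score'].to_i }]
rescue JSON::ParserError
  [400, { 'error' => 'body is not valid JSON' }]
end

# The request the Arduino would send, with the key in place of the CSRF headers
# from the question. Built as a string here so the whole flow runs offline.
def arduino_request(key, json)
  [
    'POST /players.json HTTP/1.1',
    'Host: 192.168.1.3:3000',
    'User-Agent: Arduino/1.0',
    "Authorization: Bearer #{key}",
    "Content-Length: #{json.bytesize}",
    'Content-Type: application/json',
    'Connection: close',
    '',
    json
  ].join("\r\n")
end

# Constructed sample data: provision one device and exercise the endpoint.
DEVICE_KEY, DEVICE_DIGEST = ApiKeyAuth.issue_key
USERS_BY_DIGEST = { DEVICE_DIGEST => 'arduino-1' }.freeze

if $PROGRAM_NAME == __FILE__
  p handle_create_player(arduino_request(DEVICE_KEY, '{"name":"zix","score":7}'), USERS_BY_DIGEST)
  p handle_create_player(arduino_request('x' * 43, '{"name":"zix"}'), USERS_BY_DIGEST)
end
```

In a real Rails app the `authenticate` step is what `authenticate_or_request_with_http_token` (from `ActionController::HttpAuthentication::Token::ControllerMethods`) does for you, and the API controller would use `protect_from_forgery with: :null_session` instead of the `:exception` strategy, so a request that carries no session is simply given an empty one rather than rejected for a missing CSRF token. The key itself should only ever travel over TLS; on a plain HTTP connection like the one in the question anyone on the network can read it.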