
In my Rails blog app I get this error message when trying to submit the form for a new post:

ActionController::InvalidAuthenticityToken in PostsController#create ActionController::InvalidAuthenticityToken Extracted source (around line #211):

      def handle_unverified_request
        raise ActionController::InvalidAuthenticityToken
      end
    end
  end

This is my posts_controller.rb file:

class PostsController < ApplicationController
  def index
  end

  # Nothing is assigned here; the form below uses form_for :post with an explicit url.
  def new
  end

  def create
    @post = Post.new(post_params)
    @post.save

    redirect_to @post
  end

  # Note: the instance variable is named @show here, while the show view reads @post.
  def show
    @show = Post.find(params[:id])
  end

  private
    def post_params
      params.require(:post).permit(:title, :body)
    end
end

This is my form code:

<font color="#BD004B"><h1>New Post<br></h1></font>

<%= form_for :post, url: posts_path do |f| %>
  <p>
    <%= f.label :title %><br>
    <%= f.text_field :title %>
  </p>
  <p>
    <%= f.label :body %><br>
    <%= f.text_area :body %>
  </p>
  <p>
    <%= f.submit %>
  </p>
<% end %>
  • Can you share the code of your form? – D1ceWard Jun 04 '18 at 10:58
  • It can be either a missing part of the view or a missing callback method in the controller that skips the authenticity action for post/put/delete requests. So, as @D1ceWard asked, please share the view code, and I would ask to see the `application_controller.rb` code as well. – radoAngelov Jun 04 '18 at 11:29
  • @D1ceWard I have posted the form code – Jack Carter Jun 04 '18 at 11:39
  • @radoAngelov I have posted the form code – Jack Carter Jun 04 '18 at 11:39
  • That's not a `form`, it's a show page. Post the contents of `posts/_form` – Deepak Mahakale Jun 04 '18 at 11:44
  • But you need a "Submit" form that creates a new Post. Shared view code doesn't bring value to the question :( – radoAngelov Jun 04 '18 at 11:49
  • @radoAngelov sorry, I pasted the wrong file without thinking, added the form code now – Jack Carter Jun 04 '18 at 11:50
  • Check if you have `` in your main application layout. If this isn't in the main layout you will need it in any page that you want a CSRF token on, like the POST form. – radoAngelov Jun 04 '18 at 11:53
  • I have that in my `application.html.erb` file – Jack Carter Jun 04 '18 at 11:57
  • Ok, try adding `skip_before_action :verify_authenticity_token` to your `application_controller.rb` file. – radoAngelov Jun 04 '18 at 11:59
  • Take a look at https://stackoverflow.com/questions/3364492/actioncontrollerinvalidauthenticitytoken?rq=1 – ldeld Jun 04 '18 at 12:07
  • @ldeld what section of the post? – Jack Carter Jun 04 '18 at 12:10
  • @radoAngelov that stopped the error but now I get another one: `undefined method 'title' for nil:NilClass` from my show file, the highlighted line is `` – Jack Carter Jun 04 '18 at 12:21
  • @radoAngelov `skip_before_action :verify_authenticity_token` skips the token verification, which is a security issue and btw not a solution; we need more information like the whole content of new/_form, routing related to post and the Rails version, because for now everything looks fine – D1ceWard Jun 04 '18 at 12:45
  • `undefined method 'title' for nil:NilClass` is because your instance variable in your controller is called `@show`, not `@post` – D1ceWard Jun 04 '18 at 12:49
  • @D1ceWard what other information do you need? – Jack Carter Jun 04 '18 at 12:51
  • Just read above: whole content of new/_form, routing related to post and Rails version – D1ceWard Jun 04 '18 at 12:52
  • @D1ceWard should I change `@show` to `@post` or `` to ``? – Jack Carter Jun 04 '18 at 12:56
  • @radoAngelov `` are only used for `remote: true` ajax requests. Normally the meta tags are sent via a hidden input. Can you give an example of the params from running `tail -f log/development.log`? – max Jun 04 '18 at 14:43
  • But I would consider if you really should try either creating a separate branch in git or spinning up a new Rails app and running the scaffold generator to get a picture of what a Rails CRUD controller should look like. `rails g scaffold post title body:text` – max Jun 04 '18 at 14:45

1 Answer


As others pointed out, skipping verify_authenticity_token is not an option and opens big holes in your app's security.

The exception normally turns up in two cases: your session has run out, or the form is sent via AJAX without the csrf_meta_tags.

The proper solution for the problem is to rescue the exception and reset the user's session like so:

class ApplicationController < ActionController::Base
  # Instead of skipping verification, treat a failed CSRF check as a stale or
  # forged session: drop it, tell the user, and send them back to the start.
  rescue_from ActionController::InvalidAuthenticityToken do
    logger.info "Compromised session found."
    reset_session
    flash[:error] = "Your session has expired"
    redirect_to root_path # or new_user_session_path
  end
end
– Thomas R. Koll
  • I removed it from my `application_controller.rb` file and there is no difference to the functionality of my app, so I'll leave it out – Jack Carter Jun 04 '18 at 17:09
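As an added illustration, not Rails' own code and not from the answer above, here is a toy re-implementation in plain Ruby of the masked-token check that `verify_authenticity_token` performs, followed by a create-style handler that resets the session on failure instead of skipping the check. The session is a plain Hash, and all method names are assumptions for this example.

```ruby
require "securerandom"
require "base64"

# Toy model of Rails' CSRF token scheme (added example, not Rails' code).
TOKEN_LENGTH = 32

class InvalidAuthenticityToken < StandardError; end

# Per-session secret, created lazily and stored as urlsafe base64, as Rails does.
def real_csrf_token(session)
  session[:_csrf_token] ||= SecureRandom.urlsafe_base64(TOKEN_LENGTH)
  Base64.urlsafe_decode64(session[:_csrf_token])
end

def xor_byte_strings(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack("C*")
end

# Constant-time comparison so a mismatch cannot be timed byte by byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# What the hidden authenticity_token input carries: the secret XORed with a fresh
# one-time pad and prefixed by that pad, so every rendered form gets a new value.
def masked_authenticity_token(session)
  raw = real_csrf_token(session)
  pad = SecureRandom.random_bytes(TOKEN_LENGTH)
  Base64.urlsafe_encode64(pad + xor_byte_strings(pad, raw))
end

# Unmask and compare; anything missing, malformed or mismatched fails closed.
def valid_authenticity_token?(session, encoded)
  return false unless encoded.is_a?(String) && !encoded.empty?
  masked = Base64.urlsafe_decode64(encoded)
  return false unless masked.bytesize == TOKEN_LENGTH * 2
  pad, encrypted = masked[0, TOKEN_LENGTH], masked[TOKEN_LENGTH, TOKEN_LENGTH]
  secure_compare(xor_byte_strings(pad, encrypted), real_csrf_token(session))
rescue ArgumentError # not valid base64
  false
end

# Equivalent of the answer's rescue_from block for a POST: a failed check
# discards the (possibly stale) session and rejects the request.
def handle_post(session, params)
  unless valid_authenticity_token?(session, params["authenticity_token"])
    session.clear
    raise InvalidAuthenticityToken, "session reset, please resubmit the form"
  end
  :created
end
```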