
I'm running an app with Rails 5.2 in development mode on an nginx server. Everything works locally, but after I push it to my remote server and start the Rails server, I can't create, edit or delete records. I get a Rails error that says: "ActionController::InvalidAuthenticityToken"

Oddly, this only happens when I'm using a Chrome browser. Everything works fine in Firefox or Edge. These are the parameters that are sent with a delete request:

```
{"utf8"=>"✓",
 "authenticity_token"=>"blahblahblah",
 "service_line_item"=>{"title"=>"a", "body"=>""},
 "commit"=>"create",
 "service_id"=>"2",
 "service_type"=>"1"}
```

As you can see there is clearly an authenticity token. And when I compare it to the token that loads in the HTML, it matches. All my forms use the form_for helpers.

Here is the log from my server:

```
Started POST "/zoom/services/new-line-item?service_id=2&service_type=2" for 127.0.0.1 at 2019-01-25 22:55:42 +0000
Processing by ServicesController#new_line_item as HTML
  Parameters: {"utf8"=>"✓", "authenticity_token"=>"blahblahblah", "service_line_item"=>{"title"=>"a", "body"=>""}, "commit"=>"create", "service_id"=>"2", "service_type"=>"1"}
HTTP Origin header (https://dev.mysite.com) didn't match request.base_url (http://localhost:3000)
Completed 422 Unprocessable Entity in 0ms (ActiveRecord: 0.0ms)
```

I've tried all the obvious things like reloading my server, deleting cookies and hard refreshing the page, but nothing works. Any help would be hugely appreciated.

Jordan Lagan
  • Hey, welcome to SO! You really shouldn't show that token to anyone (this question included) if it's something you're using in production. – Jake Jan 27 '19 at 02:22
  • Thanks @Jake, it's not being used in production yet, just for development. Why is it bad for people to see the token? I thought it would stop being valid after the session ends. – Jordan Lagan Jan 27 '19 at 03:16
  • Take a look at this question, maybe it's the same issue: https://stackoverflow.com/questions/47608336/rails-ssl-issue-https-example-com-didnt-match-request-base-url-http-exa – Yurii Verbytskyi Jan 27 '19 at 03:50
  • Thanks for your comment @Yuriy, but I don't think it's the same issue, that post doesn't even mention the error I'm getting. – Jordan Lagan Jan 27 '19 at 04:00
  • You are getting `HTTP Origin header (https://dev.mysite.com) didn't match request.base_url (http://localhost:3000)` – Yurii Verbytskyi Jan 27 '19 at 04:01
  • Oh, okay. I was thinking it was a key for some reason. It should be fine if it expires after each session then, sorry for the alarm! – Jake Jan 28 '19 at 11:50
  • @YuriyVerbitskiy yes, but even so the actual error message that comes up is ActionController::InvalidAuthenticityToken, and that question doesn't even mention that. Furthermore, in that example the error is `(https://example.com) didn't match request.base_url (http://example.com)` on the same domain of 'example.com', but mine goes from my dev site's URL to localhost for some reason. If my problem was related to my SSL settings, then I wouldn't be able to create or edit records with any browser, but as it stands I can create and edit records with Firefox and Edge; only Chrome has a problem. – Jordan Lagan Jan 28 '19 at 14:26
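
The `HTTP Origin header ... didn't match request.base_url` line in the log is Rails comparing the browser's Origin header with the URL the app reconstructs for itself. The following is an added example, not code from the question or from Rails: a simplified Ruby model of that comparison using the hostnames from the log. The env hashes, the request that omits Origin (assumed here for the browsers that worked), and the nginx directives named in the comments are assumptions.

```ruby
# Simplified model of the Origin check that produced the 422 in the log.
# Not Rails source code; the env hashes below are constructed sample requests.

# URL the app believes it is served from, rebuilt from what the proxy passes on.
def base_url(env)
  scheme = env["HTTP_X_FORWARDED_PROTO"] || env.fetch("rack.url_scheme", "http")
  host   = env["HTTP_X_FORWARDED_HOST"] || env.fetch("HTTP_HOST")
  "#{scheme}://#{host}"
end

# Returns [verdict, reason]. A missing Origin header skips the comparison,
# so only clients that send Origin on the POST can fail it.
def origin_check(env)
  origin = env["HTTP_ORIGIN"]
  return [:ok, "no Origin header, comparison skipped"] if origin.nil?
  return [:rejected, "Origin header is null"] if origin == "null"

  base = base_url(env)
  return [:ok, "Origin matches #{base}"] if origin == base

  [:rejected, "HTTP Origin header (#{origin}) didn't match request.base_url (#{base})"]
end

# Proxy passes the upstream address as Host and no forwarded scheme.
UPSTREAM_ONLY = { "HTTP_HOST" => "localhost:3000", "rack.url_scheme" => "http" }.freeze

# Assumed proxy-side fix: forward the public Host and the original scheme
# (in nginx: proxy_set_header Host $host; proxy_set_header X-Forwarded-Proto $scheme;).
FORWARDED = { "HTTP_HOST" => "dev.mysite.com", "rack.url_scheme" => "http",
              "HTTP_X_FORWARDED_PROTO" => "https" }.freeze

PUBLIC_ORIGIN = "https://dev.mysite.com"

SCENARIOS = {
  "Origin sent, proxy headers missing"    => UPSTREAM_ONLY.merge("HTTP_ORIGIN" => PUBLIC_ORIGIN),
  "Origin omitted, proxy headers missing" => UPSTREAM_ONLY,
  "Origin sent, proxy headers forwarded"  => FORWARDED.merge("HTTP_ORIGIN" => PUBLIC_ORIGIN),
}.freeze

SCENARIOS.each do |name, env|
  verdict, reason = origin_check(env)
  puts "#{name}: #{verdict} (#{reason})"
end
```

The first scenario reproduces the log message verbatim; the second shows why a valid authenticity token is not enough once an Origin header is present and the proxy hides the public host and scheme.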

0 Answers