1

I am completing the Ruby Rails tutorial for a blog and when I try and submit a new post I am getting an ActionController::InvalidAuthenticityToken error from the browser.

I am new to Ruby Rails (hence why I am doing the tutorial) and I have been back through the examples and have looked at various other answers etc. and I cannot seem to find what the problem could be. I would like to understand the problem and how to fix it as part of learning.

This is what is shown in the extracted source:

    def handle_unverified_request
      raise ActionController::InvalidAuthenticityToken
    end
    end
    end

This is from the Server:

    Parameters: {"authenticity_token"=>"MijxdOhNKeov89oetl7Xa0KWpSZoeb3WAIuX0RECyIusjfjs/B5megtnH6JFOSG1G5K7g+csApABCn31UxdYGg==", "article"=>{"title"=>"po request" , "text"=>"I want to buy some cheese"}, "commit"=>"Save Article"}
    HTTP Origin header (https://3000-dot-4708054-dot-devshell.appspot.com) didn't match request.base_url (https://127.0.0.1:3000)
    Completed 422 Unprocessable Entity in 1ms (ActiveRecord: 0.0ms | Allocations: 499)
    ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken):

And this is the .erb for a new record:

<%= form_with scope: :article, url: articles_path, local: true do |form| %>
  <p>
    <%= form.label :title %><br>
    <%= form.text_field :title %>
  </p>

  <p>
    <%= form.label :text %><br>
    <%= form.text_area :text %>
  </p>

  <p>
    <%= form.submit %>
  </p>
<% end %>

<%= link_to 'Back', articles_path %>

  • Googling `ActionController::InvalidAuthenticityToken` gives this as the top result: https://stackoverflow.com/questions/3364492/actioncontrollerinvalidauthenticitytoken – Mark Nov 05 '19 at 12:26
  • Following that should fix your issue – Mark Nov 05 '19 at 12:26
  • Thanks Mark, I was a little unsure about the answer to this one as it suggests skipping the authentication and then being a vulnerability? I may have completely got the wrong end of the stick for this but I do not want to learn bad habits and would like to understand what is generating the token and why it is invalid? – Joseph Hall Nov 05 '19 at 13:02
  • That's fair - sorry I was probably a bit short in my comment - I'll write out a proper answer – Mark Nov 05 '19 at 13:15
  • Thanks Mark, Much appreciated :) – Joseph Hall Nov 05 '19 at 13:19

1 Answer

0

The authenticity token is used by Rails to ensure that requests come from the site Rails is expecting. When it generates a form, it includes the verification token for this purpose. There's a much better explanation of the history / why it's used here:

Understanding the Rails Authenticity Token

If you want to keep the checks in, then the short answer is to include

<%= form_authenticity_token %>

in any views that generate forms. This will ensure the correct token is in the form, and prevent the error from occurring.

Mark
  • Hi Mark, either I have placed the authenticity_token incorrectly or this has not fixed the problem. Upon further inspection I can see from the log that there is an IP match fail in the first part of the authentication here: HTTP Origin header (https://3000-dot-4708054-dot-devshell.appspot.com) didn't match request.base_url (https://127.0.0.1:3000) - could this be causing the issue because I am using google cloud shell so it is looking at an ip from the devshell.appspot rather than a traditional local ip like 127.0.0.1:3000? – Joseph Hall Nov 05 '19 at 17:31
  • I have found a lot of issues around this for people installing SSL etc and changing the format of the ip. I am going to try running this on my local machine later rather than cloud shell and see if I get the same problem. – Joseph Hall Nov 05 '19 at 17:45
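
The log line quoted in the question and in the comments above ("HTTP Origin header ... didn't match request.base_url") comes from a comparison that is separate from the form token. The following is an added example, not part of the original thread and not Rails' own source: a simplified Ruby model of that comparison, with hypothetical helper names (`base_url`, `origin_ok?`) and constructed request headers modelled on the log, assuming the proxy in front of the app rewrote `Host` to the backend address.

```ruby
# Simplified model of the Origin vs. base_url comparison seen in the log.
# Not Rails source; base_url and origin_ok? are hypothetical helpers.

# Rebuild the URL the app believes it is served from, using whichever
# headers the reverse proxy forwarded.
def base_url(env)
  scheme = env["HTTP_X_FORWARDED_PROTO"] || env.fetch("rack.url_scheme", "http")
  host   = (env["HTTP_X_FORWARDED_HOST"] || env["HTTP_HOST"]).split(/,\s*/).last
  "#{scheme}://#{host}"
end

# A missing Origin header is accepted (some user agents do not send one);
# a present one must match the app's own base URL exactly.
def origin_ok?(env)
  origin = env["HTTP_ORIGIN"]
  origin.nil? || origin == base_url(env)
end

# Constructed sample requests, modelled on the log in the question.
PROXY_HOST = "3000-dot-4708054-dot-devshell.appspot.com"

# Case from the log: browser sends the public origin, app sees the backend host.
REWRITTEN = {
  "HTTP_ORIGIN"            => "https://#{PROXY_HOST}",
  "HTTP_HOST"              => "127.0.0.1:3000",
  "HTTP_X_FORWARDED_PROTO" => "https"
}.freeze

# Same request if the proxy also forwarded the public host name.
FORWARDED = REWRITTEN.merge("HTTP_X_FORWARDED_HOST" => PROXY_HOST).freeze

# Direct request to a server running on the local machine, no proxy.
LOCAL = {
  "HTTP_ORIGIN"     => "http://localhost:3000",
  "HTTP_HOST"       => "localhost:3000",
  "rack.url_scheme" => "http"
}.freeze

{ "rewritten" => REWRITTEN, "forwarded" => FORWARDED, "local" => LOCAL }.each do |name, env|
  verdict = origin_ok?(env) ? "accepted" : "rejected"
  puts "#{name}: origin=#{env['HTTP_ORIGIN']} base_url=#{base_url(env)} -> #{verdict}"
end
```

In this model the `rewritten` request is rejected whatever token the form carries, because the two URLs are compared before the token matters. A forwarded host header should only be honoured when it is set by a proxy the application trusts.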