
I would like to do a new user signup via JSON but I get an invalid authenticity token error.

I would like to not turn off the forgery check for all controllers. Any suggestions on how to override the RegistrationsController to do this?

Here is my code:

class Api::MobileRegistrationsController < Devise::RegistrationsController
  # Disable the CSRF check for this controller only, not application-wide
  skip_before_filter :verify_authenticity_token
  respond_to :json

  def create
    super
  end
end

Routes:

Whitney::Application.routes.draw do
  resources :apps
  devise_for :users
  namespace :api do
    resources :tokens, :only => [:create, :destroy]
    resources :MobileRegistrations, :only => [:create]
  end
end

I get an error:

Routing Error
uninitialized constant Api::MobileRegistrationsController
the Tin Man
user1174995

3 Answers

I can't encourage you in this way, because your app will be vulnerable to CSRF attacks.

A good resource to understand CSRF: Understanding the Rails Authenticity Token

You should rather include the authenticity_token in your POST request. This is discussed in some questions on SO, like this one (read all the answers): rails - InvalidAuthenticityToken for json/xml requests

The idea:

  1. Retrieve the token with <%= form_authenticity_token %>

  2. Add an authenticity_token POST param to your request with the token.

If you pass the param by URI, don't forget to encode the token value (the ERB output must be quoted so JavaScript sees a string):

url += "&authenticity_token=" + encodeURIComponent("<%= form_authenticity_token %>");
Thomas Guillory
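The token round-trip this answer describes, as an added example that is not from the question or any answer on this page: a self-contained Ruby model of how Rails' protect_from_forgery compares a non-GET request against the token stored in the session, exercised with the JSON signup sent with the token as a POST param, as the X-CSRF-Token header, without any token, and with a guessed one. The CsrfGuard class, the token_query_param and simulate_signup helpers, the session hash and the signup payload are my own constructions; only the param name, the header name and the shape of the check follow Rails.

```ruby
# Added example: a stand-alone model of the Rails authenticity-token check.
# Names and data below are constructed for illustration; they are not Rails APIs.
require "securerandom"
require "uri"

class CsrfGuard
  PARAM  = "authenticity_token"   # param name Rails' protect_from_forgery reads
  HEADER = "X-CSRF-Token"         # header alternative Rails also accepts

  # Server side: one random token per session, created on first use, which is
  # what form_authenticity_token does for a real Rails session.
  def self.form_authenticity_token(session)
    session[:_csrf_token] ||= SecureRandom.base64(32)
  end

  # Constant-time comparison so a rejected token does not reveal how many
  # leading bytes were correct.
  def self.secure_compare(a, b)
    return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Mirrors the shape of Rails' verified_request?: safe methods are exempt,
  # everything else must carry the session's token as a param or as the header.
  def self.verified_request?(session, method:, params: {}, headers: {})
    return true if %w[GET HEAD].include?(method.upcase)
    expected = session[:_csrf_token]
    return false if expected.nil?          # this session was never issued a token
    secure_compare(expected, params[PARAM].to_s) ||
      secure_compare(expected, headers[HEADER].to_s)
  end
end

# Client side: a token embedded via <%= form_authenticity_token %> is base64 and
# so contains '+', '/' and '='; it must be URL-encoded when sent in a query string.
def token_query_param(token)
  "#{CsrfGuard::PARAM}=#{URI.encode_www_form_component(token)}"
end

# Worked exchange: the same JSON signup with and without a valid token.
def simulate_signup
  session = {}                                          # constructed session store
  token = CsrfGuard.form_authenticity_token(session)    # step 1: retrieve the token
  signup = { "user" => { "email" => "new@example.test", "password" => "secret123" } } # constructed payload

  with_param = CsrfGuard.verified_request?(             # step 2: token as POST param
    session, method: "POST", params: signup.merge(CsrfGuard::PARAM => token))
  with_header = CsrfGuard.verified_request?(            # or as the header
    session, method: "POST", params: signup, headers: { CsrfGuard::HEADER => token })
  without = CsrfGuard.verified_request?(session, method: "POST", params: signup)
  guessed = CsrfGuard.verified_request?(                # a token the client made up
    session, method: "POST", params: signup.merge(CsrfGuard::PARAM => SecureRandom.base64(32)))

  { with_param: with_param, with_header: with_header, without: without, guessed: guessed }
end

if __FILE__ == $0
  puts simulate_signup.inspect
  puts token_query_param(CsrfGuard.form_authenticity_token({}))
end
```

Run it with `ruby csrf_roundtrip.rb`: only the requests that present the session's own token pass, which is the property skipping verify_authenticity_token gives up.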

For your error

Routing Error uninitialized constant Api::MobileRegistrationsController

it indicates your controller is not in the correct folder. Because you are using

namespace :api do
  resources :tokens, :only => [:create, :destroy]
  resources :MobileRegistrations, :only => [:create]
end

You need to put your MobileRegistrations controller into the controllers/api folder, or you can use

scope "/api" do
  resources :MobileRegistrations, :only => [:create]
end
Zitao Xiong

You could build your own controller that does not derive from a Devise controller.

class UserSignupApiController < ApplicationController
  # Signup must be reachable without an existing login
  skip_before_filter :authenticate_user!
  respond_to :json

  def create
    # Create the user directly from the submitted params, as in the Rails console
    @user = User.create(params[:user])
    respond_with(@user)
  end
end

I think you get the idea. You just instantiate your User just like you would do in the Rails console. I do not recommend this kind of practice though.

rpechayr