There are a few things going on with `ActionController::InvalidAuthenticityToken`, let's get into it!
First of all, `ActionController` is the class which all "controllers" in Ruby on Rails inherit from, and it comes with a lot of functionality built in, such as checking whether an authenticity token is valid. Because Rails prefers convention over configuration and is highly opinionated, this behavior is on by default rather than something you have to import.
We get this error when the controller detects that a CSRF (Cross-Site Request Forgery) token was not properly passed along with a `POST`, `PUT`, `PATCH`, or `DELETE` request. These are the kinds of requests that typically send new data to the server, so the server needs to verify that the request was legitimately made on behalf of a user of the website.
Read more about CSRF and related vulnerabilities here: "CORS, XSS and CSRF with examples in 10 minutes" by Aleksandar Maletic (Dec 23 '19).
When we use `form_for` or a related tag helper in Rails, it magically adds an `authenticity_token` parameter to the request. So if you submit a plain HTML form without manually adding a properly generated CSRF authenticity token (the one generated by the initial request), you're going to get the `InvalidAuthenticityToken` error.
Sometimes we'll legitimately want to skip this behavior when we know we don't need the check. That can be done, with caution, like this...

```ruby
skip_before_action :verify_authenticity_token
```
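To make the check concrete, here is an added, stand-alone Ruby example (not Rails' own code) modelled on how Rails produces the `authenticity_token` and how `verify_authenticity_token` validates it: a random raw token lives in the session, each rendered form gets a freshly masked copy, and state-changing requests must present a token that unmasks to the session's value. The helper names (`mask_token`, `valid_token?`, `request_allowed?`) are assumptions for this example.

```ruby
require 'securerandom'
require 'base64'

# Length of the raw per-session token (Rails also uses 32 bytes).
TOKEN_LENGTH = 32

# The raw token Rails keeps in the session cookie for the user.
def generate_raw_token
  SecureRandom.random_bytes(TOKEN_LENGTH)
end

def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

# Mask the raw token with a one-time pad so each rendered form carries a
# different value (this is what form_for puts in the authenticity_token field).
def mask_token(raw)
  pad = SecureRandom.random_bytes(TOKEN_LENGTH)
  Base64.strict_encode64(pad + xor_bytes(pad, raw))
end

# Constant-time comparison so a mismatch does not leak where it differed.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# What the verification step does: decode, unmask, compare with the session.
def valid_token?(session_raw, submitted)
  return false if session_raw.nil? || submitted.nil?
  decoded = begin
    Base64.strict_decode64(submitted)
  rescue ArgumentError
    return false # malformed token, treated like a missing one
  end
  return false unless decoded.bytesize == TOKEN_LENGTH * 2
  pad = decoded[0, TOKEN_LENGTH]
  masked = decoded[TOKEN_LENGTH, TOKEN_LENGTH]
  secure_compare(xor_bytes(pad, masked), session_raw)
end

# Mirrors the controller rule from the post: GET/HEAD pass through, while
# POST/PUT/PATCH/DELETE must carry a token matching the session's raw token.
# A false result here is where Rails raises InvalidAuthenticityToken.
def request_allowed?(method, session_raw, submitted_token)
  return true if %w[GET HEAD].include?(method.upcase)
  valid_token?(session_raw, submitted_token)
end
```

A form token from one session fails against another session's raw token, which is exactly why a forged cross-site POST without the user's token is rejected.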
For a bit more information on some of the concepts outlined here, check out this post: "Understanding the basics of Ruby on Rails: HTTP, MVC, and Routes" by TK (Dec 8 '18).
Happy coding ❤️