
Comments (13)

richardvenneman commented on May 12, 2024

@duboff did you manage to get this to work? I tried everything from monkey patching to forking and removing the protect_from_forgery directive as well as inheriting from ActionController::Base. I always ended up with the following error:

{"status":500,"error":"Internal Server Error","exception":"#\u003cActionView::Template::Error: undefined local variable or method `new_query_path' for #\u003c#\u003cClass:0x007fb3f86eb2d0\u003e:0x007fb3f6e95a00\u003e\u003e","traces":{"Application Trace":[{"id":88,"trace":"appsignal (2.1.0) lib/appsignal/rack/rails_instrumentation.rb:16:in `call'"}]

Really hope someone has gotten Blazer to work with rails-api!

from blazer.

ankane commented on May 12, 2024

It probably makes sense to keep the application default, in which case you'd want to exclude verify_authenticity_token from the skip_filter list.


gen0cide commented on May 12, 2024

@ankane - Any hesitation accepting this PR? Would rather not be using a fork :)


ankane commented on May 12, 2024

Yeah, my previous comment was never addressed. Thinking about it again, I'm not sure it makes sense. What CSRF protection method would you use instead?


duboff commented on May 12, 2024

@ankane I am sorry for not following up on this but I did not quite understand what you meant in the previous comment. Would be very keen to reopen discussions. I would think Blazer should just respect the application default.

@gen0cide you don't necessarily need a fork. We just have a Blazer::BaseController with:

protect_from_forgery with: :null_session


ankane commented on May 12, 2024

Hey @duboff, no worries. How are you doing authentication?


duboff commented on May 12, 2024

We use Clearance gem for the admin pages which Blazer is a part of.


ankane commented on May 12, 2024

I'll follow up over email since this involves security.


duboff commented on May 12, 2024

We do have it working, however, @ankane has personally emailed me saying our solution is not great security-wise. I don't have any other one though. My solution is to have a controller app/controllers/blazer/base_controller.rb with the following:

module Blazer
  class BaseController < ApplicationController
    # skip all filters inherited from ApplicationController;
    # note that this list also contains verify_authenticity_token (the CSRF check)
    filters = _process_action_callbacks.map(&:filter)
    if Rails::VERSION::MAJOR >= 5
      skip_before_action(*filters, raise: false)
      skip_after_action(*filters, raise: false)
      skip_around_action(*filters, raise: false)
    else
      skip_action_callback *filters
    end

    # re-enable CSRF protection, but with :null_session instead of the
    # application default (:exception)
    protect_from_forgery with: :null_session # this is the hack

    [ ... ] # remainder of the controller copied from Github
  end
end

The only other solution is to switch off api_only mode I believe.


richardvenneman commented on May 12, 2024

@duboff Thanks for your fast reply, good to hear that you have it working.

I am using Blazer 1.7.9 and added the controller override in /app/controllers/blazer/base_controller.rb.

Even when using null_session the controller depends on ActionController::RequestForgeryProtection. Since this module is not included in the ActionController::API base class the following error is thrown:

ActionController::RoutingError: undefined method `protect_from_forgery'

... so I included ActionController::RequestForgeryProtection in the Blazer::BaseController, which yields:

ActionController::RoutingError: undefined method `layout'

At this point I believe the only option is to have the Blazer::BaseController inherit from ActionController::Base instead of ApplicationController which has ActionController::API as super. But this yields the following error again:

ActionView::Template::Error: undefined local variable or method `new_query_path'

Currently I don't think turning off api_only is a solution. Maybe it should be possible to specify the engine's parent_controller like Devise or rails_admin? But in this case, the protect_from_forgery line should be removed anyways.


duboff commented on May 12, 2024

Hmm, it's definitely working for us.

Probably a better solution is to separate blazer into a whole new app?


richardvenneman commented on May 12, 2024

Great suggestion, why didn't I think of that 🤔


ankane commented on May 12, 2024

Cleaning up issues
