I am developing a simple site which lets admins create questions and users solve them. I use ActiveAdmin for the admin part and simple AJAX calls for the user solving part. Trying to login via ActiveAdmin::Devise was successful at first but login out was not possible. I erased all cookies and since then I am not able to make POST actions without a CSRF token authenticity exception. I have the correct meta_tags within the head of my application.html.erb, declared jquery_ujs (other threads say its a common issue) and in both POST actions the authenticity token exists. I tried even avoiding the verification via skip_before_filter :verify_authenticity_token but the ActiveAdmin Login and POST Example continue failing. The logs are below, you can see that the tokens exist. I also show the Gemfile in case that any of those break something with the CSRF.
- Rails Version [4.1.0]
- Ruby Version [2.1]
- Phusion Passenger Version [4.0.41]
Thanks in advance.
application.html.erb
<head>
<title>Introducción Matematicas</title>
<%= stylesheet_link_tag "application", media: "all"%>
<%= javascript_include_tag "application", "data-turbolinks-track" => true %>
<link href="http://fonts.googleapis.com/css?family=Roboto:100,300,400,500,700|Roboto+Slab:300,400" rel="stylesheet" type="text/css">
<%= csrf_meta_tags %>
</head>
application.js
//= require jquery
//= require jquery_ujs
//= require_tree ../../../vendor/assets/javascripts/.
//= require_tree .
Aplication Controller
class ApplicationController < ActionController::Base
# Prevent CSRF attacks by raising an exception.
# For APIs, you may want to use :null_session instead.
protect_from_forgery with: :null_session
#skip_before_filter :verify_authenticity_token
before_filter :configure_permitted_parameters, if: :devise_controller?
protected
def configure_permitted_parameters
devise_parameter_sanitizer.for(:sign_up) do |u|
u.permit :name,:college, :email, :password, :password_confirmation
end
end
end
Admin Login Log
INFO -- : Processing by ActiveAdmin::Devise::SessionsController#create as HTML
INFO -- : Parameters: {"utf8"=>"✓", "authenticity_token"=>"aRZK3470X6+FJPANEuHAiwVW4NZwMzCkXtoZ1qlhQ0o=", "admin_user"=>{"email"=>"omar@gmail.com", "password"=>"[FILTERED]", "remember_me"=>"0"}, "commit"=>"Login"}
WARN -- : Can't verify CSRF token authenticity
INFO -- : Completed 401 Unauthorized in 110ms
INFO -- : Processing by ActiveAdmin::Devise::SessionsController#new as HTML
INFO -- : Parameters: {"utf8"=>"✓", "authenticity_token"=>"aRZK3470X6+FJPANEuHAiwVW4NZwMzCkXtoZ1qlhQ0o=", "admin_user"=>{"email"=>"omar@gmail.com", "password"=>"[FILTERED]", "remember_me"=>"0"}, "commit"=>"Login"}
WARN -- : Can't verify CSRF token authenticity
INFO -- : Rendered vendor/cache/ruby/2.1.0/bundler/gems/active_admin-a460d8d2ab37/app/views/active_admin/devise/shared/_links.erb (2.0ms)
INFO -- : Rendered vendor/cache/ruby/2.1.0/bundler/gems/active_admin-a460d8d2ab37/app/views/active_admin/devise/sessions/new.html.erb within layouts/active_admin_logged_out (73.0ms)
INFO -- : Completed 200 OK in 302ms (Views: 80.2ms | ActiveRecord: 0.0ms)
Simple POST via AJAX Log
INFO -- : Processing by QuestionsController#check_question as JS
INFO -- : Parameters: {"utf8"=>"✓", "que_id"=>"44", "authenticity_token"=>"CjaAx+B36JPc1PUIhta0vIuOTKX4UhrFWlmYHAd+KWY=", "question"=>{"id"=>"169"}, "commit"=>"Verificar Respuesta", "id"=>"6"}
WARN -- : Can't verify CSRF token authenticity
INFO -- : Rendered answers/_answer.html.erb (1.2ms)
INFO -- : Rendered questions/check_question.js.erb (17.0ms)
INFO -- : Completed 200 OK in 94ms
Gemfile
source 'https://rubygems.org'
gem 'rails', '4.1.0'
#gem 'ckeditor'
gem 'mysql2', "0.3.15"
gem 'devise'
gem 'activeadmin', github: 'gregbell/active_admin'
gem 'sass-rails', '~> 4.0.0'
gem 'uglifier', '>= 1.3.0'
gem 'execjs'
gem 'therubyracer'
gem 'coffee-rails', '~> 4.0.0'
gem 'jquery-rails'
gem 'turbolinks'
gem 'jbuilder', '~> 1.2'
group :doc do
gem 'sdoc', require: false
end
gem 'minitest'
Best Answer
skip_before_filter :verify_authenticity_tokenWhoa, don't do this. That's a total hack, and if you leave that in your code accidentally you've just created a serious security problem.
So, why did you delete your cookies? If I read your question correctly it's because your logout function was broken? How about you find out why logout isn't working and fix that instead. Probably not a good idea to go and create another problem (bypassing CSRF authentication) instead of fixing the original problem.
In the meantime restart the local development server and start a new tab in your browser. See if that makes the CSRF stuff at least go away and then go back to the logout problem.