ActionController::InvalidAuthenticityToken Rails 5 / Devise / Audited / PaperTrail gem

Asked 11/4, 2017 at 21:0 Answered 25/10, 2021 at 22:43

Solved ruby-on-rails ruby devise acts-as-audited

Background Details

I am using Devise for authentication to login to a Rails 5 application.

Whenever I bundle either the Audited or Paper Trail gem, when I attempt to #create a new session (via the sign in form - /users/sign_in), I receive the following error:

ActionController::InvalidAuthenticityToken

Environment Details

Ruby 2.3.1

Gems:

rails 5.0.2
devise => 4.2.1
paper_trail => 7.0.1

Steps to Reproduce:

Create Rails 5 application
Add Devise gem
Add Audited or Paper Trail gem
Attempt to login

Encase answered 11/4, 2017 at 21:0 Comment(2)

Do you have protect_from_forgery with: :exception in application_controller? – Celebrated 11/4, 2017 at 21:2

@Celebrated - Bingo. That was the cause of the error. I changed it to this: protect_from_forgery prepend: true And then things were happy. Thanks for the help. – Encase 11/4, 2017 at 21:6

As it turns out, Devise documentation is quite revealing with regard to this error:

For Rails 5, note that protect_from_forgery is no longer prepended to the before_action chain, so if you have set authenticate_user before protect_from_forgery, your request will result in "Can't verify CSRF token authenticity." To resolve this, either change the order in which you call them, or use protect_from_forgery prepend: true.

The fix was to change code in my application controller from this:

 protect_from_forgery with: :exception

To this:

 protect_from_forgery prepend: true

This issue did not manifest itself until I attempted adding Audited or Paper Trail gems.

Encase answered 11/4, 2017 at 21:3 Comment(4)

Worked for me, strangely enough, if you were still logged in, the problem doesn't appear, so it seemed intermittent. – Tabbitha 5/5, 2017 at 14:41

@JohnLinux - I experienced the same thing. I don't think it is intermittent though. I think that Devise is sending you through a different call stack when you are logged in. – Encase 30/5, 2017 at 16:48

This was causing me a lot of confusion and frustration. Multiple other posts mention 'moving' it, but non specific the prepend. Thanks. – Pragmatic 18/7, 2017 at 2:52

The proposed change is actually changing more. You probably want protect_from_forgery with: :exception, prepend: true, but you end up with protect_from_forgery with: :null_session, prepend: true as :null_session is the default value of with: – Aimless 21/9, 2018 at 14:56

This happened to me on my development machine. Turns out I was setting

Rails.application.config.session_store

for security purpose in production. And somehow in this code gets run on development mode. And I have to comment out this line and it works fine now.

Rails.application.config.session_store :cookie_store, key: '_my_session', secure: true, same_site: :strict

Humerus answered 15/5, 2020 at 8:5 Comment(0)

Another thing to try for anyone running into this is to add the following to your environment configuration file:

config.action_controller.forgery_protection_origin_check = false

For me, production was working correctly but staging and development were not and this fixed it for me.

Leveille answered 25/10, 2021 at 22:43 Comment(0)

In my project we have that problem and we can't to override protect_from_forgery. The solution founded is indicate the github of audited and worked for me.

Put this in gemfile:

gem "audited", github: "collectiveidea/audited"

Dairymaid answered 29/5, 2017 at 19:11 Comment(4)

This doesn't seems to be an answer to the OP question? – Retrogress 29/5, 2017 at 19:34

@LethalProgrammer, sorry I don't understand the OP question. My answer is to work without edit protect_from_forgery, because my project using a before_action callback to validate something before session create in devise. Sorry if is not clear in my answer. – Dairymaid 29/5, 2017 at 19:47

@Dairymaid - are you suggesting that you can use protect_from_forgery with: :exception in your application controller if you use the github branch that you posted? – Encase 30/5, 2017 at 16:46

@Encase Yes. I dont need to change to protect_from_forgery prepend: true if you put the branch in gem file. I`m using rails 5.0.1, try that if you using rails 5+ – Dairymaid 31/5, 2017 at 1:15

As mentioned in the documentation.

For Rails 5, note that protect_from_forgery is no longer prepended to the before_action chain, so if you have set authenticate_user before protect_from_forgery, your request will result in "Can't verify CSRF token authenticity." To resolve this, either change the order in which you call them, or use protect_from_forgery prepend: true.

I have used something like this and it works for me.

class WelcomeController < ::Base
    protect_from_forgery with: :exception
    before_action :authenticate_model!
end

Emlen answered 17/9, 2017 at 19:29 Comment(0)

The solution for me was to manually go to my browser's settings and delete the cache.

Digamma answered 29/7, 2019 at 21:55 Comment(0)

Recommended topics

Hot tags