Can't verify CSRF token authenticity
Opened this issue · 4 comments
sikandartariq1 commented
Getting ActionController::InvalidAuthenticityToken whenever an item is dragged to order.
Started POST "/admin/shares/163/sort" for ::1 at 2019-10-07 12:15:09 +0500
Processing by Admin::SharesController#sort as */*
Parameters: {"id"=>"163"}
Can't verify CSRF token authenticity.
Completed 422 Unprocessable Entity in 1ms (ActiveRecord: 0.0ms)
ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken):
actionpack (5.2.2) lib/action_controller/metal/request_forgery_protection.rb:211:in `handle_unverified_request'
actionpack (5.2.2) lib/action_controller/metal/request_forgery_protection.rb:243:in `handle_unverified_request'
devise (4.6.1) lib/devise/controllers/helpers.rb:255:in `handle_unverified_request'
actionpack (5.2.2) lib/action_controller/metal/request_forgery_protection.rb:238:in `verify_authenticity_token'
activesupport (5.2.2) lib/active_support/callbacks.rb:426:in `block in make_lambda'
activesupport (5.2.2) lib/active_support/callbacks.rb:198:in `block (2 levels) in halting'
actionpack (5.2.2) lib/abstract_controller/callbacks.rb:34:in `block (2 levels) in <module:Callbacks>'
activesupport (5.2.2) lib/active_support/callbacks.rb:199:in `block in halting'
activesupport (5.2.2) lib/active_support/callbacks.rb:513:in `block in invoke_before'
activesupport (5.2.2) lib/active_support/callbacks.rb:513:in `each'
activesupport (5.2.2) lib/active_support/callbacks.rb:513:in `invoke_before'
activesupport (5.2.2) lib/active_support/callbacks.rb:131:in `run_callbacks'
actionpack (5.2.2) lib/abstract_controller/callbacks.rb:41:in `process_action'
actionpack (5.2.2) lib/action_controller/metal/rescue.rb:22:in `process_action'
actionpack (5.2.2) lib/action_controller/metal/instrumentation.rb:34:in `block in process_action'
activesupport (5.2.2) lib/active_support/notifications.rb:168:in `block in instrument'
activesupport (5.2.2) lib/active_support/notifications/instrumenter.rb:23:in `instrument'
activesupport (5.2.2) lib/active_support/notifications.rb:168:in `instrument'
actionpack (5.2.2) lib/action_controller/metal/instrumentation.rb:32:in `process_action'
actionpack (5.2.2) lib/action_controller/metal/params_wrapper.rb:256:in `process_action'
activerecord (5.2.2) lib/active_record/railties/controller_runtime.rb:24:in `process_action'
actionpack (5.2.2) lib/abstract_controller/base.rb:134:in `process'
actionview (5.2.2) lib/action_view/rendering.rb:32:in `process'
actionpack (5.2.2) lib/action_controller/metal.rb:191:in `dispatch'
actionpack (5.2.2) lib/action_controller/metal.rb:252:in `dispatch'
actionpack (5.2.2) lib/action_dispatch/routing/route_set.rb:52:in `dispatch'
actionpack (5.2.2) lib/action_dispatch/routing/route_set.rb:34:in `serve'
actionpack (5.2.2) lib/action_dispatch/journey/router.rb:52:in `block in serve'
actionpack (5.2.2) lib/action_dispatch/journey/router.rb:35:in `each'
actionpack (5.2.2) lib/action_dispatch/journey/router.rb:35:in `serve'
actionpack (5.2.2) lib/action_dispatch/routing/route_set.rb:840:in `call'
warden (1.2.8) lib/warden/manager.rb:36:in `block in call'
warden (1.2.8) lib/warden/manager.rb:34:in `catch'
warden (1.2.8) lib/warden/manager.rb:34:in `call'
rack (2.0.6) lib/rack/tempfile_reaper.rb:15:in `call'
rack (2.0.6) lib/rack/etag.rb:25:in `call'
rack (2.0.6) lib/rack/conditional_get.rb:38:in `call'
rack (2.0.6) lib/rack/head.rb:12:in `call'
actionpack (5.2.2) lib/action_dispatch/http/content_security_policy.rb:18:in `call'
rack (2.0.6) lib/rack/session/abstract/id.rb:232:in `context'
rack (2.0.6) lib/rack/session/abstract/id.rb:226:in `call'
actionpack (5.2.2) lib/action_dispatch/middleware/cookies.rb:670:in `call'
activerecord (5.2.2) lib/active_record/migration.rb:559:in `call'
actionpack (5.2.2) lib/action_dispatch/middleware/callbacks.rb:28:in `block in call'
activesupport (5.2.2) lib/active_support/callbacks.rb:98:in `run_callbacks'
actionpack (5.2.2) lib/action_dispatch/middleware/callbacks.rb:26:in `call'
actionpack (5.2.2) lib/action_dispatch/middleware/executor.rb:14:in `call'
actionpack (5.2.2) lib/action_dispatch/middleware/debug_exceptions.rb:61:in `call'
web-console (3.7.0) lib/web_console/middleware.rb:135:in `call_app'
web-console (3.7.0) lib/web_console/middleware.rb:30:in `block in call'
web-console (3.7.0) lib/web_console/middleware.rb:20:in `catch'
web-console (3.7.0) lib/web_console/middleware.rb:20:in `call'
actionpack (5.2.2) lib/action_dispatch/middleware/show_exceptions.rb:33:in `call'
railties (5.2.2) lib/rails/rack/logger.rb:38:in `call_app'
railties (5.2.2) lib/rails/rack/logger.rb:26:in `block in call'
activesupport (5.2.2) lib/active_support/tagged_logging.rb:71:in `block in tagged'
activesupport (5.2.2) lib/active_support/tagged_logging.rb:28:in `tagged'
activesupport (5.2.2) lib/active_support/tagged_logging.rb:71:in `tagged'
railties (5.2.2) lib/rails/rack/logger.rb:26:in `call'
sprockets-rails (3.2.1) lib/sprockets/rails/quiet_assets.rb:13:in `call'
actionpack (5.2.2) lib/action_dispatch/middleware/remote_ip.rb:81:in `call'
actionpack (5.2.2) lib/action_dispatch/middleware/request_id.rb:27:in `call'
rack (2.0.6) lib/rack/method_override.rb:22:in `call'
rack (2.0.6) lib/rack/runtime.rb:22:in `call'
activesupport (5.2.2) lib/active_support/cache/strategy/local_cache_middleware.rb:29:in `call'
actionpack (5.2.2) lib/action_dispatch/middleware/executor.rb:14:in `call'
actionpack (5.2.2) lib/action_dispatch/middleware/static.rb:127:in `call'
rack (2.0.6) lib/rack/sendfile.rb:111:in `call'
railties (5.2.2) lib/rails/engine.rb:524:in `call'
puma (3.12.0) lib/puma/configuration.rb:225:in `call'
puma (3.12.0) lib/puma/server.rb:658:in `handle_request'
puma (3.12.0) lib/puma/server.rb:472:in `process_client'
puma (3.12.0) lib/puma/server.rb:332:in `block in run'
puma (3.12.0) lib/puma/thread_pool.rb:133:in `block in spawn_thread'
Rails 5.2.2
ruby 2.6.0p0
activeadmin_sortable_table 1.3.0
sikandartariq1 commented
#19 this PR is the solution.
bolshakov commented
@sikandartariq1 can you help me to reproduce the problem? I tried to monkey patch Active Admin::BaseController with protect_from_forgery but tests pass.
sikandartariq1 commented
using vendor/assets instead of app/assets for active-admin assets, other than that don't see any special configuration that may cause this issue. may I ask which rails version you're using?
bolshakov commented
I updated the test suite to test against latest rails and active admin versions #21
I rebased @Kristonitas branch #22 to pass the test and tried to break tests by passing invalid CSRF token https://github.com/bolshakov/activeadmin_sortable_table/pull/22/files#diff-446d0814a602530970c4685b7803428dR36 . The tests passed locally on Rails 6 / activeadmin 2.4.
I also used to use the gem with activeadmin before 1.0 without any issues with CSRF :)