integrallis/stripe_event

Using Rails 5.2.0.beta2, getting Can't verify CSRF token authenticity.

Closed this issue · 7 comments

I believe there's a Rails 5 change which is stopping the webhook from being processed by StripeEvent::WebhookController#event due to protect_from_forgery. https://github.com/plataformatec/devise#controller-filters-and-helpers

I needed to bring the whole StripeEvent::WebhookController into my application in order to stick skip_before_action :verify_authenticity_token in there.

Can anyone else verify this issue?

rmm5t commented

🤔 Not sure I'm fully understanding the issue yet, but I'll try...

Where is your protect_from_forgery currently set? It should only be set on your custom ApplicationController. It sounds like you might be adding it directly to ActionController::Base, which would be a mistake.

The StripeEvent::WebhookController inherits from ActionController::Base, not ApplicationController, so if protect_from_forgery is in the correct place, there shouldn't be any issues.

If I'm way off base here, I'm going to need more information. What exact error are you experiencing? Why did you think you needed to move the StripeEvent::WebhookController into your application to fix things? Are you saying that something that worked in Rails 5.1 now no longer works in Rails 5.2?

protect_from_forgery with: :exception is in my ApplicationController. I'm not overriding ActionController::Base.

I set up my local application to receive Stripe's test webhooks and was getting the error Can't verify CSRF token authenticity. I don't believe I fully tested this when I was on 5.1, but in 5.2.0.beta2, it appears that CSRF verification is happening at the ActionController::Base level.

My app is here: https://github.com/archonic/limestone.

rmm5t commented

Reading the Rails 5.2.0.beta1 CHANGELOG:

Protect from forgery by default

Rather than protecting from forgery in the generated ApplicationController, add it to ActionController::Base depending on config.action_controller.default_protect_from_forgery. This configuration defaults to false to support older versions which have removed it from their ApplicationController, but is set to true for Rails 5.2.


  # config/initializers/new_framework_defaults_5_2.rb
  Rails.application.config.action_controller.default_protect_from_forgery = true

I guess engines (like stripe_event) are going to have to sniff for Rails.application.config.action_controller.default_protect_from_forgery, and if true, only add skip_before_action :verify_authenticity_token.

We need a Rails 5.2 variation added to the build matrix anyway. I'll see if I can get stripe_event ready for Rails 5.2 tomorrow.

If anyone can think of a better approach, please do chime in.

That accommodates default_protect_from_forgery preferences and makes a minimal change to get things working. Sounds good to me!
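What the thread settles on is correct: a webhook POST from Stripe carries no session and no CSRF token, so verify_authenticity_token can only ever reject it, and the engine's controller has to skip that filter once Rails 5.2 installs it on ActionController::Base. The practical caveat is that after the skip, the request's only authentication is Stripe's own Stripe-Signature header, so that check must actually be performed. The code below is an added example written by the editor, not code from stripe_event, Stripe, or this issue (stripe_event's own signature handling is not shown on this page). It implements Stripe's documented scheme (signed payload is "timestamp.rawbody", HMAC-SHA256 hex under the endpoint secret, header "t=...,v1=...") in plain Ruby with no Rails or rack dependency, and wraps it in a Rack-style handler standing in for the webhook action. The endpoint secret, the 300-second tolerance, and the sample event are assumed values chosen for the demonstration.

```ruby
require "openssl"
require "json"
require "stringio"

# Verification of Stripe's Stripe-Signature header. Editor's example, not
# stripe_event or Stripe code. Scheme: signed_payload = "#{t}.#{raw_body}",
# signature = hex HMAC-SHA256 under the endpoint secret,
# header = "t=<unix ts>,v1=<hex>[,v1=<hex>...]".
module StripeSignature
  DEFAULT_TOLERANCE = 300 # seconds of allowed clock skew / replay window (assumed)

  # "t=1,v1=ab,v1=cd" -> {"t"=>["1"], "v1"=>["ab","cd"]}
  def self.parse_header(header)
    parsed = Hash.new { |h, k| h[k] = [] }
    header.to_s.split(",").each do |pair|
      key, value = pair.strip.split("=", 2)
      parsed[key] << value if key && value
    end
    parsed
  end

  def self.sign(secret, timestamp, payload)
    OpenSSL::HMAC.hexdigest("SHA256", secret, "#{timestamp}.#{payload}")
  end

  # Constant-time comparison so response timing cannot leak the expected digest.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # True only if the timestamp is fresh and at least one v1 signature matches.
  def self.valid?(payload:, header:, secret:, now:, tolerance: DEFAULT_TOLERANCE)
    parsed = parse_header(header)
    timestamp = parsed["t"].first
    return false unless timestamp&.match?(/\A\d+\z/)
    return false if (now - timestamp.to_i).abs > tolerance
    expected = sign(secret, timestamp, payload)
    parsed["v1"].any? { |candidate| secure_equal?(candidate, expected) }
  end
end

# Rack-style endpoint (plain Ruby, no rack gem): plays the role of the webhook
# action once CSRF verification has been skipped for it.
class StripeWebhookHandler
  attr_reader :received_types

  def initialize(secret, clock: -> { Time.now.to_i })
    @secret = secret
    @clock = clock
    @received_types = []
  end

  def call(env)
    raw_body = env["rack.input"].read # sign over the raw bytes, never re-serialised JSON
    header = env["HTTP_STRIPE_SIGNATURE"]
    ok = StripeSignature.valid?(payload: raw_body, header: header,
                                secret: @secret, now: @clock.call)
    return [400, { "Content-Type" => "text/plain" }, ["bad signature"]] unless ok

    @received_types << JSON.parse(raw_body)["type"]
    [200, { "Content-Type" => "text/plain" }, ["ok"]]
  end
end

# Constructed request builder for the demonstration below.
def build_env(body, signature_header)
  { "REQUEST_METHOD" => "POST", "rack.input" => StringIO.new(body),
    "HTTP_STRIPE_SIGNATURE" => signature_header }
end

# Exercises the cases a webhook endpoint must get right; returns each HTTP status.
def demo_statuses
  secret = "whsec_test_example_secret" # assumed endpoint secret
  now = 1_600_000_000                  # fixed clock so the demo is deterministic
  handler = StripeWebhookHandler.new(secret, clock: -> { now })
  body = JSON.generate("id" => "evt_example", "type" => "charge.succeeded") # constructed event

  good = "t=#{now},v1=#{StripeSignature.sign(secret, now, body)}"
  stale_ts = now - 3600
  stale = "t=#{stale_ts},v1=#{StripeSignature.sign(secret, stale_ts, body)}"
  forged = "t=#{now},v1=#{'0' * 64}"

  [
    handler.call(build_env(body, good)),                            # genuine        -> 200
    handler.call(build_env(body.sub("succeeded", "failed"), good)), # tampered body  -> 400
    handler.call(build_env(body, stale)),                           # replayed event -> 400
    handler.call(build_env(body, forged)),                          # wrong secret   -> 400
    handler.call(build_env(body, nil))                              # no header      -> 400
  ].map(&:first)
end
```

The no-header case is exactly the request an attacker could make a victim's browser send: without the CSRF filter, the signature check is what rejects it, which is why skipping verify_authenticity_token is safe only when something like StripeSignature.valid? runs on every request.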

rmm5t commented

@archonic Changes made. If you could please test your application against the master branch, that would be really helpful.

  gem "stripe_event", github: "integrallis/stripe_event"

Once I get confirmation, I'm happy to release a new official version out to rubygems.

@rmm5t Tested and works 👍. Thanks!

rmm5t commented

Tested and works 👍. Thanks!

@archonic Thanks. Rock on. 🤘 Very happy about that.

I just released v2.1.1. Don't ask what happened to v2.1.0. 😞 I made a dumb mistake and had to immediately yank that release from rubygems.