Uploadify and rails 3 authenticity tokens

Question

Hi chaps, I'm trying to get a file upload progress bar working in a rails 3 app using uploadify (http://www.uploadify.com) and I'm stuck at authenticity tokens. My current uploadify config looks like

            <script type="text/javascript" charset="utf-8">
             $(document).ready(function() {
                   $("#zip_input").uploadify({
                    'uploader': '/flash/uploadify.swf',
                    'script': $("#upload").attr('action'),
                    'scriptData': { 'format': 'json', 'authenticity_token': encodeURIComponent('<%= form_authenticity_token if protect_against_forgery? %>') },
                    'fileDataName': "world[zip]",
                    //'scriptAccess': 'always', // Incomment this, if for some reason it doesn't work
                    'auto': true,
                    'fileDesc': 'Zip files only',
                    'fileExt': '*.zip',
                    'width': 120, 
                    'height': 24,
                    'cancelImg': '/images/cancel.png',
                    'onComplete': function(event, data) { $.getScript(location.href) }, // We assume that we can refresh the list by doing a js get on the current page
                   'displayData': 'speed'
                   });
                 });
            </script>

But I am getting this response from rails:

Started POST "/worlds" for 127.0.0.1 at 2010-04-22 12:39:44

ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken):


Rendered /opt/local/lib/ruby/gems/1.8/gems/actionpack-3.0.0.beta3/lib/action_dispatch/middleware/templates/rescues/_trace.erb (1.0ms)
Rendered /opt/local/lib/ruby/gems/1.8/gems/actionpack-3.0.0.beta3/lib/action_dispatch/middleware/templates/rescues/_request_and_response.erb (6.6ms)
Rendered /opt/local/lib/ruby/gems/1.8/gems/actionpack-3.0.0.beta3/lib/action_dispatch/middleware/templates/rescues/diagnostics.erb within rescues/layout (12.2ms)

This appears to be because I'm not sending the authentication cookie along with the request. Does anyone know how I can get the values I should be sending there, and how I can make rails read it from HTTP POST rather than trying to find it as a cookie?

Answer 1

well, i figured how to go around that. Is there a form on the view where you want to upload the files. If u do just use jquery to get the value of the hidden authenticity token and pass it into the scriptData var.

var token = ($('input[name=authenticity_token]').val());

scriptData : {'authenticity_token':token}

Hope this works for you.

Answer 2

This seems to be a bug with rails 3.

https://rails.lighthouseapp.com/projects/8994-ruby-on-rails/tickets/3913

This meant I had to change how I was skipping the authenticity token checking:

Changed from

protect_from_forgery :except => :upload

To

skip_before_filter :verify_authenticity_token, :only => :upload

Which seems to still work fine

Answer 3

Skipping authenticity token checking is not ideal as it opens up XSS attack vectors. Another way to make this work is described here: http://metautonomo.us/2010/07/09/uploadify-and-rails-3/

Note that you may need to double url encode things. In the example the rails 'u' is being used as well as encodeURLComponent(). Howoever, if you have a more fancy/rails3 type set up and source the session data/authenticity token from meta tags in the page header, you will need to call encodeURLComponent() twice.