tags:

views:

41

answers:

1
Q: 

How do i add the authenticity token?

I recently switched to Google closure for a new project. I am having trouble adding the authenticity token to the headers in a ajax call. How do i go about it?

My Ajax snippet (using goog.net.XhrIo class):

var initialHTMLContent = superField[i].getCleanContents();

var data = goog.Uri.QueryData.createFromMap(new goog.structs.Map({
  body: initialHTMLContent
 }));

 goog.net.XhrIo.send('/blogs/create', function(e) {
    var xhr = /** @type {goog.net.XhrIo} */ (e.target);
    alert(xhr.getResponseXml());
 }, 'POST', data.toString(), {
    'Accept' : 'text/xml'
            });

Using rails in the backend.

UPDATE:

Log:

Processing BlogsController#create (for 127.0.0.1 at 2010-06-29 20:18:46) [PUT]
  Parameters: {"authenticity_token"=>""}

ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken):


Rendered rescues/_trace (272.4ms)
Rendered rescues/_request_and_response (1.2ms)
Rendering rescues/layout (unprocessable_entity)
+2  A: 

Somewhere in a rails view (.html.erb file) you can set a js variable like this:

window._token = '<%= form_authenticity_token %>';

And then append it in your call:

 goog.net.XhrIo.send('/blogs/create?authenticity_token=' + window._token, function(e) {
    var xhr = /** @type {goog.net.XhrIo} */ (e.target);
    alert(xhr.getResponseXml());
 }, 'POST', data.toString(), {
    'Accept' : 'text/xml'
            });
neutrino  2010-06-29 13:44:10
I get a `#<Mongrel::HttpParserError: Invalid HTTP format, parsing fails.>`. Maybe its not taking the auth token into account? I have updated my question with the log.
Shripad K  2010-06-29 13:57:45
I've updated the answer accordingly. Seems you have this call in a plain javascript file. You need generate the token on the server, so you need to do this in a view.
neutrino  2010-06-29 14:21:40
I updated my question. Its not taking the auth token into account what so ever.
Shripad K  2010-06-29 14:52:51
OK taking your queue i got to this point: I had to pass the `<%= form_authenticity_token %>` as a variable from a method i created in the html.erb file to the goog.net.XhrIo instance method in my complied js. But the authenticity token is visible when i view the source code in the browser. Is that not potentially dangerous? I give you a upvote for having shown me the right direction. But i will accept your answer if your solution does not have me worrying about security. :)
Shripad K  2010-06-29 15:12:30
to calm your doubts, just observe the sources of any usual form generated by `form_for` helpers :) the main thing about authenticity token is that it's unique, there's nothing wrong with it being visible. refer to http://guides.rubyonrails.org/security.html, section 3.1
neutrino  2010-06-29 15:21:57
Thank you :) Will accept your answer. Thanks also for that link. I have not looked into the security aspects in the rails guides. Have a reason to look into now.
Shripad K  2010-06-29 15:30:22

related questions

Is there a rake task for backing up the data in your database?
How to represent cross-model information in MVC?
WYSIWYG editor gem for Rails?
Best Solution For Authentication in Ruby on Rails
Acts-as-readable Rails plugin Issue
Associating source and search keywords with account creation
Any tips on getting Rails to run with an Access back-end?
Being as DRY as possible in a Ruby on Rails App
How Do You Secure database.yml?
What IDE to use for developing in Ruby on Rails on windows?
Is Ruby On Rails ready for the Enterprise?
OpenID authentication in Ruby on Rails
Why Doesn't My Cron Job Work Properly?
Why does sqlite3-ruby-1.2.2 not work on OS X?
Ruby mixins and calling super methods
Why all the Active Record hate?
Haml: how do I set a dymanic class value?
Learning Ruby on Rails any good for Grails?
How to sell Python to a client/boss/person with lots of cash
How do I create a new Ruby on Rails application using MySQL instead of SQLite?
Ruby On Rails with Windows Vista - Best Setup?
What is good forum software to add to an existing Rails application?
How do I fix 'Unprocessed view path found' error with ExceptionNotifier plugin in rails 2.1?
Frequent SystemExit in Ruby when making HTTP calls
Implementation of "Remember me" in a Rails application.