Hey Everyone

I'm just putting together a simple web application in Ruby on Rails 3 RC and I'm a bit stumped with the forgery protection. I plan to have a web interface as well as allow XML API calls from an iPhone app. I'm currently testing this with a REST request generator but am getting InvalidAuthenticityToken errors.

Firstly, I thought these only applied to requests that weren't XML or JSON. Secondly, I'm attaching a user-unique API key with the XML request, so forgery protection can be achieved by other means (I know it's not entirely secure, but it's a decent start for development).

Has anyone got any pointers on how to prevent this protection from applying to XML/JSON requests, or on somehow overriding the default token checker to validate via my own API token system before using the on-board system?

Cheers Dave Finster

A: 

Have you manually set the request type, as per this answer?

http://stackoverflow.com/questions/348976/turning-off-authenticity-token-in-rails-2-for-web-services

jasonpgignac
Yes, except I used application/xml, obviously, since I'm after an XML request. I'm just using a rudimentary Java REST request generator. The Rails server console does show that the request is being processed as XML.
Dave Finster
Yes, but there are three different pieces of the request that deal with format: there's the file extension (so if you're calling 1.xml), there's the 'Accept' header and there is the 'Content-Type' header. Sometimes (I know I've run into this on my own apps) the app will process an XML input just fine, even though the data has the wrong Content-Type header. I'd be interested to see the HTTP headers on this request. Sorry if I'm saying things you already know... :D
jasonpgignac
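The exchange above turns on two things: which of the three format signals (path extension, Content-Type, Accept) decides whether a request is "API" or "browser", and what replaces the authenticity token once it is skipped. The following is an added example in plain Ruby, not code from Dave's app and not Rails' own `verify_authenticity_token` implementation; it models the decision a `before_filter` in `ApplicationController` would make. The request hashes, the key store, the header names (`api_user`, `api_key`) and the precedence order of the three signals are all assumptions for illustration. The security point it makes explicit is the one that justifies skipping the token for XML/JSON at all: API requests are authenticated only by a header the browser never adds on its own, and the session cookie is ignored for them, so a cross-site form or XHR cannot ride on a logged-in session.

```ruby
# Added example (not Dave's code and not Rails internals): models how a Rails
# before_filter could decide between CSRF-token checking and API-key checking.
# Request objects are hashes constructed here; header names, the key store and
# the precedence of the three format signals are assumptions for illustration.

API_FORMATS = [:xml, :json].freeze

# Constructed key store, user id => API key. A real app would store a digest
# of the key, never the key itself.
API_KEYS = { 42 => 'k-0123456789abcdef0123456789abcdef' }.freeze

MIME_FORMATS = {
  'application/xml'  => :xml,
  'text/xml'         => :xml,
  'application/json' => :json,
  'text/html'        => :html
}.freeze

# Derive the format from the three signals named in the comments: the path
# extension (/users/1.xml), then the Content-Type header, then the first
# recognised entry of the Accept header. Precedence order is an assumption.
def request_format(req)
  ext = File.extname(req[:path].to_s).delete('.')
  return ext.to_sym unless ext.empty?

  ctype = req[:content_type].to_s.split(';').first.to_s.strip
  return MIME_FORMATS[ctype] if MIME_FORMATS.key?(ctype)

  req[:accept].to_s.split(',').map { |a| a.split(';').first.strip }.each do |a|
    return MIME_FORMATS[a] if MIME_FORMATS.key?(a)
  end
  :html
end

# Constant-time string comparison: the time taken does not depend on where
# the first differing byte is, so an attacker cannot guess a key byte by byte.
def secure_equal?(a, b)
  return false unless a && b && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def api_key_valid?(user_id, key)
  expected = API_KEYS[user_id]
  !expected.nil? && secure_equal?(expected, key)
end

# Returns :ok, :unauthorized (API key missing/wrong) or :forbidden_csrf
# (browser request without a matching authenticity token).
def authorize(req)
  return :ok if req[:method] == 'GET' # GET must be side-effect free anyway

  if API_FORMATS.include?(request_format(req))
    # API requests skip the authenticity token but must carry the API key in a
    # header. Browsers never attach that header on their own, which is why the
    # skip does not reopen the CSRF hole: the session cookie is deliberately
    # ignored here, so a logged-in browser cannot be driven into this path.
    return api_key_valid?(req[:api_user], req[:api_key]) ? :ok : :unauthorized
  end

  # Browser (HTML form) requests: the submitted token must match the session's.
  secure_equal?(req[:session_token], req[:authenticity_token]) ? :ok : :forbidden_csrf
end
```

In a real Rails 3 app the API controller would declare `skip_before_filter :verify_authenticity_token` and run its own API-key filter instead; relying on the request format alone to dodge the check is fragile, since later Rails releases verify every non-GET request unless the filter is explicitly skipped. If an API-format request is ever allowed to authenticate from the session cookie, the whole arrangement collapses back into the CSRF problem the token was there to prevent.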