ActionController::InvalidAuthenticityToken Error in controller

Question

So I've started getting this error after I tried to implement AJAX comments in my rails app:

ActionController::InvalidAuthenticityToken in CommentsController#create    

ActionController::InvalidAuthenticityToken

    def handle_unverified_request
      raise ActionController::InvalidAuthenticityToken
    end
  end
end

Here are all the codes from the relevant files:

comments_controller.rb

class CommentsController < ApplicationController


  before_action :find_post

  def create  
    @comment = @post.comments.build(comment_params)
    @comment.user_id = current_user.id

    if @comment.save
      respond_to do |format|
        format.html { redirect_to root_path }
        format.js
      end
    else
      flash[:alert] = "Check the comment form, something went horribly wrong."
      render root_path
    end
  end

Add comments form:

= form_for([post, post.comments.build], remote: true) do |f|
  = f.text_field :content, placeholder: 'Add a comment...', class: "comment_content", id: "comment_content_#{post.id}"

views/comments/create.js.erb

$('#comments_<%= @post.id %>').append("<%=j render 'comments/comment', post: @post, comment: @comment %>");
$('#comment_content_<%= @post.id %>').val('')

comment.rb

class Comment < ActiveRecord::Base
  belongs_to :user
  belongs_to :post
end

I have no idea what's causing this error as it worked fine before the introduction of AJAX. I looked up answers to similar problems on stackoverflow and added protect_from_forgery at the top of comments_controller.rb to no avail. I don't get the InvalidAuthenticityToken error alright, but instead, it gives me a different error:

NoMethodError in CommentsController#create

undefined method `id' for nil:NilClass

def create  
  @comment = @post.comments.build(comment_params)
  @comment.user_id = current_user.id #highlighted line

  if @comment.save
    respond_to do |format|

Answer 1

You have to send an authenticity token with your forms, it should be generated in your form_for, so I guess your ajax is just not sending it.

In case it's not automatically generated, you can do it manually: <%= hidden_field_tag :authenticity_token, form_authenticity_token %>

Answer 2

Unless config.action_view.embed_authenticity_token_in_remote_forms is set to true (the default is false), Rails won't generate the hidden input containing the csrf token if the form is a remote one.

This is because ajax powered forms have another mechanism for getting the token & this change means you can now fragment cache html containing this form because it no longer contains content that changes for every user.

This mechanism is adding the csrf tag to the page's meta tags, which the rails javascript can read and add to the ajax request. There is a helper, csrf_meta_tags that does this for you - just add a call to it in the <head> of the html you are rendering (this will usually be in your layout file).

Answer 3

Solution to my problem was to put on first line inside controller:

skip_before_action :verify_authenticity_token, :only => [:create,:inquire_enterprise]

As you can see I am escaping 2 actions which produced the error.