Rails 5 ActionController::InvalidAuthenticityToken error

Question

I have a rails application which I am planning to upgrade to rails 5. I am using devise(v4.2.0) along with rails(v5.0.0). As suggested in devise README.md file, I tried moving the protect_from_forgery above the before_filter but still when I am trying to login or update my bug I get an error ActionController::InvalidAuthenticityToken

My Application Controller is

class ApplicationController < ActionController::Base
 protect_from_forgery with: :exception, prepend: true
 before_action :configure_permitted_parameters, if: :devise_controller?

  protected

   def configure_permitted_parameters
     devise_parameter_sanitizer.permit(:sign_up, keys: [:name])
     devise_parameter_sanitizer.permit(:account_update, keys: [:name])
   end

end

And my other BugController is

class BugsController < ApplicationController
  protect_from_forgery prepend: true, with: :exception
  before_action :authenticate_user!
  before_action :set_bug, only: [:show, :edit, :update]

    def update
      respond_to do |format|
      if @bug.update(bug_params)
        format.html { redirect_to @bug, notice: 'Bug was successfully updated.' }
        format.json { render :show, status: :ok, location: @bug }
     else
        format.html { render :edit }
        format.json { render json: @bug.errors, status: :unprocessable_entity }
     end
     end
   end

private
def bug_params
  params.require(:bug).permit(:product, :component, :title, :description, :status_id, :created_by_id, :assigned_to_id)
end


end

Answer 1

As indicated in Devise documentation notes for Rails 5

For Rails 5, note that protect_from_forgery is no longer prepended to the before_action chain, so if you have set authenticate_user before protect_from_forgery , your request will result in "Can't verify CSRF token authenticity." To resolve this, either change the order in which you call them, or use protect_from_forgery prepend: true .

Answer 2

Note : While this answer has the desired effect, it does so by reducing overall security. The below answer by Alon is more correct and maintains the security of the site.

class BugsController < ApplicationController
skip_before_filter :verify_authenticity_token
protect_from_forgery prepend: true, with: :exception
before_action :authenticate_user!
before_action :set_bug, only: [:show, :edit, :update]
end

Like This

Answer 3

I recently hit this in a fairly large way and I found that my error was my application's domain name had recently changed but I forgot to update session_store.rb. That may not be everyone's issue but it will report this as a CSRF error. So please check out config/session_store.rb

Answer 4

I have used something like this and it works for me.

class WelcomeController < ActionController::Base
    protect_from_forgery with: :exception
    before_action :authenticate_model!
end

Answer 5

This decision helped me. I took the decision [from here] [1]. just as for me, the unfortunate name of that topic, using the keywords of error I didn't get there, so I'll give in this thread, because here is the exact name of the error. in my case, I "added" the following line to the application_controller.rb file:

protect_from_forgery with:: null_session

there is a solution where it says "REPLACE" line protect_from_forgery with:: exception , if it exists, to the one I quoted above

[1]: Rails 4 Authenticity Token