InvalidAuthenticityToken in Rails Shopify app

Question

I have a Shopify app using the shopify_app gem. I am attempted to post a form to an admin page but keep receiving a InvalidAuthenticityToken. I am using Rails 5.1.6 and have set config.action_controller.per_form_csrf_tokens = false to help identify the issue. I have confirmed that meta csrf-token, the authenticity_token form field and the authenticity_token being posted to the server all of the same value.

<meta name="csrf-token" content="FW84k6S5WXpepe+1gADRh+Ly1kBVWrkJohP5QYz54a35KqKZghuciwU0lIlLNRVoHjOM8peOoCqf+HXDDIlMZQ==">


<input type="hidden" name="authenticity_token" value="FW84k6S5WXpepe+1gADRh+Ly1kBVWrkJohP5QYz54a35KqKZghuciwU0lIlLNRVoHjOM8peOoCqf+HXDDIlMZQ==">


Parameters: {"utf8"=>"✓", "authenticity_token"=>"FW84k6S5WXpepe+1gADRh+Ly1kBVWrkJohP5QYz54a35KqKZghuciwU0lIlLNRVoHjOM8peOoCqf+HXDDIlMZQ==", "access_key"=>{"name"=>"A Test", "account"=>""}, "commit"=>"Save", "id"=>"2"}

The controller inherits ShopifyApp::AuthenticatedController and I have removed all before_actions.

Is there a way I log what the expected authenticity_token value should be?

If anyone could offer some guidance it would be highly appreciated.

Thank you.

Answer 1

I just ran into a similar problem with my instance. Check to ensure that your request.base_url is the one that's expected.

In my case, I had to force SSL (in config/environments/{development,production,test}.rb) and pass X-Forwarded-Proto from my proxy to the Rails instance, as there was a conflict between http/https in request.base_url, and it was throwing a CSRF error as a result.

Forcing SSL in environments config:

config.force_ssl = true

nginx proxy_set_header in server block:

proxy_set_header X-Forwarded-Proto $scheme

-- Dave.