Ruby-on-rails 无法验证 CSRF 令牌真实性 Rails 4.1
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/23377648/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Can't verify CSRF token authenticity Rails 4.1
提问by torresomar
I am developing a simple site which lets admins create questions and users solve them. I use ActiveAdmin for the admin part and simple AJAX calls for the user solving part. Trying to login via ActiveAdmin::Devise was successful at first but login out was not possible. I erased all cookies and since then I am not able to make POST actions without a CSRF token authenticity exception. I have the correct meta_tags within the head of my application.html.erb, declared jquery_ujs (other threads say its a common issue) and in both POST actions the authenticity token exists. I tried even avoiding the verification via skip_before_filter :verify_authenticity_tokenbut the ActiveAdmin Login and POST Example continue failing. The logs are below, you can see that the tokens exist. I also show the Gemfile in case that any of those break something with the CSRF.
我正在开发一个简单的网站,让管理员创建问题并让用户解决它们。我在管理部分使用 ActiveAdmin,对用户解决部分使用简单的 AJAX 调用。最初尝试通过 ActiveAdmin::Devise 登录是成功的,但无法登出。我删除了所有 cookie,从那以后我无法在没有 CSRF 令牌真实性异常的情况下进行 POST 操作。我在 application.html.erb 的头部有正确的 meta_tags,声明了 jquery_ujs(其他线程说这是一个常见问题),并且在两个 POST 操作中都存在真实性令牌。我什至尝试通过skip_before_filter :verify_authenticity_token避免验证但 ActiveAdmin 登录和 POST 示例继续失败。日志如下,您可以看到令牌存在。我还展示了 Gemfile,以防其中任何一个破坏了 CSRF 的某些内容。
- Rails Version [4.1.0]
- Ruby Version [2.1]
- Phusion Passenger Version [4.0.41]
- Rails 版本 [4.1.0]
- 红宝石版本 [2.1]
- Phusion 乘客版 [4.0.41]
Thanks in advance.
提前致谢。
application.html.erb
应用程序.html.erb
<head>
<title>Introducción Matematicas</title>
<%= stylesheet_link_tag "application", media: "all"%>
<%= javascript_include_tag "application", "data-turbolinks-track" => true %>
<link href="http://fonts.googleapis.com/css?family=Roboto:100,300,400,500,700|Roboto+Slab:300,400" rel="stylesheet" type="text/css">
<%= csrf_meta_tags %>
</head>
application.js
应用程序.js
//= require jquery
//= require jquery_ujs
//= require_tree ../../../vendor/assets/javascripts/.
//= require_tree .
Aplication Controller
应用控制器
class ApplicationController < ActionController::Base
# Prevent CSRF attacks by raising an exception.
# For APIs, you may want to use :null_session instead.
protect_from_forgery with: :null_session
#skip_before_filter :verify_authenticity_token
before_filter :configure_permitted_parameters, if: :devise_controller?
protected
def configure_permitted_parameters
devise_parameter_sanitizer.for(:sign_up) do |u|
u.permit :name,:college, :email, :password, :password_confirmation
end
end
end
Admin Login Log
管理员登录日志
INFO -- : Processing by ActiveAdmin::Devise::SessionsController#create as HTML
INFO -- : Parameters: {"utf8"=>"?", "authenticity_token"=>"aRZK3470X6+FJPANEuHAiwVW4NZwMzCkXtoZ1qlhQ0o=", "admin_user"=>{"email"=>"[email protected]", "password"=>"[FILTERED]", "remember_me"=>"0"}, "commit"=>"Login"}
WARN -- : Can't verify CSRF token authenticity
INFO -- : Completed 401 Unauthorized in 110ms
INFO -- : Processing by ActiveAdmin::Devise::SessionsController#new as HTML
INFO -- : Parameters: {"utf8"=>"?", "authenticity_token"=>"aRZK3470X6+FJPANEuHAiwVW4NZwMzCkXtoZ1qlhQ0o=", "admin_user"=>{"email"=>"[email protected]", "password"=>"[FILTERED]", "remember_me"=>"0"}, "commit"=>"Login"}
WARN -- : Can't verify CSRF token authenticity
INFO -- : Rendered vendor/cache/ruby/2.1.0/bundler/gems/active_admin-a460d8d2ab37/app/views/active_admin/devise/shared/_links.erb (2.0ms)
INFO -- : Rendered vendor/cache/ruby/2.1.0/bundler/gems/active_admin-a460d8d2ab37/app/views/active_admin/devise/sessions/new.html.erb within layouts/active_admin_logged_out (73.0ms)
INFO -- : Completed 200 OK in 302ms (Views: 80.2ms | ActiveRecord: 0.0ms)
Simple POST via AJAX Log
通过 AJAX 日志的简单 POST
INFO -- : Processing by QuestionsController#check_question as JS
INFO -- : Parameters: {"utf8"=>"?", "que_id"=>"44", "authenticity_token"=>"CjaAx+B36JPc1PUIhta0vIuOTKX4UhrFWlmYHAd+KWY=", "question"=>{"id"=>"169"}, "commit"=>"Verificar Respuesta", "id"=>"6"}
WARN -- : Can't verify CSRF token authenticity
INFO -- : Rendered answers/_answer.html.erb (1.2ms)
INFO -- : Rendered questions/check_question.js.erb (17.0ms)
INFO -- : Completed 200 OK in 94ms
Gemfile
文件
source 'https://rubygems.org'
gem 'rails', '4.1.0'
#gem 'ckeditor'
gem 'mysql2', "0.3.15"
gem 'devise'
gem 'activeadmin', github: 'gregbell/active_admin'
gem 'sass-rails', '~> 4.0.0'
gem 'uglifier', '>= 1.3.0'
gem 'execjs'
gem 'therubyracer'
gem 'coffee-rails', '~> 4.0.0'
gem 'jquery-rails'
gem 'turbolinks'
gem 'jbuilder', '~> 1.2'
group :doc do
gem 'sdoc', require: false
end
gem 'minitest'
回答by jefflunt
skip_before_filter :verify_authenticity_token
skip_before_filter :verify_authenticity_token
Whoa,don't do this. That's a total hack, and if you leave that in your code accidentally you've just created a serious security problem.
哇,不要这样做。这完全是一种黑客行为,如果您不小心将其留在代码中,则会造成严重的安全问题。
So, why did you delete your cookies? If I read your question correctly it's because your logout function was broken? How about you find out why logout isn't working and fix that instead. Probably not a good idea to go and create another problem (bypassing CSRF authentication) instead of fixing the original problem.
那么,你为什么要删除你的cookies?如果我正确阅读了您的问题,那是因为您的注销功能已损坏?您如何找出注销不起作用的原因并修复它。去创建另一个问题(绕过 CSRF 身份验证)而不是修复原始问题可能不是一个好主意。
In the meantime restart the local development server and start a new tab in your browser. See if that makes the CSRF stuff at least go away and then go back to the logout problem.
同时重新启动本地开发服务器并在浏览器中启动一个新选项卡。看看这是否会使 CSRF 的东西至少消失,然后回到注销问题。
回答by Nate Cheng
Usually, you will have this issue when calling from AJAX. You can simply put to send the token along with the post
通常,从 AJAX 调用时会遇到此问题。您可以简单地将令牌与帖子一起发送
headers : {
'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content') // X-CSRF-TOKEN is used for Ruby on Rails Tokens
}
in your ajax post call, and be sure you have
在您的 ajax 帖子调用中,并确保您有
<%= csrf_meta_tags %>
in your HTML.
在您的 HTML 中。
Don't ever use this
永远不要使用这个
skip_before_filter :verify_authenticity_token
回答by Muaaz Rafi
Simply add the below gem https://github.com/jsanders/angular_rails_csrfit will take of the rest.
只需添加以下 gem https://github.com/jsanders/angular_rails_csrf它将占用其余部分。
