Forum: Ruby on Rails Authenticity Token change under 2.2.2?

Simon M. (Guest)
on 2008-12-03 02:10
(Received via mailing list)
Hi,

We have the following code which sends a request on unload of one of our
pages. It was working fine until I upgraded to rails 2.2.2, but now is
giving 'ActionController::InvalidAuthenticityToken
(ActionController::InvalidAuthenticityToken):'

Does anyone know what has changed, and what I have to do to get it
working again?

var req = new XMLHttpRequest();
req.open("POST", "<%= url_for(:action => 'unlock', :id =>
@current_page.form_data.id) %>", false);
req.setRequestHeader("Content-Type", "text/plain");
req.setRequestHeader("X-Requested-With", "XMLHttpRequest");
req.send("?authenticity_token="+encodeURIComponent(window._token));


Thanks
Simon
Frederick C. (Guest)
on 2008-12-03 07:13
(Received via mailing list)
Well until 2.2.2 text/plain requests weren't checked at all (this was
a bug) so it's entirely possible that your code has been broken from
day 1. If you look at the logs does it look like the token was sent
properly?

Fred

Simon M. (Guest)
on 2008-12-03 08:19
(Received via mailing list)
Hi Fred,

No, the authenticity_token isn't getting through at all, and I accept that
the code probably should have never worked as it stands. That said, I
can't for the life of me figure out how to get the auth token to be
submitted correctly using the XMLHttpRequest object. We have the token
floating around (we use it in other jQuery AJAX calls), but because this
particular code is being called during unload, we need it to be
synchronous, and the jQuery async:false doesn't appear to work.

Thanks
Simon

Frederick C. (Guest)
on 2008-12-03 10:14
(Received via mailing list)
On Dec 3, 6:18 am, "Simon M." <removed_email_address@domain.invalid> wrote:
> Hi Fred,
>
> No, the authenticity_token isn't getting through at all, and I accept that  
> the code probably should have never worked as it stands. That said, I  
> can't for the life of me figure out how to get the auth token to be  
> submitted correctly using the XMLHttpRequest object. We have the token  
> floating around (we use it in other jQuery AJAX calls), but because this  
> particular code is being called during unload, we need it to be  
> synchronous, and the jQuery async:false doesn't appear to work.
>

Well (I had to look this up since I never use raw XMLHttpRequest) the
parameter to send is the body of the request. When rails gets a
text/plain request it doesn't parse the request body for parameters
(since you've told it that it's just a big text file). So either you
could make the type not text/plain (i.e. application/x-www-form-urlencoded),
and even then you'd want to drop the leading ? in the
body, or you could append it to the url you are requesting (being just
a little bit careful that you glue it on with a & or a ? as
appropriate)

Fred
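
The two fixes described in the reply above, as an added example that is not part of the original thread: the token is sent either in a form-encoded body with no leading "?", or on the URL joined with "?" or "&" as appropriate. The helper names (formEncode, appendParam, postUnlock) are hypothetical, and the XMLHttpRequest constructor is passed in so the code can be exercised outside a browser.

```javascript
// Added example; helper names are hypothetical, not from the thread or from Rails.

// Encode key/value pairs as an application/x-www-form-urlencoded body.
// No leading "?": that character separates a URL from its query string
// and has no meaning at the start of a request body.
function formEncode(params) {
  return Object.keys(params)
    .map(function (k) {
      return encodeURIComponent(k) + "=" + encodeURIComponent(params[k]);
    })
    .join("&");
}

// Append one parameter to a URL, gluing it on with "?" or "&" as
// appropriate and keeping any #fragment at the end.
function appendParam(url, name, value) {
  var hash = "";
  var i = url.indexOf("#");
  if (i !== -1) {
    hash = url.slice(i);
    url = url.slice(0, i);
  }
  var sep = url.indexOf("?") === -1 ? "?" : "&";
  return url + sep + encodeURIComponent(name) + "=" +
    encodeURIComponent(value) + hash;
}

// Synchronous POST that carries the authenticity token where Rails will
// parse it. tokenInUrl=false: form-encoded body. tokenInUrl=true: the
// request stays text/plain and the token travels in the query string.
// In a browser: postUnlock(XMLHttpRequest, unlockUrl, window._token, false)
function postUnlock(XHR, url, token, tokenInUrl) {
  var req = new XHR();
  var target = tokenInUrl ? appendParam(url, "authenticity_token", token) : url;
  req.open("POST", target, false); // false = synchronous, as in the question
  req.setRequestHeader("Content-Type",
    tokenInUrl ? "text/plain" : "application/x-www-form-urlencoded");
  req.setRequestHeader("X-Requested-With", "XMLHttpRequest");
  req.send(tokenInUrl ? "" : formEncode({ authenticity_token: token }));
  return req;
}
```

The token is passed through encodeURIComponent in both paths because it can contain characters such as "+", "/" and "=", which would otherwise be altered when the parameters are decoded.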
Simon M. (Guest)
on 2008-12-03 13:15
(Received via mailing list)
Excellent, works like a charm, thanks for that.

Simon
