Authenticity Token change under 2.2.2?

sijomo · December 3, 2008, 1:10am

Hi,

We have the following code which sends a request on unload of one of our
pages. It was working fine until I upgraded to rails 2.2.2, but now is
giving ‘ActionController::InvalidAuthenticityToken
(ActionController::InvalidAuthenticityToken):’

Does anyone know what has changed, and what I have to do to get it
working
again?

var req = new XMLHttpRequest();
req.open(“POST”, “<%= url_for(:action => ‘unlock’, :id =>
@current_page.form_data.id) %>”, false);
req.setRequestHeader(“Content-Type”, “text/plain”);
req.setRequestHeader(“X-Requested-With”, “XMLHttpRequest”);
req.send("?authenticity_token="+encodeURIComponent(window._token));

Thanks
Simon

sijomo · December 3, 2008, 6:13am

Well until 2.2.2 text/plain requests weren’t checked at all (this was
a bug) so it’s entirely possible that your code has been broken from
day 1. If you look at the logs does it look like the token was sent
properly?

Fred

Sent from my iPhone

sijomo · December 3, 2008, 7:19am

Hi Fred,

No, the authenticity_token isn’t getting through at all, and I accept
that
the code probably should have never worked as it stands. That said, I
can’t for the life of me figure out how to get the auth token to be
submitted correctly using the XMLHttpRequest object. We have the token
floating around (we use it in other jQuery AJAX calls), but because this
particular code is being called during unload, we need it to be
synchronous, and the jQuery async:false doesn’t appear to work.

Thanks
Simon

On Wed, 03 Dec 2008 14:12:29 +0900, Frederick C.

sijomo · December 3, 2008, 12:15pm

Excellent, works like a charm, thanks for that.

Simon

On Wed, 03 Dec 2008 17:13:50 +0900, Frederick C.

sijomo · December 3, 2008, 9:14am

On Dec 3, 6:18 am, “Simon M.” [email protected] wrote:

Hi Fred,

No, the authenticity_token isn’t getting through at all, and I accept that
the code probably should have never worked as it stands. That said, I
can’t for the life of me figure out how to get the auth token to be
submitted correctly using the XMLHttpRequest object. We have the token
floating around (we use it in other jQuery AJAX calls), but because this
particular code is being called during unload, we need it to be
synchronous, and the jQuery async:false doesn’t appear to work.

Well (I had to look this up since I never use raw XMLHttpRequest) the
parameter to send is the body of the request. When rails gets a text/
plain request it doesn’t parse the the request body for parameters
(since you’ve told it that it’s just a big text file). So either you
could make the type not text/plain (ie application/x-www-form-
urlencoded), and even then you’d want to drop the leading ? in the
body, or you could append it to the url you are requesting (being just
a little bit careful that you glue it on with a & or a ? as
appropriate)

Fred