ActionController::InvalidAuthenticityToken #3

Open
pjmartorell opened this issue Feb 3, 2020 · 2 comments

Comments

@pjmartorell

Hi! I'm using a simple app in Rack to forward requests from one server to another server that runs a Rails app, and most requests are working fine except when submitting a form. It's related to the CSRF token.

This is the config.ru of the Rack app:

require 'uri'
require 'rack/forward'

# Fail fast when the upstream is not configured. to_s also covers an unset
# variable, which would otherwise raise NoMethodError on nil instead of the
# intended ArgumentError.
raise ArgumentError, 'REMOTE_HOST cannot be blank' if ENV['REMOTE_HOST'].to_s.empty?

# Normalise the upstream base so that it always ends with a slash.
remote_host = ENV['REMOTE_HOST'].end_with?('/') ? ENV['REMOTE_HOST'] : ENV['REMOTE_HOST'] + '/'

app = Rack::Builder.new do
  # Forward every incoming request to the same path on the remote host.
  use ::Rack::Forward do |req|
    URI.parse(remote_host + req.fullpath)
  end
  # Fallback for anything Rack::Forward does not forward.
  run ->(_env) { [200, { 'Content-Type' => 'text/html' }, ['OK']] }
end

run app

And this is the error I'm getting:

ActionController::InvalidAuthenticityToken: ActionController::InvalidAuthenticityToken (Most recent call first)
File /railsapp/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.1/lib/action_controller/metal/request_forgery_protection.rb line 211 in handle_unverified_request
File /railsapp/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.1/lib/action_controller/metal/request_forgery_protection.rb line 243 in handle_unverified_request
File /railsapp/vendor/bundle/ruby/2.6.0/gems/devise-4.5.0/lib/devise/controllers/helpers.rb line 255 in handle_unverified_request
File /railsapp/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.1/lib/action_controller/metal/request_forgery_protection.rb line 238 in verify_authenticity_token
File /railsapp/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.1/lib/active_support/callbacks.rb line 426 in block in make_lambda
File /railsapp/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.1/lib/active_support/callbacks.rb line 198 in block (2 levels) in halting
File /railsapp/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.1/lib/abstract_controller/callbacks.rb line 34 in block (2 levels) in <module:Callbacks>
File /railsapp/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.1/lib/active_support/callbacks.rb line 199 in block in halting
File /railsapp/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.1/lib/active_support/callbacks.rb line 513 in block in invoke_before
File /railsapp/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.1/lib/active_support/callbacks.rb line 513 in each
File /railsapp/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.1/lib/active_support/callbacks.rb line 513 in invoke_before
File /railsapp/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.1/lib/active_support/callbacks.rb line 131 in run_callbacks
File /railsapp/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.1/lib/abstract_controller/callbacks.rb line 41 in process_action
File /railsapp/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.1/lib/action_controller/metal/rescue.rb line 22 in process_action
File /railsapp/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.1/lib/action_controller/metal/instrumentation.rb line 34 in block in process_action
File /railsapp/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.1/lib/active_support/notifications.rb line 168 in block in instrument
File /railsapp/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.1/lib/active_support/notifications/instrumenter.rb line 23 in instrument
File /railsapp/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.1/lib/active_support/notifications.rb line 168 in instrument
File /railsapp/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.1/lib/action_controller/metal/instrumentation.rb line 32 in process_action
File /railsapp/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.1/lib/action_controller/metal/params_wrapper.rb line 256 in process_action
File /railsapp/vendor/bundle/ruby/2.6.0/gems/activerecord-5.2.4.1/lib/active_record/railties/controller_runtime.rb line 24 in process_action
File /railsapp/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.1/lib/abstract_controller/base.rb line 134 in process
File /railsapp/vendor/bundle/ruby/2.6.0/gems/actionview-5.2.4.1/lib/action_view/rendering.rb line 32 in process
File /railsapp/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.1/lib/action_controller/metal.rb line 191 in dispatch
File /railsapp/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.1/lib/action_controller/metal.rb line 252 in dispatch
File /railsapp/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.1/lib/action_dispatch/routing/route_set.rb line 52 in dispatch
File /railsapp/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.1/lib/action_dispatch/routing/route_set.rb line 34 in serve
File /railsapp/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.1/lib/action_dispatch/journey/router.rb line 52 in block in serve
File /railsapp/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.1/lib/action_dispatch/journey/router.rb line 35 in each
File /railsapp/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.1/lib/action_dispatch/journey/router.rb line 35 in serve
File /railsapp/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.1/lib/action_dispatch/routing/route_set.rb line 840 in call
File /railsapp/vendor/bundle/ruby/2.6.0/gems/warden-jwt_auth-0.2.1/lib/warden/jwt_auth/middleware/token_dispatcher.rb line 20 in call
File /railsapp/vendor/bundle/ruby/2.6.0/gems/warden-jwt_auth-0.2.1/lib/warden/jwt_auth/middleware/revocation_manager.rb line 21 in call
File /railsapp/vendor/bundle/ruby/2.6.0/gems/rack-2.1.1/lib/rack/builder.rb line 176 in call
File /railsapp/vendor/bundle/ruby/2.6.0/gems/rollbar-2.18.2/lib/rollbar/middleware/rack/builder.rb line 16 in block in call_with_rollbar
File /railsapp/vendor/bundle/ruby/2.6.0/gems/rollbar-2.18.2/lib/rollbar.rb line 146 in scoped
File /railsapp/vendor/bundle/ruby/2.6.0/gems/rollbar-2.18.2/lib/rollbar/middleware/rack/builder.rb line 14 in call_with_rollbar
File /railsapp/vendor/bundle/ruby/2.6.0/gems/warden-jwt_auth-0.2.1/lib/warden/jwt_auth/middleware.rb line 23 in call
File /railsapp/vendor/bundle/ruby/2.6.0/gems/rack-inflater-0.1.0/lib/rack/inflater.rb line 25 in call
File /railsapp/vendor/bundle/ruby/2.6.0/gems/rack-attack-6.2.2/lib/rack/attack.rb line 170 in call
File /railsapp/vendor/bundle/ruby/2.6.0/gems/rack-inflater-0.1.0/lib/rack/inflater.rb line 25 in call
File /railsapp/vendor/bundle/ruby/2.6.0/gems/rack-2.1.1/lib/rack/deflater.rb line 45 in call
File /railsapp/vendor/bundle/ruby/2.6.0/gems/warden-1.2.8/lib/warden/manager.rb line 36 in block in call
File /railsapp/vendor/bundle/ruby/2.6.0/gems/warden-1.2.8/lib/warden/manager.rb line 34 in catch
File /railsapp/vendor/bundle/ruby/2.6.0/gems/warden-1.2.8/lib/warden/manager.rb line 34 in call
File /railsapp/vendor/bundle/ruby/2.6.0/gems/rack-2.1.1/lib/rack/tempfile_reaper.rb line 17 in call
File /railsapp/vendor/bundle/ruby/2.6.0/gems/rack-2.1.1/lib/rack/etag.rb line 27 in call
File /railsapp/vendor/bundle/ruby/2.6.0/gems/rack-2.1.1/lib/rack/conditional_get.rb line 40 in call
File /railsapp/vendor/bundle/ruby/2.6.0/gems/rack-2.1.1/lib/rack/head.rb line 14 in call
File /railsapp/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.1/lib/action_dispatch/http/content_security_policy.rb line 18 in call
File /railsapp/vendor/bundle/ruby/2.6.0/gems/rack-2.1.1/lib/rack/session/abstract/id.rb line 277 in context
File /railsapp/vendor/bundle/ruby/2.6.0/gems/rack-2.1.1/lib/rack/session/abstract/id.rb line 271 in call
File /railsapp/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.1/lib/action_dispatch/middleware/cookies.rb line 670 in call
File /railsapp/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.1/lib/action_dispatch/middleware/callbacks.rb line 28 in block in call
File /railsapp/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.1/lib/active_support/callbacks.rb line 98 in run_callbacks
File /railsapp/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.1/lib/action_dispatch/middleware/callbacks.rb line 26 in call
File /railsapp/vendor/bundle/ruby/2.6.0/gems/rollbar-2.18.2/lib/rollbar/middleware/rails/rollbar.rb line 24 in block in call
File /railsapp/vendor/bundle/ruby/2.6.0/gems/rollbar-2.18.2/lib/rollbar.rb line 146 in scoped
File /railsapp/vendor/bundle/ruby/2.6.0/gems/rollbar-2.18.2/lib/rollbar/middleware/rails/rollbar.rb line 22 in call
File /railsapp/vendor/bundle/ruby/2.6.0/gems/appsignal-2.8.1/lib/appsignal/rack/rails_instrumentation.rb line 19 in call
File /railsapp/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.1/lib/action_dispatch/middleware/debug_exceptions.rb line 61 in call
File /railsapp/vendor/bundle/ruby/2.6.0/gems/rollbar-2.18.2/lib/rollbar/middleware/rails/show_exceptions.rb line 22 in call_with_rollbar
File /railsapp/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.1/lib/action_dispatch/middleware/show_exceptions.rb line 33 in call
File /railsapp/vendor/bundle/ruby/2.6.0/gems/railties-5.2.4.1/lib/rails/rack/logger.rb line 38 in call_app
File /railsapp/vendor/bundle/ruby/2.6.0/gems/railties-5.2.4.1/lib/rails/rack/logger.rb line 26 in block in call
File /railsapp/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.1/lib/active_support/tagged_logging.rb line 71 in block in tagged
File /railsapp/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.1/lib/active_support/tagged_logging.rb line 28 in tagged
File /railsapp/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.1/lib/active_support/tagged_logging.rb line 71 in tagged
File /railsapp/vendor/bundle/ruby/2.6.0/gems/railties-5.2.4.1/lib/rails/rack/logger.rb line 26 in call
File /railsapp/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.1/lib/action_dispatch/middleware/remote_ip.rb line 81 in call
File /railsapp/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.1/lib/action_dispatch/middleware/request_id.rb line 27 in call
File /railsapp/vendor/bundle/ruby/2.6.0/gems/rack-2.1.1/lib/rack/method_override.rb line 24 in call
File /railsapp/vendor/bundle/ruby/2.6.0/gems/rack-2.1.1/lib/rack/runtime.rb line 24 in call
File /railsapp/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.1/lib/active_support/cache/strategy/local_cache_middleware.rb line 29 in call
File /railsapp/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.1/lib/action_dispatch/middleware/executor.rb line 14 in call
File /railsapp/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.1/lib/action_dispatch/middleware/static.rb line 127 in call
File /railsapp/vendor/bundle/ruby/2.6.0/gems/rack-2.1.1/lib/rack/sendfile.rb line 113 in call
File /railsapp/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.1/lib/action_dispatch/middleware/ssl.rb line 74 in call
File /railsapp/vendor/bundle/ruby/2.6.0/gems/railties-5.2.4.1/lib/rails/engine.rb line 524 in call
File /railsapp/vendor/bundle/ruby/2.6.0/gems/rack-cors-1.1.1/lib/rack/cors.rb line 100 in call
File /railsapp/vendor/bundle/ruby/2.6.0/gems/puma-3.12.0/lib/puma/configuration.rb line 225 in call
File /railsapp/vendor/bundle/ruby/2.6.0/gems/puma-3.12.0/lib/puma/server.rb line 658 in handle_request
File /railsapp/vendor/bundle/ruby/2.6.0/gems/puma-3.12.0/lib/puma/server.rb line 472 in process_client
File /railsapp/vendor/bundle/ruby/2.6.0/gems/puma-3.12.0/lib/puma/server.rb line 332 in block in run
File /railsapp/vendor/bundle/ruby/2.6.0/gems/puma-3.12.0/lib/puma/thread_pool.rb line 133 in block in spawn_thread

Any clue on how to fix this?

@lonre
Owner

lonre commented Feb 3, 2020

Hi,

Just a workaround for this case: maybe you can pre-fetch the CSRF token and then submit it with the form fields.

pjmartorell changed the title from "ActionController::InvalidAuthenticityToken: ActionController::InvalidAuthenticityToken" to "ActionController::InvalidAuthenticityToken" on Feb 3, 2020
@pjmartorell
Author

I'm already passing the authenticity token field, but it seems that Rails checks other things apart from the token. I don't think it's easy to bypass.
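The "other things" Rails checks are what a forwarding proxy has to preserve. The example below is added for this thread; it is not rack-forward's code and not Rails' own implementation, but a simplified Ruby model of the shape of the check that `verify_authenticity_token` in `request_forgery_protection.rb` performs in Rails 5.2: a 32-byte secret is stored in the session, the form carries a masked copy of it, and a non-GET request must also present an `Origin` header (when the browser sends one) equal to the URL the app believes it is served from. Running one browser POST through it in different forwarding configurations shows why a correct token on its own is not enough. The host names, the request hash layout, the `_session_id` cookie name and the in-memory session store are assumptions made for the demo.

```ruby
require 'securerandom'
require 'base64'

# Simplified model of the Rails 5.2 CSRF check (example code for this thread,
# not Rails' implementation and not rack-forward's). Assumed layout of a
# request for the demo: { method:, base_url:, headers:, params: }.
TOKEN_LENGTH = 32
SESSIONS = {} # constructed in-memory session store: session id => session hash

def new_session
  { '_csrf_token' => Base64.strict_encode64(SecureRandom.random_bytes(TOKEN_LENGTH)) }
end

def real_csrf_token(session)
  Base64.strict_decode64(session.fetch('_csrf_token'))
end

def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

# The token rendered into a form: one-time pad || (pad XOR real token), base64,
# so every page load carries a different token for the same session secret.
def masked_csrf_token(session)
  pad = SecureRandom.random_bytes(TOKEN_LENGTH)
  Base64.strict_encode64(pad + xor_bytes(pad, real_csrf_token(session)))
end

# Recover the real token from a submitted masked one; nil when it is malformed.
def unmask_token(masked)
  raw = Base64.strict_decode64(masked)
  return nil unless raw.bytesize == TOKEN_LENGTH * 2
  xor_bytes(raw[0, TOKEN_LENGTH], raw[TOKEN_LENGTH, TOKEN_LENGTH])
rescue ArgumentError
  nil
end

# Constant-time comparison so a mismatch does not leak where the bytes differ.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Origin is only checked when the browser sent it; then it must equal base_url.
def valid_origin?(request)
  origin = request[:headers]['Origin']
  origin.nil? || origin == request[:base_url]
end

def valid_token?(request, session)
  return false if session.nil? # no session cookie reached the app: nothing to compare against
  submitted = request[:params]['authenticity_token'] || request[:headers]['X-CSRF-Token']
  return false if submitted.nil?
  real = unmask_token(submitted)
  !real.nil? && secure_compare(real, real_csrf_token(session))
end

def verified_request?(request, session)
  return true if %w[GET HEAD].include?(request[:method])
  valid_origin?(request) && valid_token?(request, session)
end

# Look the session up from the cookie, as the app would, then verify.
def app_verifies?(request)
  cookie = request[:headers]['Cookie']
  session = cookie && SESSIONS[cookie.delete_prefix('_session_id=')]
  verified_request?(request, session)
end

# What the app sees after a forwarder rewrote the request to its own URL,
# optionally dropping the cookie or replacing the host the browser used.
def forwarded(request, keep_cookie:, keep_host:)
  headers = request[:headers].reject { |k, _| k == 'Cookie' && !keep_cookie }
  request.merge(headers: headers,
                base_url: keep_host ? request[:base_url] : 'http://rails.internal')
end

def demo
  sid = SecureRandom.hex(16)
  SESSIONS[sid] = new_session
  token = masked_csrf_token(SESSIONS[sid]) # what the form rendered on the earlier GET
  post = { method: 'POST', base_url: 'http://proxy.example',
           headers: { 'Origin' => 'http://proxy.example', 'Cookie' => "_session_id=#{sid}" },
           params: { 'authenticity_token' => token } }
  {
    direct:         app_verifies?(post),
    cookie_dropped: app_verifies?(forwarded(post, keep_cookie: false, keep_host: true)),
    host_rewritten: app_verifies?(forwarded(post, keep_cookie: true, keep_host: false)),
    both_preserved: app_verifies?(forwarded(post, keep_cookie: true, keep_host: true)),
    foreign_token:  app_verifies?(post.merge(params: { 'authenticity_token' => masked_csrf_token(new_session) }))
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Only `direct` and `both_preserved` pass: the token is bound to the session cookie, so a forwarder that does not pass the `Cookie` header through fails in `valid_token?`, and one that rewrites the request to its own upstream URL while the browser's `Origin` still names the public host fails in `valid_origin?` (in Rails that origin check is governed by `config.action_controller.forgery_protection_origin_check`). A token minted for another session also fails. In practice this means the forwarding layer must carry the session cookie through unchanged and keep the host and scheme the browser used consistent with what the Rails app computes as its base URL.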
