
CSRF Token not valid after refresh_dom_with_partial #11

Closed
s-ol opened this issue May 10, 2014 · 5 comments · Fixed by #12

Comments

@s-ol
Contributor

s-ol commented May 10, 2014

When I log out and log in without changing the main action again, I get a 422 error:
RailsAjax call failed with error 422 (OK): undefined - undefined

The console shows this:

Started POST "/sessions" for 127.0.0.1 at 2014-05-10 19:09:54 +0200
Processing by SessionsController#create as */*
  Parameters: {"utf8"=>"✓", "name"=>"S0lll0s", "password"=>"[FILTERED]", "commit"=>"Log in"}
Can't verify CSRF token authenticity
Completed 422 Unprocessable Entity in 1ms

The login form is in a partial (userbar) in the layout and gets updated like this when logging out:
refresh_dom_with_partial('aside#userbar', "userbar")

@s-ol s-ol changed the title CSRF Problems CSRF Token not valid after refresh_dom_with_partial May 10, 2014
@s-ol
Contributor Author

s-ol commented May 14, 2014

The Rails-4 autogenerated CSRF-Token metadata in the header looks like this:

<meta content="authenticity_token" name="csrf-param">
<meta content="zBRcZmRkCFO/kKY5l7p+C1MG1MkbFmElJ0i7BeoCVwc=" name="csrf-token">

Maybe the json response should contain a meta-tags dictionary:

{
    "div_contents": {
        "#main": "....."
    },
    "meta_tags": {
        "csrf-token": "<new token>"
    }
}

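The sequence behind the report, as an added runnable simulation that is not code from rails-ajax or Rails: a Rails CSRF token is bound to the session, so a logout that resets the session rotates the token, and a client that only swaps the `aside#userbar` partial keeps sending the old one. It assumes, as jquery_ujs does, that the client copies the `<meta name="csrf-token">` value into the `X-CSRF-Token` header, and it uses the `meta_tags` response shape proposed above; the `Session`, `Page`, `handle_post` and `logout_response` names are constructed for the example.

```ruby
require 'securerandom'
require 'json'

# Constant-time comparison so the token check does not leak via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server session: the CSRF token lives here, so resetting the session on logout rotates it.
class Session
  attr_reader :csrf_token

  def initialize
    reset!
  end

  # Stand-in for reset_session: a fresh session means a fresh token.
  def reset!
    @csrf_token = SecureRandom.base64(32)
  end
end

# Stand-in for protect_from_forgery's check: the submitted token may arrive as the
# authenticity_token form param or the X-CSRF-Token header and must match the session.
def verified_request?(session, params: {}, headers: {})
  [params['authenticity_token'], headers['X-CSRF-Token']].compact
    .any? { |token| secure_compare(token, session.csrf_token) }
end

# Minimal POST handler: 422 is what `protect_from_forgery with: :exception` shows in the log.
def handle_post(session, params: {}, headers: {})
  verified_request?(session, params: params, headers: headers) ? 200 : 422
end

# Server side of the proposal (constructed): the logout action resets the session and answers
# with the refreshed partial plus the new token in a meta_tags dictionary.
def logout_response(session)
  session.reset!
  {
    'div_contents' => { 'aside#userbar' => '<form action="/sessions" method="post">...</form>' },
    'meta_tags'    => { 'csrf-token' => session.csrf_token }
  }.to_json
end

# Client side (constructed): the page holds the <meta name="csrf-token"> value that the
# AJAX layer copies into the X-CSRF-Token header on every request.
class Page
  attr_reader :csrf_meta, :dom

  def initialize(session)
    @csrf_meta = session.csrf_token
    @dom = {}
  end

  # honor_meta_tags: false mimics a client that only swaps div contents and keeps the old token.
  def apply(json, honor_meta_tags: true)
    response = JSON.parse(json)
    response.fetch('div_contents', {}).each { |selector, html| @dom[selector] = html }
    if honor_meta_tags && (meta = response['meta_tags']) && meta['csrf-token']
      @csrf_meta = meta['csrf-token']
    end
    self
  end

  def post_headers
    { 'X-CSRF-Token' => @csrf_meta }
  end
end

# Walk through the reported sequence: a POST works, logout rotates the token, a client that
# only refreshed the partial now gets 422, a client that also updated the meta tag gets 200.
def scenario
  session = Session.new
  page = Page.new(session)
  before_logout = handle_post(session, headers: page.post_headers)

  json = logout_response(session)
  page.apply(json, honor_meta_tags: false)
  stale_token = handle_post(session, headers: page.post_headers)

  page.apply(json, honor_meta_tags: true)
  fresh_token = handle_post(session, headers: page.post_headers)

  [before_logout, stale_token, fresh_token]
end

puts scenario.inspect if $PROGRAM_NAME == __FILE__
```

Running the file prints `[200, 422, 200]`: the middle value is the 422 from the report, and it goes away only once the client takes the rotated token from the response, which is why refreshing the partial alone is not enough.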
@Muriel-Salvan
Owner

The "Can't verify CSRF token authenticity" happens sometimes in some POST requests.

I have witnessed it in some automated tests, so it is fully reproducible. I did not have time yet to investigate it further, as it did not seem to alter rails-ajax behavior.

However it is the first time I see a 422 HTTP error linked to it.

Are you using Devise for your authentication mechanism?

As a temporary work-around you can specify to not use rails-ajax for the link or form giving this error by using the :use_rails_ajax => false option.

@s-ol
Contributor Author

s-ol commented May 15, 2014

No, I'm using the rails 4 native protect_from_forgery with: :exception helper (in ApplicationController) along with <%= csrf_meta_tags %> in the layout.

I have a fixed forked version: https://github.com/S0lll0s/rails-ajax/tree/master/lib/rails-ajax
You should probably modify it to be a little more extensive / expandable though.

I also found that it didn't work with "regular" form submission (via redirect_to)

@Muriel-Salvan
Owner

Thanks a lot for your contribution!

I will have a look at it soon, add specific tests for it, merge it and deliver a new rails-ajax version (should be beginning of June).

@Muriel-Salvan
Owner

Did you have a chance to test using the fixed forked version on https://github.com/S0lll0s/rails-ajax/tree/master/lib/rails-ajax?

I did not have time yet to merge the fix. Still in the pipe.

On Sat, Aug 16, 2014 at 3:43 AM, Fabio (f1f5) notifications@github.com wrote:

Hey guys having the same exact problem.. But strangely only in FireFox. Works fine in Safari and Chrome... Seems to be happening on all controllers. I am using Devise. Happens on reg#CREATE ses#CREATE pretty much everything involving a POST req..

Started POST "/learn-more" for 127.0.0.1 at 2014-08-15 21:34:25 -0400
Processing by WelcomeController#create as HTML
Parameters: {"utf8"=>"✓", "authenticity_token"=>"AL5WuJGPPw9jdsbe2G/ns1C/BKV0u1kp/SJnYc5UmaE=", "learn_more"=> {"full_name"=>"", "email"=>"", "phone"=>""}, "button"=>""}
Can't verify CSRF token authenticity
Completed 422 Unprocessable Entity in 6ms

You guys know what's causing this? Thanks!!!


Muriel Salvan http://muriel.x-aeon.com
Lead Software Developer, Ruby/Rails expert, Founder of X-Aeon Solutions
http://x-aeon.com and Riviera Ruby http://rivierarb.fr/
X-Aeon Solutions http://x-aeon.com
