Can't verify CSRF token in production #5298
Hi @valentin2105, thanks for your submission. Are you able to submit other forms? If so, can you provide a sample app that shows the issue with just Rails & Devise? We've had similar reports of CSRF / AuthenticityToken errors in the past (feel free to search around the issues tracker, it might help) and it always ends up being something else with the environment, another gem interfering, or Rails itself, but never Devise, as it does nothing "special" regarding CSRF that'd cause invalidation/errors. |
Hi @carlosantoniodasilva, I can't try other forms because they are all behind the login form. Here is the mostly empty project; you can clone it and then,
Then you can test login in development, which should work with sqlite. To try in production (you need a PG DB):
In production you shouldn't be able to create an account; logs are available at logs/production.log |
Hi, |
Hi @mRudzki , I didn't find any solution on this. Thanks a lot ! |
I'm having a similar issue with this, and it seems related to the It seems that it is quite common to skip the line But it seems that this per-form token is more fragile and it fails when signing in on some scenarios (it happens to some users, while most users log in without any issues). I couldn't reproduce the bug myself. |
Is this something that only happens with Devise? I am having a hard time thinking how it could be Devise specific to be honest, but I haven't been able to circle back on this and try to investigate more thoroughly. (and if I'm being honest, I have a list of Devise issues to work through before I can get back to this one, but I wanted to leave a note here with that thought.) |
Yes, it happens only with Devise endpoints... I think there are two possible reasons: there is a hook that invalidates the token, so there might be a timing issue, and Devise does use a different layout, so the head token might not be used.
Also, the action and controller naming in Devise is a bit special, and the form token might not work in this case.
|
@valentin2105 did you ever resolve your csrf issue? Not sure if this helps, but the devise readme docs state: For Rails 5, note that protect_from_forgery is no longer prepended to the before_action chain, so if you have set authenticate_user before protect_from_forgery, your request will result in "Can't verify CSRF token authenticity." To resolve this, either change the order in which you call them, or use protect_from_forgery prepend: true. From your example code, it looks like you may need to change the order of |
What solved it for me was to add the following to settings.py, replacing "<my_domain>" part of course. CSRF_TRUSTED_ORIGINS = ['https://<my_domain>.com'] |
I had a similar issue. It was connected to malformed cookies for rack 3 type applications. I had to upgrade puma to the latest version. |
Check a frequent misstep involves misconfiguring CSRF protection when integrating Devise. Previously, Ensure So, change protect_from_forgery with: :exception to protect_from_forgery with: :exception, prepend: true |
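The ordering point quoted from the Devise README above, and the prepend: true fix repeated in the last comment, can be seen in a small Ruby model of the Rails before_action chain. This is an added example, not code from Devise, Rails or this thread: MiniController, Request, run_chain and the token values are constructed stand-ins, and the model only shows which callback gets to act on a request first under each declaration order; it does not reproduce Devise's internals or the exact reason the error surfaces.

```ruby
# Added example (constructed model, NOT Rails' or Devise's implementation):
# a tiny stand-in for the Rails controller callback chain showing why
# `before_action :authenticate_user!` declared ahead of `protect_from_forgery`
# lets an unverified request reach authentication, and how `prepend: true`
# moves the CSRF check to the front of the chain.

require 'securerandom'

# One request: the token stored in the session, the token the client sent,
# and the signed-in user (nil when anonymous). All values are constructed.
Request = Struct.new(:session_token, :param_token, :current_user, keyword_init: true)

class MiniController
  # Callback chain in declaration order. Like Rails 5, protect_from_forgery is
  # appended as an ordinary before_action unless `prepend: true` is given.
  def self.callbacks
    @callbacks ||= []
  end

  def self.before_action(name, prepend: false)
    prepend ? callbacks.unshift(name) : callbacks.push(name)
  end

  def self.protect_from_forgery(with: :exception, prepend: false)
    raise ArgumentError, 'only `with: :exception` is modelled' unless with == :exception
    before_action(:verify_authenticity_token, prepend: prepend)
  end

  attr_reader :trace

  def initialize(request)
    @request = request
    @trace = []   # names of callbacks that actually ran, in order
  end

  # Runs the chain; a callback returning :halt stops processing, like a
  # Rails before_action that renders or redirects.
  def process
    self.class.callbacks.each do |name|
      @trace << name
      result = send(name)
      return result if result == :halt
    end
    @trace << :action
    :ok
  end

  private

  # Stand-in for Rails' check: compares the session token with the submitted
  # one in constant time and raises, as `with: :exception` does.
  def verify_authenticity_token
    expected = @request.session_token.to_s
    given = @request.param_token.to_s
    valid = !expected.empty? && expected.bytesize == given.bytesize && secure_compare(expected, given)
    raise "Can't verify CSRF token authenticity." unless valid
    nil
  end

  def secure_compare(a, b)
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Stand-in for Devise's helper: anonymous requests are redirected (halt).
  def authenticate_user!
    @request.current_user ? nil : :halt
  end
end

# The ordering from this issue: authentication first, forgery check appended.
class UnsafeOrderController < MiniController
  before_action :authenticate_user!
  protect_from_forgery with: :exception
end

# The README's fix: the forgery check is prepended, so it runs first.
class SafeOrderController < MiniController
  before_action :authenticate_user!
  protect_from_forgery with: :exception, prepend: true
end

# Returns which callbacks ran and the outcome (:ok, :halt or the error message).
def run_chain(controller_class, request)
  controller = controller_class.new(request)
  outcome = begin
    controller.process
  rescue RuntimeError => e
    e.message
  end
  { trace: controller.trace, outcome: outcome }
end

if __FILE__ == $PROGRAM_NAME
  token = SecureRandom.hex(16)
  forged = Request.new(session_token: token, param_token: 'wrong-token', current_user: 'alice')
  [UnsafeOrderController, SafeOrderController].each do |klass|
    puts "#{klass}: #{run_chain(klass, forged).inspect}"
  end
end
```

With the appended ordering, a request carrying a bad token is still rejected, but only after authenticate_user! has already acted on it; with prepend: true the token is checked before any other callback runs, which is the property a CSRF check is meant to have.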
Hello,
Environment
Current behavior
When I set up my app in production mode (locally or in Docker with Postgres), I cannot create a new user and/or log in.
Here are the logs:
(Everything works fine in the Dev environment.)
Expected behavior
Be able to create an account in production environment.
Files:
config/application.rb
app/controllers/application_controller.rb
vars:
Thank you !