
Using Rails 5.2.0.beta2, getting Can't verify CSRF token authenticity. #105

Closed
archonic opened this issue Jan 26, 2018 · 7 comments

@archonic

archonic commented Jan 26, 2018

I believe there's a Rails 5 change which is stopping the webhook from being processed by StripeEvent::WebhookController#event due to protect_from_forgery. https://github.com/plataformatec/devise#controller-filters-and-helpers

I needed to bring the whole StripeEvent::WebhookController into my application in order to stick skip_before_action :verify_authenticity_token in there.

Can anyone else verify this issue?

@rmm5t
Member

rmm5t commented Jan 26, 2018

🤔 Not sure I'm fully understanding the issue yet, but I'll try...

Where is your protect_from_forgery currently set? It should only be set on your custom ApplicationController. It sounds like you might be adding it directly to ActionController::Base, which would be a mistake.

The StripeEvent::WebhookController inherits from ActionController::Base, not ApplicationController, so if protect_from_forgery is in the correct place, there shouldn't be any issues.

If I'm way off base here, I'm going to need more information. What exact error are you experiencing? Why did you think you needed to move the StripeEvent::WebhookController into your application to fix things? Are you saying that something that worked in Rails 5.1 now no longer works Rails 5.2?

@archonic
Author

protect_from_forgery with: :exception is in my ApplicationController. I'm not overriding ActionController::Base.

I set up my local application to receive Stripe's test webhooks and was getting the error Can't verify CSRF token authenticity. I don't believe I fully tested this when I was on 5.1, but in 5.2.0.beta2, it appears that CSRF verification is happening at the ActionController::Base level.

My app is here: https://github.com/archonic/limestone.

@rmm5t
Member

rmm5t commented Jan 29, 2018

Reading the Rails 5.2.0.beta1 CHANGELOG:

Protect from forgery by default

Rather than protecting from forgery in the generated ApplicationController, add it to ActionController::Base depending on config.action_controller.default_protect_from_forgery. This configuration defaults to false to support older versions which have removed it from their ApplicationController, but is set to true for Rails 5.2.


```ruby
# config/initializers/new_framework_defaults_5_2.rb
Rails.application.config.action_controller.default_protect_from_forgery = true
```

I guess engines (like stripe_event) are going to have to sniff for Rails.application.config.action_controller.default_protect_from_forgery, and if true, only add skip_before_action :verify_authenticity_token.

We need a Rails 5.2 variation added to the build matrix anyway. I'll see if I can get stripe_event ready for Rails 5.2 tomorrow.

If anyone can think of a better approach, please do chime in.
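Skipping verify_authenticity_token on the webhook controller is the right call (a webhook has no browser session for a CSRF token to protect), but it leaves the endpoint with no authentication unless something else takes the token's place. The added example below is not stripe_event's or the stripe gem's code; it is a stand-alone version of the check a real app gets from the stripe gem's Stripe::Webhook.construct_event, and it assumes Stripe's signing scheme (a Stripe-Signature header of the form "t=<unix time>,v1=<hex HMAC-SHA256 over "timestamp.raw_body">" keyed with the endpoint's signing secret). The secret and event body are constructed sample values.

```ruby
require "openssl"

# Added example, not stripe_event's code: authenticates a webhook POST by its
# signature header instead of a CSRF token. Assumes Stripe's documented
# scheme: "t=<unix>,v1=<hex>[,v1=<hex>]", HMAC-SHA256 over "#{t}.#{raw_body}".
module WebhookSignature
  TOLERANCE = 300 # seconds; anything older is treated as a possible replay

  # True only if some v1 signature matches and the timestamp is within tolerance.
  def self.valid?(payload, sig_header, secret, now: Time.now.to_i, tolerance: TOLERANCE)
    return false if sig_header.nil? || sig_header.empty?

    parts      = sig_header.split(",").map { |kv| kv.strip.split("=", 2) }
    timestamp  = parts.find { |k, _| k == "t" }&.last
    signatures = parts.select { |k, _| k == "v1" }.map(&:last).compact
    return false if timestamp.nil? || signatures.empty?
    return false unless timestamp.match?(/\A\d+\z/)
    return false if (now - timestamp.to_i).abs > tolerance

    expected = OpenSSL::HMAC.hexdigest("SHA256", secret, "#{timestamp}.#{payload}")
    signatures.any? { |sig| secure_compare(sig, expected) }
  end

  # What the sender computes; used here to build test headers.
  def self.sign(payload, secret, timestamp)
    "t=#{timestamp},v1=#{OpenSSL::HMAC.hexdigest("SHA256", secret, "#{timestamp}.#{payload}")}"
  end

  # Constant-time comparison: the time taken must not depend on how many
  # leading bytes of an attacker-supplied signature happen to be right.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed sample values standing in for the endpoint secret and request.raw_post.
SECRET = "whsec_constructed_example_secret"
BODY   = '{"id":"evt_constructed","type":"charge.succeeded"}'
```

Verify against the raw request body, not a re-serialised params hash, since any change to the bytes invalidates the HMAC.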

@archonic
Author

That accommodates default_protect_from_forgery preferences and makes a minimal change to get things working. Sounds good to me!

@rmm5t
Member

rmm5t commented Jan 31, 2018

@archonic Changes made. If you could please test your application against the master branch, that would be really helpful.

```ruby
gem "stripe_event", github: "integrallis/stripe_event"
```

Once I get confirmation, I'm happy to release a new official version out to rubygems.

@archonic
Author

@rmm5t Tested and works 👍 . Thanks!

@rmm5t
Member

rmm5t commented Jan 31, 2018

> Tested and works 👍 . Thanks!

@archonic Thanks. Rock on. 🤘 Very happy about that.

I just released v2.1.1. Don't ask what happened to v2.1.0. 😞 I made a dumb mistake and had to immediately yank that release from rubygems.
