ActionController :: RegistrationsController中的InvalidAuthenticityToken #create

时间:2014-01-02 02:48:31

标签: ruby-on-rails devise ruby-on-rails-4

您好我正在使用Devise进行用户身份验证,我的新用户注册无效。

这是我得到的错误。

ActionController::InvalidAuthenticityToken

Rails.root: /home/example/app
Application Trace | Framework Trace | Full Trace

Request

Parameters:

{"utf8"=>"✓",
 "user"=>{"email"=>"example@gmail.com",
 "password"=>"[FILTERED]",
 "password_confirmation"=>"[FILTERED]"},
 "x"=>"0",
 "y"=>"0"}

这是我的注册控制器

class RegistrationsController < Devise::RegistrationsController
  prepend_before_filter :require_no_authentication, :only => [ :new, :create, :cancel ]
  prepend_before_filter :authenticate_scope!, :only => [:edit, :update, :destroy]

  before_filter :configure_permitted_parameters

  prepend_view_path 'app/views/devise'

  # GET /resource/sign_up
  def new
    build_resource({})
    respond_with self.resource
  end

  # POST /resource
  def create
    build_resource(sign_up_params)

    if resource.save
      if resource.active_for_authentication?
        set_flash_message :notice, :signed_up if is_navigational_format?
        sign_up(resource_name, resource)
        respond_with resource, :location => after_sign_up_path_for(resource)
      else
        set_flash_message :notice, :"signed_up_but_#{resource.inactive_message}" if is_navigational_format?
        expire_session_data_after_sign_in!
        respond_with resource, :location => after_inactive_sign_up_path_for(resource)
      end
    else
      clean_up_passwords resource

      respond_to do |format|
        format.json { render :json => resource.errors, :status => :unprocessable_entity }
        format.html { respond_with resource }
      end
    end
  end

  # GET /resource/edit
  def edit
    render :edit
  end

  # PUT /resource
  # We need to use a copy of the resource because we don't want to change
  # the current user in place.
  def update
    self.resource = resource_class.to_adapter.get!(send(:"current_#{resource_name}").to_key)
    prev_unconfirmed_email = resource.unconfirmed_email if resource.respond_to?(:unconfirmed_email)

    if update_resource(resource, account_update_params)
      if is_navigational_format?
        flash_key = update_needs_confirmation?(resource, prev_unconfirmed_email) ?
          :update_needs_confirmation : :updated
        set_flash_message :notice, flash_key
      end
      sign_in resource_name, resource, :bypass => true
      respond_with resource, :location => after_update_path_for(resource)
    else
      clean_up_passwords resource
      respond_with resource
    end
  end

  # DELETE /resource
  def destroy
    resource.destroy
    Devise.sign_out_all_scopes ? sign_out : sign_out(resource_name)
    set_flash_message :notice, :destroyed if is_navigational_format?
    respond_with_navigational(resource){ redirect_to after_sign_out_path_for(resource_name) }
  end

  # GET /resource/cancel
  # Forces the session data which is usually expired after sign
  # in to be expired now. This is useful if the user wants to
  # cancel oauth signing in/up in the middle of the process,
  # removing all OAuth session data.
  def cancel
    expire_session_data_after_sign_in!
    redirect_to new_registration_path(resource_name)
  end

  protected

  # Custom Fields
  def configure_permitted_parameters
    devise_parameter_sanitizer.for(:sign_up) do |u|
      u.permit(:first_name, :last_name,
        :email, :password, :password_confirmation)
    end
  end

  def update_needs_confirmation?(resource, previous)
    resource.respond_to?(:pending_reconfirmation?) &&
      resource.pending_reconfirmation? &&
      previous != resource.unconfirmed_email
  end

  # By default we want to require a password checks on update.
  # You can overwrite this method in your own RegistrationsController.
  def update_resource(resource, params)
    resource.update_with_password(params)
  end

  # Build a devise resource passing in the session. Useful to move
  # temporary session data to the newly created user.
  def build_resource(hash=nil)
    self.resource = resource_class.new_with_session(hash || {}, session)
  end

  # Signs in a user on sign up. You can overwrite this method in your own
  # RegistrationsController.
  def sign_up(resource_name, resource)
    sign_in(resource_name, resource)
  end

  # The path used after sign up. You need to overwrite this method
  # in your own RegistrationsController.
  def after_sign_up_path_for(resource)
    after_sign_in_path_for(resource)
  end

  # The path used after sign up for inactive accounts. You need to overwrite
  # this method in your own RegistrationsController.
  def after_inactive_sign_up_path_for(resource)
    respond_to?(:root_path) ? root_path : "/"
  end

  # The default url to be used after updating a resource. You need to overwrite
  # this method in your own RegistrationsController.
  def after_update_path_for(resource)
    signed_in_root_path(resource)
  end

  # Authenticates the current scope and gets the current resource from the session.
  def authenticate_scope!
    send(:"authenticate_#{resource_name}!", :force => true)
    self.resource = send(:"current_#{resource_name}")
  end

  def sign_up_params
    devise_parameter_sanitizer.sanitize(:sign_up)
  end

  def account_update_params
    devise_parameter_sanitizer.sanitize(:account_update)
  end
end

这是我的会话控制器

class SessionsController < DeviseController
  prepend_before_filter :require_no_authentication, :only => [ :new, :create ]
  prepend_before_filter :allow_params_authentication!, :only => :create
  prepend_before_filter { request.env["devise.skip_timeout"] = true }

  prepend_view_path 'app/views/devise'

  # GET /resource/sign_in
  def new
    self.resource = resource_class.new(sign_in_params)
    clean_up_passwords(resource)
    respond_with(resource, serialize_options(resource))
  end

  # POST /resource/sign_in
  def create
    self.resource = warden.authenticate!(auth_options)
    set_flash_message(:notice, :signed_in) if is_navigational_format?
    sign_in(resource_name, resource)

    respond_to do |format|
        format.json { render :json => {}, :status => :ok }
        format.html { respond_with resource, :location => after_sign_in_path_for(resource) } 
    end
  end

  # DELETE /resource/sign_out
  def destroy
    redirect_path = after_sign_out_path_for(resource_name)
    signed_out = (Devise.sign_out_all_scopes ? sign_out : sign_out(resource_name))
    set_flash_message :notice, :signed_out if signed_out && is_navigational_format?

    # We actually need to hardcode this as Rails default responder doesn't
    # support returning empty response on GET request
    respond_to do |format|
      format.all { head :no_content }
      format.any(*navigational_formats) { redirect_to redirect_path }
    end
  end


  protected

  def sign_in_params
    devise_parameter_sanitizer.sanitize(:sign_in)
  end

  def serialize_options(resource)
    methods = resource_class.authentication_keys.dup
    methods = methods.keys if methods.is_a?(Hash)
    methods << :password if resource.respond_to?(:password)
    { :methods => methods, :only => [:password] }
  end

  def auth_options
    { :scope => resource_name, :recall => "#{controller_path}#new" }
  end
end

这是注册表格

<%= form_for(:user, :html => {:id => 'register_form'}, :url => user_registration_path, :remote => :true, :format => :json) do |f| %>

    <div class="name_input_container">
        <div class="name_input_cell">


    <%= f.email_field :email, :placeholder => "email" %>


    <%= f.password_field :password, :placeholder => "password", :title => "8+ characters" %>


    <%= f.password_field :password_confirmation, :placeholder => "confirm password" %>


    <div class="option_buttons">
        <div class="already_registered">
            <%= link_to 'already registered?', '#', :class => 'already_registered', :id => 'already_registered', :view => 'login' %>
        </div>
        <%= image_submit_tag('modals/account/register_submit.png', :class => 'go') %>
        <div class="clear"></div>
    </div>
<% end %>

8 个答案:

答案 0 :(得分:103)

核心application_controller.rb中的每{{}}},将protect_from_forgery设置为以下内容:

protect_from_forgery with: :null_session

或者,根据the comments,在没有protect_from_forgery参数的情况下声明:with 将默认使用:null_session

protect_from_forgery # Same as above

<强>更新

这似乎是Devise行为中的the docs。 Devise documented bug的作者关于引发此异常的特定控制器操作:

# app/controllers/users/registrations_controller.rb
class RegistrationsController < Devise::RegistrationsController
  skip_before_filter :verify_authenticity_token, :only => :create
end

答案 1 :(得分:32)

您忘记在布局文件中添加<%= csrf_meta_tags %>

e.g:

<!DOCTYPE html>
<html>
<head>
<title>Sample</title>
<%= stylesheet_link_tag "application", media: "all", "data-turbolinks-track" => true %>
<%= javascript_include_tag "application", "data-turbolinks-track" => true %>
<%= csrf_meta_tags %>
</head>
<body>

<%= yield %>

</body>
</html>

答案 2 :(得分:20)

TLDR:您可能会看到此问题,因为您的表单是通过XHR提交的。

首先要做的事情很少:

  1. Rails在页面的head标记内包含CSRF令牌。
  2. 只要您执行POST,PATCH或DELETE请求,Rails就会评估此CSRF令牌。
  3. 当您登录或退出
  4. 时,此标记过期

    沼泽标准HTTP登录将导致整页刷新,旧的CSRF令牌将刷新替换与Rails创建的全新版本你登录了。

    AJAX登录将刷新页面,因此现在无效的硬件陈旧的CSRF令牌仍然存在于您的页面上。

    解决方案是在AJAX登录后手动更新HEAD标记内的CSRF令牌。


    我从一个有用的thread on this matter无耻地借用了一些步骤。

    步骤1:将新的CSRF令牌添加到成功登录后发送的响应标头

    class SessionsController < Devise::SessionsController
    
      after_action :set_csrf_headers, only: :create
    
      # ...
    
      protected
        def set_csrf_headers
          if request.xhr?
            # Add the newly created csrf token to the page headers
            # These values are sent on 1 request only
            response.headers['X-CSRF-Token'] = "#{form_authenticity_token}"
            response.headers['X-CSRF-Param'] = "#{request_forgery_protection_token}"
          end
        end
      end
    

    第2步:ajaxComplete事件触发时,使用jQuery使用新值更新页面:

    $(document).on("ajaxComplete", function(event, xhr, settings) {
      var csrf_param = xhr.getResponseHeader('X-CSRF-Param');
      var csrf_token = xhr.getResponseHeader('X-CSRF-Token');
    
      if (csrf_param) {
        $('meta[name="csrf-param"]').attr('content', csrf_param);
      }
      if (csrf_token) {
        $('meta[name="csrf-token"]').attr('content', csrf_token);
      }
    });
    

    就是这样。 YMMV取决于您的Devise配置。我怀疑这个问题最终是由于旧的CSRF令牌正在杀死请求,并且rails引发了异常。

答案 3 :(得分:11)

如果您只使用API​​,则应尝试:

class ApplicationController < ActionController::Base
  protect_from_forgery unless: -> { request.format.json? }
end

http://edgeapi.rubyonrails.org/classes/ActionController/RequestForgeryProtection.html#method-i-protect_against_forgery-3F

答案 4 :(得分:11)

对于Rails 5,可能是由于protect_from_forgerybefore_actions被触发的顺序。

我最近遇到了类似的情况,即使protect_from_forgery with: :exceptionApplicationController的第一行,before_action仍在干扰。

解决方案是改变:

protect_from_forgery with: :exception

为:

protect_from_forgery prepend: true, with: :exception

这里有关于它的博客文章http://blog.bigbinary.com/2016/04/06/rails-5-default-protect-from-forgery-prepend-false.html

答案 5 :(得分:4)

浏览器缓存HTML问题(2020)

如果您已尝试过此页上的所有补救措施,但仍遇到InvalidAuthenticityToken异常的问题,则可能与浏览器缓存HTML有关。 an issue on Github包含100条注释以及一些可复制的代码。简而言之,这就是与HTML缓存相关的我所发生的事情:

  1. 用户浏览到网站。 Rails在第一个GET请求上设置一个签名的会话cookie。有关配置选项,请参见config/initializers/session_store.rb。该会话cookie存储有用的信息,包括用于解密和验证请求真实性的CSRF令牌。重要提示:默认情况下,会话cookie将在浏览器窗口关闭时过期。
  2. 用户浏览到包含表单的页面。对我来说,我在登录页面上收到的例外最多。
  3. Rails在此表单中嵌入隐藏的CSRF令牌,并将此令牌与表单数据一起提交。重要提示:此令牌已嵌入HTML。
  4. ActionController从params对象中获取CSRF令牌,并使用Rails 4.2+中的verified_request?方法通过cookie中的CSRF令牌对其进行验证。

许多浏览器现在都在实现HTML缓存,因此,当您打开页面时,无需请求即可加载HTML。不幸的是,当关闭浏览器时,会话cookie被销毁,因此,如果用户在窗体(例如登录页面)上时关闭浏览器,则第一个请求将不包含CSRF令牌,从而引发InvalidAuthenticityError。

两种常见解决方案

  1. 将会话cookie的有效期延长到浏览器窗口之外。
  2. 如果缺少会话cookie(通过代理cookie),请在浏览器中进行检测;如果缺少会话cookie,请刷新页面。

1。延长会话Cookie的有效期

如本Github comment中所述,Django采用了以下方法:

Django将标记添加到其自己的称为CSRF_COOKIE的cookie中。这是一个永久性Cookie,一年内到期。如果发出后续请求,则cookie的有效期将更新。

在Rails中:

# config/initializers/session_store.rb 
Rails.application.config.session_store :cookie_store, expire_after: 14.days

与安全相关的许多事情,concern可能会造成漏洞,但是我无法找到攻击者如何利用此漏洞的任何示例。

2。使用JavaScript刷新页面

此方法涉及设置一个单独的令牌,该令牌可以由浏览器读取,如果不存在该令牌,则刷新页面。因此,当浏览器加载缓存的HTML(没有会话cookie),在页面上执行JS时,可以重定向用户或刷新HTML。

例如,为每个不受保护的请求设置一个cookie:

# app/controllers/application_controller.rb
class ApplicationController < ActionController::Base
  after_action :set_csrf_token

  def set_csrf_token
    cookies['XSRF-TOKEN'] = form_authenticity_token if protect_against_forgery?
  end
end

在JS中检查此cookie:

const hasCrossSiteReferenceToken = () => document.cookie.indexOf('XSRF-TOKEN') > -1;

if (!hasCrossSiteReferenceToken()) {
    location.reload();
}

这将强制浏览器刷新。

结论

我希望这可以帮助一些人。这个错误使我花了很多天的时间。如果仍有问题,请考虑阅读以下内容:

答案 6 :(得分:2)

您必须在执行操作之前将protect_from_forgery置于用户身份验证之前。这是正确的解决方案

class ApplicationController < ActionController::Base
  protect_from_forgery with: :exception
  before_action :authenticate_user!
end

答案 7 :(得分:0)

只是整个上午都在调试它,所以我想在这里分享一下,以防在将rails升级到5.2或6时遇到类似的问题。

我有2个问题

1)无法验证CSRF令牌的真实性。

,并且在添加跳过验证后,

2)请求将会通过,但用户仍未登录。

我不是在开发中缓存

  if Rails.root.join('tmp', 'caching-dev.txt').exist?
    config.action_controller.perform_caching = true
    config.action_controller.enable_fragment_cache_logging = true

    config.cache_store = :memory_store
    config.public_file_server.headers = { 'Cache-Control' => "public, max-age=#{2.days.to_i}" }
  else
    config.action_controller.perform_caching = false

    config.cache_store = :null_store
  end

在session_store中

config.session_store :cache_store,  servers: ... 
    
    

我猜应用程序正在尝试将会话存储在缓存中,但是它为空-因此它没有登录。I我运行后

bin/rails dev:cache

开始缓存-登录开始工作。

您可能需要

  • 旋转master.key
  • 旋转凭据.yml.enc
  • 删除secrets.yml