Charcoal-SE / metasmoke

Web dashboard for SmokeDetector.
https://metasmoke.erwaysoftware.com
Creative Commons Zero v1.0 Universal

/api/filters route produces InvalidAuthenticityToken error when POST not sent from MS domain #502

Closed makyen closed 6 years ago

makyen commented 6 years ago

The following POST request results in an "InvalidAuthenticityToken" error (screenshot) when it's sent from a script running in a page from domains other than https://metasmoke.erwaysoftware.com/ (e.g. https://chat.stackexchange.com or https://stackoverflow.com).

$.post('https://metasmoke.erwaysoftware.com/api/filters', { fields: ['reasons.id'] })
  .done((result) => console.log('result:', result))
  .fail((fail) => {
    console.log('fail:', fail);
    // Replace the current page with the error page metasmoke returned
    $(document.documentElement).html(fail.responseText);
  });

This was initially encountered when trying to POST to this route from FIRE and passing FIRE's key and a valid token (the token works fine to submit feedback and flag). This can be tested from a chat page where FIRE runs with the following command:

$.post('https://metasmoke.erwaysoftware.com/api/filters', {
    fields: ['announcements.id', 'announcements.text', 'announcements.expiry'],
    key: fire.api.ms.key,                      // FIRE's API key
    token: fire.userData.metasmokeWriteToken   // the user's metasmoke write token
  })
  .done((result) => console.log('result:', result))
  .fail((fail) => {
    console.log('fail:', fail);
    // Replace the current page with the error page metasmoke returned
    $(document.documentElement).html(fail.responseText);
  });

angussidney commented 6 years ago

The filters page indicates that:

it's possible to generate your own filters on the fly

which suggests that you should be able to do it via API request. Possibly some sort of authentication bug?

Undo1 commented 6 years ago

@ArtOfCode- Any idea what this is about? It's like it completely ignores the skip_before_action.

ArtOfCode- commented 6 years ago

@Undo1 does your commit not fix it?

Undo1 commented 6 years ago

It didn't, @ArtOfCode-. Deployed it and tested with the repro JS, same error. Reverted now.

ArtOfCode- commented 6 years ago

bc49db7d0da690269cfb26fff9bce33f27882d50 (above) appears to fix it... don't know why this didn't work when @Undo1 tried, but calling this fixed - reopen if not.
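The skip_before_action question raised in this thread, as an added illustration that is not metasmoke's code: a minimal Ruby model of Rails' before_action chain, showing why an API route authenticated by an explicit key and write token must skip verify_authenticity_token (and check its own credentials instead), while ordinary HTML controllers keep the CSRF check. The controller classes, credentials and session values are constructed stand-ins.

```ruby
class InvalidAuthenticityToken < StandardError; end
class Unauthorized < StandardError; end

# Constructed stand-ins for FIRE's API key and a user's metasmoke write token.
VALID_KEY   = "constructed-api-key"
VALID_TOKEN = "constructed-write-token"

class ApplicationController
  # Each subclass starts from a copy of its parent's callback list, as in Rails.
  def self.before_actions
    @before_actions ||= superclass.respond_to?(:before_actions) ? superclass.before_actions.dup : []
  end
  def self.before_action(name);      before_actions.push(name);   end
  def self.skip_before_action(name); before_actions.delete(name); end

  # Rails' CSRF check: a POST is accepted only when it carries the token bound to
  # the browser session. A script on chat.stackexchange.com cannot read that token,
  # so its cross-origin POST fails here with InvalidAuthenticityToken.
  before_action :verify_authenticity_token

  def initialize(params, session)
    @params, @session = params, session
  end

  # Run the callback chain, then the action (returns the action's result).
  def dispatch(action)
    self.class.before_actions.each { |cb| send(cb) }
    send(action)
  end

  def verify_authenticity_token
    raise InvalidAuthenticityToken unless @params[:authenticity_token] == @session[:csrf_token]
  end
end

# An API controller skips the CSRF check, but then nothing ambient (cookies) may be
# trusted: every request must present the explicit key and write token instead.
class ApiController < ApplicationController
  skip_before_action :verify_authenticity_token
  before_action :verify_key_and_token

  def verify_key_and_token
    raise Unauthorized unless @params[:key] == VALID_KEY && @params[:token] == VALID_TOKEN
  end

  # POST /api/filters: a stand-in action that echoes the requested fields.
  def filters
    { fields: @params[:fields] }
  end
end
```

Because ApiController's skip removes the inherited callback from its own list, a cross-origin POST with a valid key and token reaches the action, while a subclass without the skip still rejects a POST that lacks the session's CSRF token.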