learnenough / rails_tutorial_sample_app_7th_ed

The reference sample app for the Ruby on Rails Tutorial (7th edition) by Michael Hartl

Chapter 8.3 issue with CSRF when using delete to sessions#destroy #3

Open dennisharrison opened 2 years ago

dennisharrison commented 2 years ago

https://github.com/learnenough/rails_tutorial_sample_app_7th_ed/blob/main/app/views/layouts/_header.html.erb#L29

Snip from the console output:

Started DELETE "/logout" for 172.22.144.1 at 2022-05-21 14:13:25 -0500
Cannot render console from 172.22.144.1! Allowed networks: 127.0.0.0/127.255.255.255, ::1
Processing by SessionsController#destroy as TURBO_STREAM
Can't verify CSRF token authenticity.
Completed 422 Unprocessable Entity in 1ms (ActiveRecord: 0.0ms | Allocations: 459)

ActionController::InvalidAuthenticityToken (Can't verify CSRF token authenticity.):

actionpack (7.0.3) lib/action_controller/metal/request_forgery_protection.rb:251:in `handle_unverified_request'
actionpack (7.0.3) lib/action_controller/metal/request_forgery_protection.rb:284:in `handle_unverified_request'
actionpack (7.0.3) lib/action_controller/metal/request_forgery_protection.rb:273:in `verify_authenticity_token'

dennisharrison commented 2 years ago

Downloaded sample code and it's not showing the same behavior. I guess I get to learn how to debug this :)

dennisharrison commented 2 years ago

OK, so putting: https://github.com/learnenough/rails_tutorial_sample_app_7th_ed/blob/main/app/views/layouts/application.html.erb#L7-L8

into the _rails_default.html.erb and rendering it as suggested in 5.18 causes this error. Not using the partial to render the CSRF tags and doing it the way you have it in the application.html.erb in this repository works fine. 🤷‍♂️

Cheers!
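The 422 in the trace above is what Rails returns when a non-GET request arrives without a valid authenticity token. With Turbo, the only place that token comes from is the `<meta name="csrf-token">` tag that `csrf_meta_tags` writes into the layout head; Turbo copies it into an `X-CSRF-Token` header on every fetch it issues, so a layout that does not actually emit that tag produces exactly the failure reported here. The stand-alone Ruby script below is an added example, not code from this repository, the tutorial, or Rails itself: it reimplements Rails' masked-token scheme in miniature (a per-session secret, a fresh one-time pad XORed over it for each page, constant-time comparison on the way back in) and then simulates the `DELETE /logout` with and without the meta tag rendered. The module name `CsrfDemo`, its method names, the `meta_tag_rendered:` switch and the use of raw session bytes instead of Rails' base64 session value are all assumptions made for this example.

```ruby
require "securerandom"

# Miniature re-creation of Rails' masked CSRF tokens (not Rails' own code;
# names and the raw-bytes session representation are this example's own).
module CsrfDemo
  TOKEN_LENGTH = 32 # Rails' AUTHENTICITY_TOKEN_LENGTH

  # Per-session secret. Rails keeps this in session[:_csrf_token].
  def self.generate_session_token
    SecureRandom.random_bytes(TOKEN_LENGTH)
  end

  # URL-safe base64 without newlines, via pack/unpack so no gem is needed.
  def self.encode(bin)
    [bin].pack("m0").tr("+/", "-_")
  end

  # Strict decode: raises ArgumentError on anything that is not base64.
  def self.decode(str)
    str.tr("-_", "+/").unpack1("m0")
  end

  def self.xor(a, b)
    a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack("C*")
  end

  # What csrf_meta_tags puts in the page: pad || (pad XOR secret), so every
  # response carries a different string (this masking exists to blunt
  # compression-oracle attacks such as BREACH).
  def self.mask(raw_token)
    pad = SecureRandom.random_bytes(TOKEN_LENGTH)
    encode(pad + xor(pad, raw_token))
  end

  # Reverse the masking; nil for anything malformed or of the wrong length.
  def self.unmask(masked)
    bytes = decode(masked)
    return nil unless bytes.bytesize == 2 * TOKEN_LENGTH
    xor(bytes[0, TOKEN_LENGTH], bytes[TOKEN_LENGTH, TOKEN_LENGTH])
  rescue ArgumentError
    nil
  end

  # Constant-time comparison so a tampered token leaks nothing via timing.
  def self.secure_equal?(a, b)
    return false if a.nil? || b.nil? || a.bytesize != b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # The check verify_authenticity_token performs for a non-GET request:
  # the token may arrive in the X-CSRF-Token header (what Turbo sends after
  # reading the csrf-token meta tag) or as the authenticity_token form field.
  def self.verified_request?(session_token, headers: {}, params: {})
    candidate = headers["X-CSRF-Token"] || params["authenticity_token"]
    return false if candidate.nil? || candidate.empty?
    secure_equal?(session_token, unmask(candidate))
  end

  # Simulate Turbo issuing DELETE /logout. Turbo only has a token to send if
  # the layout rendered <meta name="csrf-token">; without it the header is
  # absent and Rails answers 422 (InvalidAuthenticityToken), as in the trace.
  def self.logout_status(session_token, meta_tag_rendered:)
    headers = {}
    headers["X-CSRF-Token"] = mask(session_token) if meta_tag_rendered
    verified_request?(session_token, headers: headers) ? 204 : 422
  end
end

if __FILE__ == $PROGRAM_NAME
  token = CsrfDemo.generate_session_token
  puts "layout emits csrf_meta_tags:   #{CsrfDemo.logout_status(token, meta_tag_rendered: true)}"
  puts "layout missing csrf_meta_tags: #{CsrfDemo.logout_status(token, meta_tag_rendered: false)}"
end
```

The practical check is the same as what the script models: view the page source and confirm `<meta name="csrf-token" content="...">` is present in `<head>`, then watch the `DELETE /logout` request in the browser's network panel for an `X-CSRF-Token` header. If the tag is missing, fix the layout (as the last comment does by putting `csrf_meta_tags` back into `application.html.erb`); do not reach for `skip_before_action :verify_authenticity_token`, which silences the error by removing the protection.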