Open Talha345 opened 1 month ago
@Talha345 nothing has changed around this for many years. I think there is something specific to your app.
@justin808 Could be, but do you have any suggestion on how to deal with this scenario? I will try to explain my specific scenario in detail:

`csrf_meta_tags` are added via the layout.

NOTE: In older versions of Rails, a single CSRF token was used for each session but since recent versions, we have a new CSRF token for each new request.
Solution for anyone having the same issue:
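```ruby
after_action :add_csrf_token_to_json_request_header

private

# Return a fresh CSRF token in a response header for non-GET JSON requests.
def add_csrf_token_to_json_request_header
  if request.format == :json && !request.get? && protect_against_forgery?
    response.headers['X-CSRF-Token'] = form_authenticity_token
  end
end
```

```js
// In the client's response handling: pick up the refreshed token, if present.
if (response.headers['x-csrf-token']) {
  setAuthenticityToken(response.headers['x-csrf-token'])
}
```

```js
// Write the refreshed token into the meta tag rendered by csrf_meta_tags.
export function setAuthenticityToken(token) {
  const metaTag = document.querySelector("meta[name='csrf-token']");
  if (!metaTag) return; // no csrf-token meta tag on this page
  metaTag.setAttribute('content', token)
}
```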
Took inspiration from https://stackoverflow.com/questions/33941864/rails-automatically-update-csrf-token-for-repeat-json-request
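An added example, not part of the original thread or of React on Rails: the client half of the approach above as a `fetch` wrapper that sends the token only on same-origin, non-GET requests and stores the replacement from the `X-CSRF-Token` response header. The names `csrfFetch`, `readToken`, `storeToken`, `shouldAttachToken` and the `env` parameter are assumptions made for illustration.

```javascript
// Added example. `env` (doc, origin, fetchImpl) is a hypothetical parameter
// that lets the wrapper run outside a browser; in a page it can be omitted.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Current token from the meta tag rendered by csrf_meta_tags, or null.
function readToken(doc) {
  const meta = doc.querySelector("meta[name='csrf-token']");
  return meta ? meta.getAttribute('content') : null;
}

// Store a refreshed token; returns false when there is nothing to update.
function storeToken(doc, token) {
  const meta = doc.querySelector("meta[name='csrf-token']");
  if (!meta || !token) return false; // keep the old value
  meta.setAttribute('content', token);
  return true;
}

// Attach the token only to state-changing, same-origin requests so it is
// never sent to another host.
function shouldAttachToken(method, url, origin) {
  if (SAFE_METHODS.has(String(method || 'GET').toUpperCase())) return false;
  try {
    return new URL(url, origin).origin === origin;
  } catch (e) {
    return false; // unparseable URL: fail closed
  }
}

async function csrfFetch(url, options = {}, env = {}) {
  const doc = env.doc || document;
  const origin = env.origin || window.location.origin;
  const fetchImpl = env.fetchImpl || fetch;
  const sameOriginWrite = shouldAttachToken(options.method, url, origin);
  const headers = { ...(options.headers || {}) };
  const token = readToken(doc);
  if (sameOriginWrite && token) headers['X-CSRF-Token'] = token;
  const response = await fetchImpl(url, { ...options, headers });
  // Accept a replacement token only from responses to our own origin.
  if (sameOriginWrite) storeToken(doc, response.headers.get('x-csrf-token'));
  return response;
}
```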
@Talha345 @Judahmeek @alexeyr-ci Should this go into the docs? If so, could one of you submit a PR and I'll merge it.
I am using `ReactOnRails.authenticityToken();` to get the CSRF token generated by `csrf_meta_tags`. The problem is that when I send the first request, it works fine as the token is valid. Whenever I send any subsequent API request, it returns the previously invalidated CSRF token and therefore I get `ActionController::InvalidAuthenticityToken`. How can I refresh the CSRF token after each API request?