无法验证 CSRF 令牌的真实性

【问题标题】:Can't verify CSRF token autenticity无法验证 CSRF 令牌的真实性
【发布时间】:2017-01-23 05:37:59
【问题描述】:

我正在尝试安装 Mollie API,但我没有让 webhook 正常工作。我在 Ruby on Rails 4 中工作。它一直说 无法验证 CSRF 令牌真实性。我尝试了stackoverflow的几个答案,但它们不起作用。例如。

  • skip_before_filter :verify_authenticity_token
  • protect_from_forgery 除外:[:notify]
  • protect_from_forgery with: :null_session, if: -> {request.format.json?}

我的通知控制器看起来像:

class ReservationsController < ApplicationController
    before_action :authenticate_user!, except: [:notify]

    skip_before_filter :verify_authenticity_token

    def preload
        training = Training.find(params[:training_id])
        today = Date.today
        reservations = training.reservations.where("date >= ?", today)

        render json: reservations
    end

    def create



        @thrill = Thrill.find(params[:thrill_id])
        if @thrill.reservations.length < @thrill.training.tr_max_attendants
            @reservation = current_user.reservations.create(reservation_params)

            if @reservation

                require 'Mollie/API/Client'

                mollie = Mollie::API::Client.new('test_gUejkz43UkdeCauC22J6UNqqVRdpwW')

                payment = mollie.payments.create(
                    amount: 10.00,
                    description: 'My first API payment',
                    redirect_Url: 'http://d7459af1.ngrok.io/your_trips',
                    webhookUrl: 'http://d7459af1.ngrok.io/notify',
                    metadata: {
                        reservationid: @reservation.id
                    }
                )



                @reservation.update_attributes payid:payment.id

                redirect_to payment.payment_url


            else
                redirect_to @thrill.training, notice: "Helaas, de training is vol"
            end
        end
    end

    protect_from_forgery except: [:notify]
#   protect_from_forgery with: :null_session, if: -> {request.format.json?}

    def notify

        require 'Mollie/API/Client'

        mollie = Mollie::API::Client.new('test_gUejkz43UkdeCauC22J6UNqqVRdpwW')

        payment = mollie.payments.get(payment.id)

        params.permit!
        status = params[:payment_status]

        if payment.paid?

          reservation = Reservation.find(params[:payid])
          reservation.update_attributes status:true
        else
            reservation.destroy
        end

        render nothing: true

    end

    protect_from_forgery except: [:your_trips]
    def your_trips
        @reservations = current_user.reservations.joins(:thrill).order('thrills.thrilldate asc').where('? <= thrills.thrilldate', Date.today)
    end

    def your_reservations
        @trainings = current_user.trainings
    end

    private
        def reservation_params

            params.permit(:thrill_id, :user_id)
        end


    end

如果有人有提示或提示,将不胜感激! 谢谢!

【问题讨论】:

  • 嗨,克里斯。如果您是 Rails 新手:您在此处发布的代码看起来不像常规的 Rails 控制器。你能在你的通知控制器中发布所有代码吗?我希望它以class NotifyController &lt; ApplicationController 开头
  • 您好 Mauddev,感谢您的评论。我确实对此很陌生,我添加了完整的控制器。希望你能有所作为。

标签: ruby-on-rails ruby csrf mollie


【解决方案1】:

您需要在控制器的最顶部调用protect_from_forgery,或者您可以删除ApplicationController 中的protect_from_forgery 调用。

例子:

class ReservationsController < ApplicationController
    before_action :authenticate_user!, except: [:notify]

    skip_before_filter :verify_authenticity_token

    protect_from_forgery except: [:notify, :your_trips]

    # actions go below here

请注意,您可以将多个操作传递给:except 参数

旁注:如果您正在开发仅 JSON API 的应用程序,我建议您查看 Rails API: https://github.com/rails-api/rails-api

【讨论】:

    猜你喜欢
    • 2017-07-15
    • 2015-07-24
    • 2014-06-16
    • 2012-05-08
    • 2015-12-29
    • 2023-03-26
    • 2016-09-17
    • 2017-07-19
    • 2016-04-23
    相关资源
    最近更新 更多
    热门标签
    Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode