“ActionController::InvalidAuthenticityToken"使用 form_with 时出错 [英] "ActionController::InvalidAuthenticityToken" error when using form_with

问题描述

我有一个看起来像这样的表单:

I have a form that looks like this:

  <%= form_with(url: star.starname, method: :post, local: true) do |f| %> 
    <% star.availabilities.each do |avail| %> 

    <%= f.label avail.time_slot %> 
      <%= radio_button_tag(:time_slot, avail.time_slot) %> <br>
    <% end %> 

  <%= f.submit "Create" %>
  <% end %> 

表单提交后立即:

注意事项:

• 这发生在应用(而不是 API)中，因此会话很重要，因此必须保持 CSRF 保护.
• 问题出现在 chrome、incognito 和 safari 中.
• 我尝试使用不同的用户登录并清除 cookie(以防它是由过时的令牌引起的)

更多错误信息:

Started POST "/talljohn" for ::1 at 2020-09-16 10:06:21 +1000
Processing by StarsController#book as HTML
  Parameters: {"authenticity_token"=>"P++4a+giwUBqZgCLfMwqKpMu0EGitd8zTOi5RWsnxpKlNcjiuU6hd3ebbIC/IOxlL74RJIvrq+yDuA1ZtfcvFw==", "time_slot"=>"2020-09-16 01:00:00 UTC", "commit"=>"Create", "starname"=>"talljohn"}
Can't verify CSRF token authenticity.
Completed 422 Unprocessable Entity in 1ms (ActiveRecord: 0.0ms | Allocations: 655)


  
ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken):
  
actionpack (6.0.3.2) lib/action_controller/metal/request_forgery_protection.rb:215:in `handle_unverified_request'
actionpack (6.0.3.2) lib/action_controller/metal/request_forgery_protection.rb:247:in `handle_unverified_request'
devise (4.7.2) lib/devise/controllers/helpers.rb:255:in `handle_unverified_request'
actionpack (6.0.3.2) lib/action_controller/metal/request_forgery_protection.rb:242:in `verify_authenticity_token'
activesupport (6.0.3.2) lib/active_support/callbacks.rb:428:in `block in make_lambda'
activesupport (6.0.3.2) lib/active_support/callbacks.rb:200:in `block (2 levels) in halting'
actionpack (6.0.3.2) lib/abstract_controller/callbacks.rb:34:in `block (2 levels) in <module:Callbacks>'
activesupport (6.0.3.2) lib/active_support/callbacks.rb:201:in `block in halting'

更新

我恢复到表单的最后一个工作版本，它与上面的完全相同，但没有 , local: true.然后它突然起作用了！(没有错误).

Update

I reverted back to the last working version of the form, which was exactly the same as above but without , local: true. Then it suddenly works! (no errors).

我认为 local: true(或 remote: false)只是关闭 ajax 表单提交.所以我不明白为什么这会产生任何差异(或与CSRF有任何关系)，这两个方面似乎无关，并且不清楚为什么这两个概念会相互影响

I thought local: true (or remote: false) simply turns off ajax form submission. So I don't understand why that would make any difference (or have anything to do with CSRF), it seems that those two aspects are unrelated and it isn't clear why these two concepts would have any affect on eachother

我后来意识到另一个未触及的以前工作的表单也产生了这个错误.它没有以任何方式改变.我在 chrome incognito 中尝试过，它产生了错误.半小时后(没有更改任何代码)，我在同一个浏览器中再次尝试并成功.这种(非常)奇怪的行为让我认为这与会话、cookie 或缓存有关.如果我有进一步的了解，我会回来报告

I later realised that another untouched previously working form also produced this error. It had not been changed in any way. I tried it in chrome incognito, and it produced the error. Half an hour later (without changing any code) I tried it again in the same browser and it worked. This (very) strange behaviour makes me think it's something to do with sessions, cookies or caching. I will report back if I learn anything further

阅读莎拉的解决方案后，将 protect_from_forgery prepend: true 添加到应用程序控制器(我试过在 before_action :authenticate_user! 之前和之后，日志中都会出现相同的错误消息，POST 请求未执行，但应用程序重定向到主页.IE.在 POST 我看到:

After reading Sarah's solution adding protect_from_forgery prepend: true to the application controller (I tried both before and after before_action :authenticate_user!), the same error message appears in the logs, the POST request isn't actioned, but the app redirects to the home page. I.e. upon POST I see:

Can't verify CSRF token authenticity.
Completed 401 Unauthorized in 1ms (ActiveRecord: 0.0ms | Allocations: 444)


Started GET "/users/sign_in" for ::1 at 2020-09-17 21:08:42 +1000
Processing by Devise::SessionsController#new as HTML
  User Load (0.5ms)  SELECT "users".* FROM "users" WHERE "users"."id" = $1 ORDER BY "users"."id" ASC LIMIT $2  [["id", 1], ["LIMIT", 1]]
Redirected to http://localhost:3000/
Filter chain halted as :require_no_authentication rendered or redirected
Completed 302 Found in 3ms (ActiveRecord: 0.5ms | Allocations: 1900)

更新 4

我尝试手动清除 rails 片段缓存(使用 Rails.cache.clear ).但是在清除片段缓存之前/之后的结果是完全一样的.

Update 4

I attempted to manually clear the rails fragment cache (with Rails.cache.clear ). But the result is exactly the same before/after clearing the fragment cache.

推荐答案

我记得遇到过这样的事情，并在对 ApplicationControllerprotect_from_forgery prepend: true> 解决了.

I remember running into something like this and adding protect_from_forgery prepend: true before any user authentication to the ApplicationController solved it.

这篇关于“ActionController::InvalidAuthenticityToken"使用 form_with 时出错的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！