ruby-on-rails - Another ActionController::InvalidAuthenticityToken in Rails 6

Tags: ruby-on-rails devise csrf

I'm running a Rails app in production. It is still a proof of concept, but I'm getting ActionController::InvalidAuthenticityToken exceptions on form submissions. My understanding is that in Rails 6 (or maybe earlier?) the protect_from_forgery callback is now invoked by default. To get things working, I added the config option config.action_controller.allow_forgery_protection = false to my config/environments/production.rb file, and now I'm working on re-enabling forgery protection, so I removed the override and tried submitting some forms (or logging out, basically any form that uses the POST/PUT/PATCH/DELETE methods).

My ApplicationController does not call protect_from_forgery manually, and all GET requests seem to work fine. My application.html.haml contains the following in %head:

    = csrf_meta_tags
    = csp_meta_tag

My forms are using bootstrap_form_with, and the form is submitting an authenticity_token form parameter that matches what is in %head (verified via Chrome dev tools and the logs). When I submit, I see the response is a 422 error, with the exception in the log:

[3d603471-3240-4401-a3a2-e9ba3c6ac358] ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken):
[3d603471-3240-4401-a3a2-e9ba3c6ac358]   
[3d603471-3240-4401-a3a2-e9ba3c6ac358] actionpack (6.0.2.1) lib/action_controller/metal/request_forgery_protection.rb:217:in `handle_unverified_request'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] actionpack (6.0.2.1) lib/action_controller/metal/request_forgery_protection.rb:249:in `handle_unverified_request'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] devise (4.7.1) lib/devise/controllers/helpers.rb:255:in `handle_unverified_request'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] actionpack (6.0.2.1) lib/action_controller/metal/request_forgery_protection.rb:244:in `verify_authenticity_token'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] activesupport (6.0.2.1) lib/active_support/callbacks.rb:429:in `block in make_lambda'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] activesupport (6.0.2.1) lib/active_support/callbacks.rb:201:in `block (2 levels) in halting'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] actionpack (6.0.2.1) lib/abstract_controller/callbacks.rb:34:in `block (2 levels) in <module:Callbacks>'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] activesupport (6.0.2.1) lib/active_support/callbacks.rb:202:in `block in halting'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] activesupport (6.0.2.1) lib/active_support/callbacks.rb:514:in `block in invoke_before'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] activesupport (6.0.2.1) lib/active_support/callbacks.rb:514:in `each'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] activesupport (6.0.2.1) lib/active_support/callbacks.rb:514:in `invoke_before'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] activesupport (6.0.2.1) lib/active_support/callbacks.rb:110:in `block in run_callbacks'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] ahoy_matey (3.0.1) lib/ahoy/controller.rb:45:in `set_ahoy_request_store'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] activesupport (6.0.2.1) lib/active_support/callbacks.rb:121:in `block in run_callbacks'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] activesupport (6.0.2.1) lib/active_support/callbacks.rb:139:in `run_callbacks'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] actionpack (6.0.2.1) lib/abstract_controller/callbacks.rb:41:in `process_action'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] actionpack (6.0.2.1) lib/action_controller/metal/rescue.rb:22:in `process_action'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] actionpack (6.0.2.1) lib/action_controller/metal/instrumentation.rb:33:in `block in process_action'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] activesupport (6.0.2.1) lib/active_support/notifications.rb:180:in `block in instrument'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] activesupport (6.0.2.1) lib/active_support/notifications/instrumenter.rb:24:in `instrument'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] activesupport (6.0.2.1) lib/active_support/notifications.rb:180:in `instrument'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] actionpack (6.0.2.1) lib/action_controller/metal/instrumentation.rb:32:in `process_action'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] actionpack (6.0.2.1) lib/action_controller/metal/params_wrapper.rb:245:in `process_action'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] activerecord (6.0.2.1) lib/active_record/railties/controller_runtime.rb:27:in `process_action'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] actionpack (6.0.2.1) lib/abstract_controller/base.rb:136:in `process'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] actionview (6.0.2.1) lib/action_view/rendering.rb:39:in `process'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] actionpack (6.0.2.1) lib/action_controller/metal.rb:191:in `dispatch'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] actionpack (6.0.2.1) lib/action_controller/metal.rb:252:in `dispatch'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] actionpack (6.0.2.1) lib/action_dispatch/routing/route_set.rb:51:in `dispatch'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] actionpack (6.0.2.1) lib/action_dispatch/routing/route_set.rb:33:in `serve'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] actionpack (6.0.2.1) lib/action_dispatch/routing/mapper.rb:18:in `block in <class:Constraints>'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] actionpack (6.0.2.1) lib/action_dispatch/routing/mapper.rb:48:in `serve'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] actionpack (6.0.2.1) lib/action_dispatch/journey/router.rb:49:in `block in serve'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] actionpack (6.0.2.1) lib/action_dispatch/journey/router.rb:32:in `each'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] actionpack (6.0.2.1) lib/action_dispatch/journey/router.rb:32:in `serve'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] actionpack (6.0.2.1) lib/action_dispatch/routing/route_set.rb:837:in `call'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] warden (1.2.8) lib/warden/manager.rb:36:in `block in call'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] warden (1.2.8) lib/warden/manager.rb:34:in `catch'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] warden (1.2.8) lib/warden/manager.rb:34:in `call'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] rack (2.0.8) lib/rack/tempfile_reaper.rb:15:in `call'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] rack (2.0.8) lib/rack/etag.rb:25:in `call'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] rack (2.0.8) lib/rack/conditional_get.rb:38:in `call'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] rack (2.0.8) lib/rack/head.rb:12:in `call'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] actionpack (6.0.2.1) lib/action_dispatch/http/content_security_policy.rb:18:in `call'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] rack (2.0.8) lib/rack/session/abstract/id.rb:259:in `context'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] rack (2.0.8) lib/rack/session/abstract/id.rb:253:in `call'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] actionpack (6.0.2.1) lib/action_dispatch/middleware/cookies.rb:648:in `call'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] actionpack (6.0.2.1) lib/action_dispatch/middleware/callbacks.rb:27:in `block in call'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] activesupport (6.0.2.1) lib/active_support/callbacks.rb:101:in `run_callbacks'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] actionpack (6.0.2.1) lib/action_dispatch/middleware/callbacks.rb:26:in `call'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] actionpack (6.0.2.1) lib/action_dispatch/middleware/actionable_exceptions.rb:17:in `call'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] actionpack (6.0.2.1) lib/action_dispatch/middleware/debug_exceptions.rb:32:in `call'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] actionpack (6.0.2.1) lib/action_dispatch/middleware/show_exceptions.rb:33:in `call'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] turbolinks_render (0.9.17) lib/turbolinks_render/middleware.rb:77:in `call'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] railties (6.0.2.1) lib/rails/rack/logger.rb:38:in `call_app'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] railties (6.0.2.1) lib/rails/rack/logger.rb:26:in `block in call'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] activesupport (6.0.2.1) lib/active_support/tagged_logging.rb:80:in `block in tagged'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] activesupport (6.0.2.1) lib/active_support/tagged_logging.rb:28:in `tagged'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] activesupport (6.0.2.1) lib/active_support/tagged_logging.rb:80:in `tagged'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] railties (6.0.2.1) lib/rails/rack/logger.rb:26:in `call'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] ahoy_matey (3.0.1) lib/ahoy/engine.rb:22:in `call_with_quiet_ahoy'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] actionpack (6.0.2.1) lib/action_dispatch/middleware/remote_ip.rb:81:in `call'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] request_store (1.5.0) lib/request_store/middleware.rb:19:in `call'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] actionpack (6.0.2.1) lib/action_dispatch/middleware/request_id.rb:27:in `call'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] rack (2.0.8) lib/rack/method_override.rb:22:in `call'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] rack (2.0.8) lib/rack/runtime.rb:22:in `call'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] activesupport (6.0.2.1) lib/active_support/cache/strategy/local_cache_middleware.rb:29:in `call'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] actionpack (6.0.2.1) lib/action_dispatch/middleware/executor.rb:14:in `call'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] rack (2.0.8) lib/rack/sendfile.rb:111:in `call'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] actionpack (6.0.2.1) lib/action_dispatch/middleware/host_authorization.rb:77:in `call'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] railties (6.0.2.1) lib/rails/engine.rb:526:in `call'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] puma (4.3.1) lib/puma/configuration.rb:228:in `call'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] puma (4.3.1) lib/puma/server.rb:681:in `handle_request'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] puma (4.3.1) lib/puma/server.rb:472:in `process_client'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] puma (4.3.1) lib/puma/server.rb:328:in `block in run'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] puma (4.3.1) lib/puma/thread_pool.rb:134:in `block in spawn_thread'

I saw that devise recommends using prepend on the forgery protection, so I added the following to ApplicationController:

  protect_from_forgery with: :exception, prepend: true

I'm a bit confused why this is happening, and can certainly provide more code samples, but I'm not entirely sure what is needed.

Many thanks
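The question above notes that the authenticity_token in the form matches the one in %head, yet verification still fails. The check does not compare those two values; it unmasks the submitted token and compares it against the secret stored in the session. The following is an added, simplified model of that Rails 6 scheme (it is not Rails' own code; the session is modelled as a plain Hash standing in for the cookie-backed session store) and shows that a token from a request whose session cookie did not arrive is rejected even though the token itself is well-formed.

```ruby
require "securerandom"
require "base64"

# Simplified model of Rails 6 masked authenticity tokens (added example, not Rails' code).
# The session Hash stands in for the cookie-backed session store.
TOKEN_LENGTH = 32

def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack("C*")
end

# The real per-session secret; created lazily and kept in the session (i.e. the cookie).
def real_csrf_token(session)
  session[:_csrf_token] ||= SecureRandom.base64(TOKEN_LENGTH)
  Base64.strict_decode64(session[:_csrf_token])
end

# What csrf_meta_tags and the form helpers emit: the real token XOR'd with a fresh
# one-time pad, pad prepended, base64 encoded. Masking makes every rendered token differ.
def masked_authenticity_token(session)
  pad = SecureRandom.random_bytes(TOKEN_LENGTH)
  Base64.strict_encode64(pad + xor_bytes(pad, real_csrf_token(session)))
end

# Constant-time comparison so a mismatch does not leak where the bytes diverge.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# What the verification step does with the authenticity_token param: decode, unmask,
# and compare with the session's real token. With an empty (new) session the session
# secret is freshly generated, so any previously issued token is rejected.
def valid_authenticity_token?(session, encoded)
  masked = Base64.strict_decode64(encoded.to_s)
rescue ArgumentError
  false # not valid base64
else
  return false unless masked.bytesize == TOKEN_LENGTH * 2
  pad = masked[0, TOKEN_LENGTH]
  encrypted = masked[TOKEN_LENGTH, TOKEN_LENGTH]
  constant_time_equal?(xor_bytes(pad, encrypted), real_csrf_token(session))
end

if $PROGRAM_NAME == __FILE__
  session = {}
  token = masked_authenticity_token(session)
  puts "same session:  #{valid_authenticity_token?(session, token)}"  # true
  puts "empty session: #{valid_authenticity_token?({}, token)}"       # false
end
```

When debugging this class of 422, the useful check is therefore whether the session cookie is being sent back on the POST, not whether the form token matches the meta tag.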

Best answer

In my case, fixing this required enabling the following option in config/environments/production.rb:

config.force_ssl = true

Unfortunately, I'm not sure whether that was the only thing, since it has been a while since I asked the question, but after I enabled it, request forgery protection started working.

For ruby-on-rails - Another ActionController::InvalidAuthenticityToken in Rails 6, a similar question was found on Stack Overflow: https://stackoverflow.com/questions/59973854/
