Rails - Feb 2008 - Turning off InvalidAuthenticityToken for a RESTful Service

Hi,

I was trying to write a RESTful service and was planning on testing
via tools such as cURL and the basic http libs. With the
InvalidAuthenticityToken piece that is turned by default in Rails
2.0.2, I have to provide the token with each request. This is
something of a pain for a programmable client that may not make a GET
request before performing other actions, specifically POST, PUT and
DELETE.

Is there a way to turn it off and/or program a client utilizing the
cookie without making a GET request first?

Thanks!

------

Eric Larson
http://ionrock.org/blog/
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---

Hi All,

On Feb 1, 11:55 am, Eric Larson
<ionr...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
wrote:
> Hi,
>
> I was trying to write a RESTful service and was planning on testing
> via tools such as cURL and the basic http libs. With the
> InvalidAuthenticityToken piece that is turned by default in Rails
> 2.0.2, I have to provide the token with each request. This is
> something of a pain for a programmable client that may not make a GET
> request before performing other actions, specifically POST, PUT and
> DELETE.
>
> Is there a way to turn it off and/or program a client utilizing the
> cookie without making a GET request first?
>
> Thanks!
>
> ------
>
> Eric Larsonhttp://ionrock.org/blog/
Just answering my own post:


From
http://ryandaigle.com/articles/2007/9/24/what-s-new-in-edge-rails-better-cross-site-request-forging-prevention

Add this to controllers to override the default secure cookie check:

skip_before_filter :verify_authenticity_token

And to disable things completely, add this to application.rb:

self.allow_forgery_protection = false

Hope it helps someone else!

----
Eric Larson
http://ionrock.org/blog/
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---

On Feb 1, 2008 9:55 AM, Eric Larson
<ionrock-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
wrote:
>
> Hi,
>
> I was trying to write a RESTful service and was planning on testing
> via tools such as cURL and the basic http libs. With the
> InvalidAuthenticityToken piece that is turned by default in Rails
> 2.0.2, I have to provide the token with each request. This is
> something of a pain for a programmable client that may not make a GET
> request before performing other actions, specifically POST, PUT and
> DELETE.
>
> Is there a way to turn it off and/or program a client utilizing the
> cookie without making a GET request first?
It shouldn''t be verifying requests unless they''re using the
html or js
(ajax) formats.  XML or JSON should be fine:

http://dev.rubyonrails.org/browser/tags/rel_2-0-2/actionpack/lib/action_controller/request_forgery_protection.rb#L82


-- 
Rick Olson
http://lighthouseapp.com
http://weblog.techno-weenie.net
http://mephistoblog.com

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---