Eric Larson
2008-Feb-01 17:55 UTC
Turning off InvalidAuthenticityToken for a RESTful Service
Hi,

I was trying to write a RESTful service and was planning on testing
via tools such as cURL and the basic http libs. With the
InvalidAuthenticityToken piece that is turned by default in Rails
2.0.2, I have to provide the token with each request. This is
something of a pain for a programmable client that may not make a GET
request before performing other actions, specifically POST, PUT and
DELETE.

Is there a way to turn it off and/or program a client utilizing the
cookie without making a GET request first?

Thanks!

------
Eric Larson
http://ionrock.org/blog/

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---
Eric Larson
2008-Feb-01 18:08 UTC
Re: Turning off InvalidAuthenticityToken for a RESTful Service
Hi All,

On Feb 1, 11:55 am, Eric Larson <ionr...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> Hi,
>
> I was trying to write a RESTful service and was planning on testing
> via tools such as cURL and the basic http libs. With the
> InvalidAuthenticityToken piece that is turned by default in Rails
> 2.0.2, I have to provide the token with each request. This is
> something of a pain for a programmable client that may not make a GET
> request before performing other actions, specifically POST, PUT and
> DELETE.
>
> Is there a way to turn it off and/or program a client utilizing the
> cookie without making a GET request first?
>
> Thanks!
>
> ------
>
> Eric Larson
> http://ionrock.org/blog/

Just answering my own post:

From http://ryandaigle.com/articles/2007/9/24/what-s-new-in-edge-rails-better-cross-site-request-forging-prevention

Add this to controllers to override the default secure cookie check:

    skip_before_filter :verify_authenticity_token

And to disable things completely, add this to application.rb:

    self.allow_forgery_protection = false

Hope it helps someone else!

----
Eric Larson
http://ionrock.org/blog/
Rick Olson
2008-Feb-01 19:25 UTC
Re: Turning off InvalidAuthenticityToken for a RESTful Service
On Feb 1, 2008 9:55 AM, Eric Larson <ionrock-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>
> Hi,
>
> I was trying to write a RESTful service and was planning on testing
> via tools such as cURL and the basic http libs. With the
> InvalidAuthenticityToken piece that is turned by default in Rails
> 2.0.2, I have to provide the token with each request. This is
> something of a pain for a programmable client that may not make a GET
> request before performing other actions, specifically POST, PUT and
> DELETE.
>
> Is there a way to turn it off and/or program a client utilizing the
> cookie without making a GET request first?

It shouldn't be verifying requests unless they're using the html or js
(ajax) formats. XML or JSON should be fine:

http://dev.rubyonrails.org/browser/tags/rel_2-0-2/actionpack/lib/action_controller/request_forgery_protection.rb#L82

--
Rick Olson
http://lighthouseapp.com
http://weblog.techno-weenie.net
http://mephistoblog.com
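
An added example, not part of the thread and not Rails source: a simplified Ruby model of the checks described in the replies above, comparing the default behaviour, a per-controller skip, and the app-wide switch on constructed requests. The controller names (`api`, `accounts`), the token value and the constant-time comparison are assumptions of the example.

```ruby
# Simplified model of the checks discussed in this thread (not Rails source).
# Controller names and the token value are constructed for illustration.
Request = Struct.new(:controller, :http_method, :format, :param_token, :session_token)

class ForgeryCheckModel
  VERIFIED_FORMATS = [:html, :js].freeze # formats the last reply says are verified

  # allow_forgery_protection: the app-wide switch set in application.rb
  # skip_for: controllers declaring skip_before_filter :verify_authenticity_token
  def initialize(allow_forgery_protection: true, skip_for: [])
    @enabled = allow_forgery_protection
    @skip_for = skip_for
  end

  # :ok when the request proceeds, :invalid_token when it would be rejected.
  def check(req)
    return :ok unless @enabled                              # off for the whole app
    return :ok if @skip_for.include?(req.controller)        # off for one controller
    return :ok if req.http_method == :get                   # GET is not verified
    return :ok unless VERIFIED_FORMATS.include?(req.format) # xml/json pass through
    return :invalid_token if req.param_token.nil? || req.session_token.nil?
    tokens_match?(req.param_token, req.session_token) ? :ok : :invalid_token
  end

  private
  # Constant-time comparison (a choice of this example, not taken from the thread).
  def tokens_match?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

TOKEN = "constructed-session-token"
SAMPLES = [
  Request.new(:api,      :post, :xml,  nil,   TOKEN), # scripted XML client
  Request.new(:api,      :post, :html, nil,   TOKEN), # form-encoded POST, no token
  Request.new(:accounts, :post, :html, nil,   TOKEN), # browser form POST, no token
  Request.new(:accounts, :post, :html, TOKEN, TOKEN)  # browser form POST with token
].freeze

def outcomes(model)
  SAMPLES.map { |req| model.check(req) }
end

if __FILE__ == $PROGRAM_NAME
  puts "default: #{outcomes(ForgeryCheckModel.new).inspect}"
  puts "scoped:  #{outcomes(ForgeryCheckModel.new(skip_for: [:api])).inspect}"
  puts "global:  #{outcomes(ForgeryCheckModel.new(allow_forgery_protection: false)).inspect}"
end
```

In this model the scoped skip still rejects the token-less browser form POST to `accounts`, while the app-wide switch lets it through.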