CSRF Rails Issue

Hi folks, I’ve tried to start a Rails application from scratch and add in the elements from the Rails quickstart guide, but it’s failing. I’m not sure what’s wrong. I’ve tried multiple approaches and none seem to work - I currently get a 422 error every time I attempt to log in via OmniAuth.

I’ve a copy of the project @ https://github.com/dan-mcm/ultima-api for reference. I don’t understand what’s wrong.

The stack trace looks like the following, seemingly suggesting some CSRF issue, but this makes no sense as the default Ruby quickstart app works fine.

Started POST "/auth/auth0" for 172.29.0.1 at 2024-05-27 20:46:01 +0000
D, [2024-05-27T20:46:01.594757 #1] DEBUG -- omniauth: (auth0) Request phase initiated.
E, [2024-05-27T20:46:01.595241 #1] ERROR -- omniauth: (auth0) Authentication failure! ActionController::InvalidAuthenticityToken: ActionController::InvalidAuthenticityToken, ActionController::InvalidAuthenticityToken

ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken):

omniauth-rails_csrf_protection (1.0.2) lib/omniauth/rails_csrf_protection/token_verifier.rb:38:in `_call'
omniauth-rails_csrf_protection (1.0.2) lib/omniauth/rails_csrf_protection/token_verifier.rb:31:in `call'
omniauth (2.1.2) lib/omniauth/strategy.rb:240:in `request_call'
omniauth (2.1.2) lib/omniauth/strategy.rb:193:in `call!'
omniauth (2.1.2) lib/omniauth/strategy.rb:169:in `call'
omniauth (2.1.2) lib/omniauth/builder.rb:44:in `call'
rack (3.0.11) lib/rack/tempfile_reaper.rb:20:in `call'
rack (3.0.11) lib/rack/etag.rb:29:in `call'
rack (3.0.11) lib/rack/conditional_get.rb:43:in `call'
rack (3.0.11) lib/rack/head.rb:15:in `call'
actionpack (7.1.3.2) lib/action_dispatch/http/permissions_policy.rb:36:in `call'
actionpack (7.1.3.2) lib/action_dispatch/http/content_security_policy.rb:33:in `call'
rack-session (2.0.0) lib/rack/session/abstract/id.rb:272:in `context'
rack-session (2.0.0) lib/rack/session/abstract/id.rb:266:in `call'
actionpack (7.1.3.2) lib/action_dispatch/middleware/cookies.rb:689:in `call'
activerecord (7.1.3.2) lib/active_record/migration.rb:655:in `call'
actionpack (7.1.3.2) lib/action_dispatch/middleware/callbacks.rb:29:in `block in call'
activesupport (7.1.3.2) lib/active_support/callbacks.rb:101:in `run_callbacks'
actionpack (7.1.3.2) lib/action_dispatch/middleware/callbacks.rb:28:in `call'
actionpack (7.1.3.2) lib/action_dispatch/middleware/executor.rb:14:in `call'
actionpack (7.1.3.2) lib/action_dispatch/middleware/actionable_exceptions.rb:16:in `call'
actionpack (7.1.3.2) lib/action_dispatch/middleware/debug_exceptions.rb:29:in `call'
actionpack (7.1.3.2) lib/action_dispatch/middleware/show_exceptions.rb:31:in `call'
railties (7.1.3.2) lib/rails/rack/logger.rb:37:in `call_app'
railties (7.1.3.2) lib/rails/rack/logger.rb:24:in `block in call'
activesupport (7.1.3.2) lib/active_support/tagged_logging.rb:135:in `block in tagged'
activesupport (7.1.3.2) lib/active_support/tagged_logging.rb:39:in `tagged'
activesupport (7.1.3.2) lib/active_support/tagged_logging.rb:135:in `tagged'
activesupport (7.1.3.2) lib/active_support/broadcast_logger.rb:240:in `method_missing'
railties (7.1.3.2) lib/rails/rack/logger.rb:24:in `call'
sprockets-rails (3.4.2) lib/sprockets/rails/quiet_assets.rb:13:in `call'
actionpack (7.1.3.2) lib/action_dispatch/middleware/remote_ip.rb:92:in `call'
actionpack (7.1.3.2) lib/action_dispatch/middleware/request_id.rb:28:in `call'
rack (3.0.11) lib/rack/method_override.rb:28:in `call'
rack (3.0.11) lib/rack/runtime.rb:24:in `call'
activesupport (7.1.3.2) lib/active_support/cache/strategy/local_cache_middleware.rb:29:in `call'
actionpack (7.1.3.2) lib/action_dispatch/middleware/server_timing.rb:59:in `block in call'
actionpack (7.1.3.2) lib/action_dispatch/middleware/server_timing.rb:24:in `collect_events'
actionpack (7.1.3.2) lib/action_dispatch/middleware/server_timing.rb:58:in `call'
actionpack (7.1.3.2) lib/action_dispatch/middleware/executor.rb:14:in `call'
actionpack (7.1.3.2) lib/action_dispatch/middleware/static.rb:25:in `call'
rack (3.0.11) lib/rack/sendfile.rb:114:in `call'
actionpack (7.1.3.2) lib/action_dispatch/middleware/host_authorization.rb:141:in `call'
railties (7.1.3.2) lib/rails/engine.rb:536:in `call'
puma (6.4.2) lib/puma/configuration.rb:272:in `call'
puma (6.4.2) lib/puma/request.rb:100:in `block in handle_request'
puma (6.4.2) lib/puma/thread_pool.rb:378:in `with_force_shutdown'
puma (6.4.2) lib/puma/request.rb:99:in `handle_request'
puma (6.4.2) lib/puma/server.rb:464:in `process_client'
puma (6.4.2) lib/puma/server.rb:245:in `block in run'
puma (6.4.2) lib/puma/thread_pool.rb:155:in `block in spawn_thread'
^C%

Any help appreciated. Getting really frustrated trying to work with Auth0’s omniauth.

Hey @daniel40392

I don’t have access to your repo, seems it’s private. Can you share how you’re making the post request from your Rails app?

You should make sure to use either link_to or button_to in your view together with the :post param like so:

<%= button_to 'Login', '/auth/auth0', method: :post, data: { turbo: false } %>

Also make sure to disable Turbo on this particular request with data: { turbo: false }, because one of the features of Turbo consists of converting links and form submissions into AJAX requests, which is supposed to speed up your applications thanks to Turbo Drive. In this case you’ll want to disable Turbo for the button’s form, so it’s not an AJAX request. I’ve written more on this in this guide.

Let me know if any of this helps, or if you can share some of your code that’d be helpful too!
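To make concrete why a POST to /auth/auth0 without a matching token ends in a 422, and what the hidden field emitted by button_to supplies, here is an added, self-contained Ruby model. It is not code from the project, from Rails or from omniauth-rails_csrf_protection: the session hash, the unmasked token, and the verify_auth_request / login_button_html helpers are simplifications invented for illustration.

```ruby
require "securerandom"

# Constant-time comparison so token checking does not leak timing information
# (Rails uses an equivalent secure compare; this is a stand-in to avoid a dependency).
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Mint a per-session CSRF token, modelling what Rails keeps in session[:_csrf_token].
# Simplification: Rails masks the token per form; here the raw value is compared directly.
def new_session
  { _csrf_token: SecureRandom.base64(32) }
end

# Approximate HTML of: button_to 'Login', '/auth/auth0', method: :post, data: { turbo: false }
# The form carries the session token in a hidden field; the data: option lands on the button,
# which keeps Turbo from turning this submission into a fetch request.
def login_button_html(session)
  <<~HTML
    <form method="post" action="/auth/auth0">
      <input type="hidden" name="authenticity_token" value="#{session[:_csrf_token]}">
      <button type="submit" data-turbo="false">Login</button>
    </form>
  HTML
end

# Model of a token verifier sitting in front of the OmniAuth request phase (hypothetical helper).
#   :not_handled               - not a POST, so OmniAuth 2 does not start the request phase at all
#   :invalid_authenticity_token - POST without a valid token -> InvalidAuthenticityToken (HTTP 422)
#   :redirect_to_provider      - token matches the session, the provider redirect can proceed
def verify_auth_request(session, method:, params:)
  return :not_handled unless method == "POST"
  token = params["authenticity_token"].to_s
  return :invalid_authenticity_token if token.empty?
  return :invalid_authenticity_token unless secure_compare(token, session[:_csrf_token])
  :redirect_to_provider
end
```

A plain link_to without method: :post produces a GET, which never reaches the verifier, while a Turbo-driven fetch or a hand-written form that omits the hidden field lands in the 422 branch.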