ActiveResource and InvalidAuthenticityToken exception

Hi,

I have a Rails 2.1.1 web app, and a Rails 2.1.1 app acting as a client by using ActiveResource.

From the client, I can find, create, and update resources owned by the web app.

However, I can not delete any. Calling the .destroy method in ActiveResource generates a 422 from the web app.

Not sure why this would be the case, since I thought protect_from_forgery only protects HTML and JS requests.

Any idea if this is a bug in ActiveResource that I should dig into, or is this actually by design and I'm not understanding something about how to achieve deletes via ActiveResource?

Thanks! Jeff

Jeff Cohen wrote:

Hi,

I have a Rails 2.1.1 web app, and a Rails 2.1.1 app acting as a client by using ActiveResource.

From the client, I can find, create, and update resources owned by the web app.

However, I can not delete any. Calling the .destroy method in ActiveResource generates a 422 from the web app.

Not sure why this would be the case, since I thought protect_from_forgery only protects HTML and JS requests.

Any idea if this is a bug in ActiveResource that I should dig into, or is this actually by design and I'm not understanding something about how to achieve deletes via ActiveResource?

Thanks! Jeff

Seeing the same thing, using edge on the client and an older snapshot of edge on the server. Going to see if updating the server resolves the issue tonight.

Check my answer on Stack Overflow (ruby on rails): "How Do I Authenticate to ActiveResource to Avoid the InvalidAuthenticityToken Response?" It is not a perfect solution but does provide a workaround.

Glad to know it's not just me. I suspect this is a bug somewhere.

Jeff

Mike Vincent wrote:

Seeing the same thing, using edge on the client and an older snapshot of edge on the server. Going to see if updating the server resolves the issue tonight.

Issue persists with latest edge on client/server. :(

I see there's a ticket now, too.

http://rails.lighthouseapp.com/projects/8994/tickets/1145-bug-invalidauthenticitytoken-incorrectly-raised-for-xml-controllerdestroy-request