ActiveResource and InvalidAuthenticityToken exception

Hi,

I have a Rails 2.1.1 web app, and a Rails 2.1.1 app acting as a client
by using ActiveResource.

From the client, I can find, create, and update resources owned by the
web app.

However, I can not delete any. Calling the .destroy method in
ActiveResource generates a 422 from the web app.

Not sure why this would be the case, since I thought
protect_from_forgery only protects HTML and JS requests.

Any idea if this is a bug in ActiveResource that I should dig into, or
is this actually by design and I'm not understanding something about
how to achieve deletes via ActiveResource?

Thanks!
Jeff

Jeff Cohen wrote:

> Hi,
>
> I have a Rails 2.1.1 web app, and a Rails 2.1.1 app acting as a client
> by using ActiveResource.
>
> From the client, I can find, create, and update resources owned by the
> web app.
>
> However, I can not delete any. Calling the .destroy method in
> ActiveResource generates a 422 from the web app.
>
> Not sure why this would be the case, since I thought
> protect_from_forgery only protects HTML and JS requests.
>
> Any idea if this is a bug in ActiveResource that I should dig into, or
> is this actually by design and I'm not understanding something about
> how to achieve deletes via ActiveResource?
>
> Thanks!
> Jeff

Seeing the same thing, using edge on the client and an older snapshot of
edge on the server. Going to see if updating the server resolves the
issue tonight.

Check my answer on
http://stackoverflow.com/questions/150076/how-do-i-authenticate-to-activeresource-to-avoid-the-invalidauthenticitytoken-r#150194.
It is not a perfect solution but does provide a workaround.

Glad to know it's not just me. I suspect this is a bug somewhere.

Jeff

Mike Vincent wrote:

> Jeff Cohen wrote:
>
> > Hi,
> >
> > I have a Rails 2.1.1 web app, and a Rails 2.1.1 app acting as a client
> > by using ActiveResource.
> >
> > From the client, I can find, create, and update resources owned by the
> > web app.
> >
> > However, I can not delete any. Calling the .destroy method in
> > ActiveResource generates a 422 from the web app.
> >
> > Not sure why this would be the case, since I thought
> > protect_from_forgery only protects HTML and JS requests.
> >
> > Any idea if this is a bug in ActiveResource that I should dig into, or
> > is this actually by design and I'm not understanding something about
> > how to achieve deletes via ActiveResource?
> >
> > Thanks!
> > Jeff
>
> Seeing the same thing, using edge on the client and an older snapshot of
> edge on the server. Going to see if updating the server resolves the
> issue tonight.

Issue persists with latest edge on client/server. :(

I see there's a ticket now, too.

http://rails.lighthouseapp.com/projects/8994/tickets/1145-bug-invalidauthenticitytoken-incorrectly-raised-for-xml-controllerdestroy-request