Project doesn't run in GitHub Codespaces

Hello, I’m just starting out with Rails. I’ve been using RubyMine and it’s been working well. I can run my server, connect to it, sign in, and upload photos. I’ve uploaded all the project files to GitHub. I tried running the project on GitHub Codespaces but I haven’t been successful. I can access the endpoint /users/sign_in alright, but when I try to sign in or sign up I get some errors on the terminal. I’m using Devise. These are some of the errors that are printed onto the server terminal:

    Started GET "/users/sign_up" for 10.240.2.146 at 2023-10-26 23:49:12 +0000
    Cannot render console from 10.240.2.146! Allowed networks: 10.240.0.10, 127.0.0.0/127.255.255.255, ::1

    HTTP Origin header (https://localhost:3000) didn't match request.base_url (https://cautious-space-acorn-x5jx45946ggfr6j-3000.app.github.dev)
    Completed 422 Unprocessable Entity in 1ms (ActiveRecord: 0.0ms | Allocations: 868)
    ActionController::InvalidAuthenticityToken (HTTP Origin header (https://localhost:3000) didn't match request.base_url (https://cautious-space-acorn-x5jx45946ggfr6j-3000.app.github.dev)):

I’ve been trying to fix it for a couple of days using Bing AI but didn’t get anywhere. I’ve added this code inside of /config/environments/development.rb:

    require "active_support/core_ext/integer/time"

    Rails.application.configure do
      config.hosts << "cautious-space-acorn-x5jx45946ggfr6j-3000.app.github.dev"
      config.web_console.whitelisted_ips = '10.240.0.10'
    end

This is my user model:

    class User < ApplicationRecord
      # Include default devise modules. Others available are:
      # :confirmable, :lockable, :timeoutable, :trackable and :omniauthable
      devise :database_authenticatable, :registerable,
             :recoverable, :rememberable, :validatable
      has_many :photos
      has_many :comments
    end

This is my GitHub repo if it is important: GitHub - patrickfeeney03/PhotoApp: Rails app that allows users to publish photos online.

I may be missing so much info from this, if I am please ask for it. I’m just starting out. Thanks in advance, Cheers, Patrick.

1 Like

Hi Patrick. I had the same issue in Codespaces. I made a little workaround.

In the controller, let’s say Post, at the beginning I put:

    if Rails.env.development?
      skip_before_action :verify_authenticity_token
    end

That skips the Token Authenticity in development but it doesn’t affect your app in production. Hope it helps you or another developer.

@antoniolulee skipping :verify_authenticity_token resolves the issue, but it is again a security issue, right? How can we verify the authenticity of a request in development mode?

I don’t think it is a security issue in a dev environment. But the solution is to make a proper config on Codespaces or the Rails app. What I suggested is a workaround; maybe in a few months we will see more info in the Codespaces documentation. If you want to solve it, you can run the app on your local computer and you will not have the Authentication Controller Token issue.

Thank you for your answer Antonio.

You can also put the code in application.controller.rb

    class ApplicationController < ActionController::Base
      if Rails.env.development?
        skip_before_action :verify_authenticity_token
      end
    end

to avoid using it in every controller you have.

I ran into the same problem. Fixed by using the “preview” URL instead. In your case, try adding “.preview” to the URL like so:

https://cautious-space-acorn-x5jx45946ggfr6j-3000.preview.app.github.dev

(instead of “https://cautious-space-acorn-x5jx45946ggfr6j-3000.app.github.dev”)

Hmm, thanks for that suggestion; it didn’t work for me. The .preview version of the URL tries to redirect me to a /signin?cid=asdfl;kjas;dflkjasdl;fkj version of the URL, and then gives me a “The page isn’t redirecting properly” error in the browser.

Has anyone made any headway on a solution to this issue? I’m still having this problem trying to get my Rails app running in my codespace.

The way they rewrite the Origin header is completely broken. I wrote GitHub support about it a year or so ago, and after much back and forth they basically let me know that their engineering team responded with “won’t fix”. I wish they would at least document the strange way they are corrupting their proxied headers. Because I spent days of debugging on it, and I’m sure I’m not the only one.

Inserting “preview” back into the URL used to (mostly) fix it for me, but I think they may have changed something with that config some time in the last few months and it didn’t work for me today (I haven’t worked with this app in several months, so I don’t know when it changed).

Anyway, assuming GitHub never fixes their Origin header proxying, and assuming you aren’t switching from CodeSpaces to a competitor that correctly implements standards-compliant HTTP forwarding, here are my top two workarounds:

  • If you can work with localhost:3000 instead, then you can port forward that via the CLI or VS Code. That works for most of what I do.
  • Disable the CSRF protection Origin header check when you’re in a codespace. This is the simplest approach, IMO. I’ve added something like the following to my development.rb:
    if ENV["GITHUB_CODESPACES_PORT_FORWARDING_DOMAIN"] == "app.github.dev"
      warn "WARNING: (development) Disabling CSRF protection Origin header check!"
      config.action_controller.forgery_protection_origin_check = false
    end
    
  • If certain features won’t work (or can’t be adequately tested) with localhost:3000, then you might consider adding development-mode workarounds so you can work on other parts of the app via localhost:3000, so you only need to deal with the hassle of their HTTP proxy when you are specifically working on the features that require a public hostname. For example, if your app has an OAuth2 integration that won’t allow you to register callbacks to localhost:3000, then make sure you have the ability to sign in and test other parts of the code without that OAuth2 integration.
  • Run your own HTTPS proxy and/or port forwarding to a different hostname, and bypass their proxy entirely. Something like ngrok should work.
1 Like
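A plain-Ruby model of the decision discussed in this thread, added here as an example (not Rails source and not code from any poster): it contrasts skipping `verify_authenticity_token` with turning off only `forgery_protection_origin_check`. The class and method names are hypothetical, the token is a constructed value, and the token comparison is simplified.

```ruby
# Simplified model of the CSRF decision for non-GET requests (not Rails source).
# Class, method and variable names here are hypothetical.
Request = Struct.new(:verb, :origin, :base_url, :token, keyword_init: true)

class CsrfModel
  def initialize(session_token:, origin_check: true, skip_verification: false)
    @session_token = session_token
    @origin_check = origin_check            # forgery_protection_origin_check
    @skip_verification = skip_verification  # skip_before_action :verify_authenticity_token
  end

  # A missing Origin header is tolerated; a present one must equal base_url.
  def origin_ok?(req)
    return true unless @origin_check
    req.origin.nil? || req.origin == req.base_url
  end

  # Rails compares masked tokens in constant time; == keeps the model short.
  def token_ok?(req)
    !req.token.nil? && req.token == @session_token
  end

  def accept?(req)
    return true if @skip_verification || %w[GET HEAD].include?(req.verb)
    origin_ok?(req) && token_ok?(req)
  end
end

# Constructed sample values; the two URLs are the ones in the error message above.
PUBLIC_URL = "https://cautious-space-acorn-x5jx45946ggfr6j-3000.app.github.dev"
TOKEN = "constructed-session-token"
# Real sign-in form sent through the Codespaces proxy: valid token, rewritten Origin.
SIGN_IN = Request.new(verb: "POST", origin: "https://localhost:3000",
                      base_url: PUBLIC_URL, token: TOKEN)
# Cross-site form post: Origin is another site and no session token is included.
FORGED = Request.new(verb: "POST", origin: "https://other-site.example",
                     base_url: PUBLIC_URL, token: nil)

def outcomes
  {
    default: CsrfModel.new(session_token: TOKEN),
    origin_check_off: CsrfModel.new(session_token: TOKEN, origin_check: false),
    verification_skipped: CsrfModel.new(session_token: TOKEN, skip_verification: true)
  }.transform_values { |m| { sign_in: m.accept?(SIGN_IN), forged: m.accept?(FORGED) } }
end

outcomes.each { |name, result| puts "#{name}: #{result}" }
```

With only the origin check off, the session token is still required, so the tokenless cross-site POST is still refused; with verification skipped, it is accepted.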