
fallback: :none option allows non-authenticated users to interact with controller #252

Closed
aligit opened this issue May 24, 2016 · 4 comments

Comments

@aligit

aligit commented May 24, 2016

Hi,
The only way I can post form data for an authenticated user within an ajax request and avoid

Can't verify CSRF token authenticity

error, is to use fallback: :none like so:

acts_as_token_authentication_handler_for User, fallback: :none

However, this will make the gem useless, and any client can send a POST request to the restricted controller.

If I remove fallback: :none, then the ajax client will receive a 401 error.

Both front-end and rails API run on the same domain but on different ports.

Is this a security issue, and if not, how could I enable POST requests from my angular $http request? Maybe I should add the CSRF token in the header on the client side?

@gonzalo-bulnes
Owner

Hello @aligit,

The only way I can post form data for an authenticated user within ajax request [...] is to use fallback: :none [...]

That seems to be an authorization issue (not an authentication issue). If you expect access to be denied to unauthenticated users, see #154.

If the users of your webapp are also authenticated using cookies, then keeping the CSRF protection enabled and sending authenticity tokens with your AJAX calls seems to be a good option. See #37 and #49 for details about the authenticity tokens (a.k.a CSRF protection) and why they should be used when authentication cookies are available.

Please see also Asking for help for details about the information that is relevant to troubleshoot your Simple Token Authentication setup if that's necessary.

@aligit
Author

aligit commented May 24, 2016

Hi @gonzalo-bulnes,
Thanks for your reply. I don't use the cookie strategy. As proposed in #154, I added that require_authentication helper in the controller. This seems to work only from curl. But if I send it through an ajax POST request from my angular $http request, I will still get a 401 error.

Here is my main controller:

class ApplicationController < ActionController::API
  protect_from_forgery with: :null_session
end

And the concerned controller:

class AdsController < ApplicationController
  acts_as_token_authentication_handler_for User, fallback: :none
  before_action :require_authentication!
  # acts_as_token_authentication_handler_for User
  # before_action :authenticate_user!
end
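The two controller snippets above hinge on one distinction: with fallback: :none, the token handler only identifies a user when valid headers are present and otherwise lets the action run, so a separate before_action has to deny anonymous requests. The following is an added, stand-alone Ruby model of that behaviour; it is not the gem's code or Devise's. It assumes the gem's default header names (X-User-Email and X-User-Token), a constructed in-memory user store in place of the User model, and a constructed request shape in place of a Rails request. Because the credentials travel in custom headers rather than cookies, a cross-site form cannot attach them, which is why the CSRF authenticity token only matters when cookie authentication is also in play.

```ruby
# Added example, not part of the thread or the simple_token_authentication gem.
# Header names follow the gem's defaults; the user store and requests are constructed.
require 'securerandom'

# Constructed user store: email => token. A real app keeps tokens on the User model.
USERS = {
  'alice@example.com' => SecureRandom.hex(16),
}.freeze

# Constant-time comparison so a token check does not leak how many bytes matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Stand-in for the handler declared with `fallback: :none`: identify the user from the
# headers when they are present and valid, otherwise leave current_user nil and let
# the action run. Nothing here denies the request.
def authenticate_user_from_token(headers)
  email = headers['X-User-Email']
  token = headers['X-User-Token']
  return nil if email.nil? || token.nil?
  stored = USERS[email]
  return nil if stored.nil?
  secure_compare(stored, token) ? email : nil
end

# Stand-in for the action plus an optional `require_authentication!` before_action.
# Returns a constructed {status:, body:} hash instead of rendering.
def handle_request(headers, require_auth:)
  current_user = authenticate_user_from_token(headers)
  return { status: 401, body: 'unauthorized' } if require_auth && current_user.nil?

  { status: 200, body: "ad created by #{current_user || 'anonymous'}" }
end

# Constructed requests: the headers the AJAX client must send, the headerless call
# from the thread (before the email and token were added), and a wrong token.
VALID   = { 'X-User-Email' => 'alice@example.com', 'X-User-Token' => USERS['alice@example.com'] }.freeze
MISSING = { 'Content-Type' => 'application/json' }.freeze
WRONG   = { 'X-User-Email' => 'alice@example.com', 'X-User-Token' => 'not-the-token' }.freeze

if __FILE__ == $PROGRAM_NAME
  p handle_request(MISSING, require_auth: false) # 200, anonymous: fallback: :none alone lets anyone in
  p handle_request(MISSING, require_auth: true)  # 401: the error the AJAX client saw
  p handle_request(VALID,   require_auth: true)  # 200 once the headers are sent
  p handle_request(WRONG,   require_auth: true)  # 401
end
```

The first call is the situation the issue reports: fallback: :none alone never returns 401, so every request reaches the action. The second is the 401 the Angular client kept getting, produced by the require_authentication! guard once the headers were absent; the third is the state after the fix in the thread.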

@aligit
Author

aligit commented May 24, 2016

Thank you so much @gonzalo-bulnes. The problem is resolved. It was caused by the missing email and token in the header.

@gonzalo-bulnes
Owner

Hi @aligit,

Great! I hope that the docs/wiki helped : )
