升级到rails 5后,我在尝试登录时收到无效的CSRF令牌错误

问题描述 投票:0回答:1

我正在使用设计进行身份验证,但是在我从rails 4升级到rails 5之后,即使CSRF令牌在请求中,我也无法登录。

这是我看到的服务器日志:


Started POST "/users/sign_in" for 127.0.0.1 at 2019-04-02 15:27:09 +1100
Processing by Users::SessionsController#create as HTML
  Parameters: {"utf8"=>"✓", "authenticity_token"=>"q3Ui2rNEIIuRcpNxpbhbIxYLWuYcfd4FxBzIHKgBvdFLUZ96gTIJSQ37kfziG82Vg77NHfdvEkIrThfG6ySpiQ==", "user"=>{"email"=>"xxx", "password"=>"[FILTERED]", "remember_me"=>"0"}}

  User Load (0.5ms)  SELECT  `users`.* FROM `users` WHERE `users`.`email` = 'xxx' ORDER BY `users`.`id` ASC LIMIT 1
   (0.2ms)  BEGIN
  SQL (0.3ms)  UPDATE `users` SET `current_sign_in_at` = '2019-04-02 03:46:49', `sign_in_count` = 16, `updated_at` = '2019-04-02 03:46:49' WHERE `users`.`id` = 2
   (2.2ms)  COMMIT
Can't verify CSRF token authenticity.
   (0.2ms)  BEGIN
   (0.1ms)  COMMIT
  User Load (0.3ms)  SELECT  `users`.* FROM `users` WHERE `users`.`email` = 'xxx' ORDER BY `users`.`id` ASC LIMIT 1
   (0.2ms)  BEGIN
  SQL (0.4ms)  UPDATE `users` SET `last_sign_in_at` = '2019-04-02 03:46:49', `sign_in_count` = 17 WHERE `users`.`id` = 2
   (0.3ms)  COMMIT

显然,当我跳过真实性令牌验证时,问题就会消失。

ruby-on-rails ruby-on-rails-5
1个回答
0
投票

在挖了一下之后我发现了这个this线程,特别是this

对于Rails 5,请注意protect_from_forgery不再被添加到before_action链中,因此如果您在authenticate_user之前设置了protect_from_forgery,则您的请求将导致“无法验证CSRF令牌的真实性”。要解决此问题,请更改调用它们的顺序,或使用protect_from_forgery prepend: true

所以问题解决了:)

(感谢Mark Merritt也指出了同样的问题)

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.