{"id":164,"date":"2020-01-20T20:45:38","date_gmt":"2020-01-20T19:45:38","guid":{"rendered":"http:\/\/www.underealm.com\/tech\/?p=164"},"modified":"2020-01-20T20:51:31","modified_gmt":"2020-01-20T19:51:31","slug":"invalidauthenticitytoken-and-you","status":"publish","type":"post","link":"https:\/\/www.underealm.com\/tech\/2020\/01\/invalidauthenticitytoken-and-you\/","title":{"rendered":"InvalidAuthenticityToken and you"},"content":{"rendered":"\n<p>While testing logins on my Rails app, I&#8217;ve started hitting a lot of <code>InvalidAuthenticityToken<\/code> errors which were quite bothersome\u2026<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p> ActionController::InvalidAuthenticityToken in DeviseInvitable::RegistrationsController#create <\/p><\/blockquote>\n\n\n\n<p>Every endpoint I tried resulted in the <abbr title=\"InvalidAuthenticityToken\">IAT<\/abbr> error, and <a href=\"https:\/\/stackoverflow.com\/a\/19819589\">everywhere I looked<\/a> were <a href=\"https:\/\/stackoverflow.com\/a\/20875842\">horrible answers<\/a> such as &#8220;disable security for this method&#8221;, &#8220;disable security for that method&#8221;, so on and so forth. In between the plethora of suggested exploitation vectors, I&#8217;ve found an <a href=\"https:\/\/stackoverflow.com\/questions\/54374158\/how-to-fix-actioncontrollerinvalidauthenticitytoken-error-in-rails#comment95564539_54374158\"><em>incorrect<\/em> answer on StackOverflow<\/a>, that led me to the <a href=\"https:\/\/stackoverflow.com\/a\/58872429\">true gold<\/a>.<\/p>\n\n\n\n<p>Chances are that if you&#8217;re using Rails 6 with Devise, most of the configurations are correct and safe by default, which probably means that just like me you&#8217;re using a reverse proxy for caching and SSL wrapping. 
As it turns out, without the proper additional parameters forwarded by Nginx, Rails will return <abbr title=\"InvalidAuthenticityToken\">IAT<\/abbr> every single time even when all parameters are set. Your typical configuration:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>proxy_set_header Host $host;\nproxy_set_header X-Real-IP $remote_addr;\nproxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;\nproxy_pass http&lt;s>:\/\/&lt;ip>:&lt;port>$request_uri;<\/code><\/pre>\n\n\n\n<p>How it should look:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>proxy_set_header Host $host;\nproxy_set_header X-Real-IP $remote_addr;\nproxy_set_header X-Forwarded-Ssl on;\nproxy_set_header X-Forwarded-Host $host;\nproxy_set_header X-Forwarded-Port 443;\nproxy_set_header X-Forwarded-Proto https;\nproxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;\nproxy_pass http&lt;s>:\/\/&lt;ip>:&lt;port>$request_uri;<\/code><\/pre>\n\n\n\n<p>With the addition of the <code>-Ssl<\/code>, <code>-Host<\/code>, <code>-Port<\/code> and <code>-Proto<\/code> parameters everything works correctly.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>While testing logins on my Rails app, I&#8217;ve started hitting a lot of InvalidAuthenticityToken errors which were quite bothersome\u2026 ActionController::InvalidAuthenticityToken in DeviseInvitable::RegistrationsController#create Every endpoint I tried resulted in the IAT error, and everywhere I looked were horrible answers such as &#8220;disable security for this method&#8221;, &#8220;disable security for that method&#8221;, so on and so forth. 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[32],"tags":[93,91,94,88,87],"class_list":["post-164","post","type-post","status-publish","format-standard","hentry","category-antifud","tag-actioncontroller","tag-devise","tag-invalidauthenticitytoken","tag-rails","tag-ruby"],"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/www.underealm.com\/tech\/wp-json\/wp\/v2\/posts\/164"}],"collection":[{"href":"https:\/\/www.underealm.com\/tech\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.underealm.com\/tech\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.underealm.com\/tech\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.underealm.com\/tech\/wp-json\/wp\/v2\/comments?post=164"}],"version-history":[{"count":4,"href":"https:\/\/www.underealm.com\/tech\/wp-json\/wp\/v2\/posts\/164\/revisions"}],"predecessor-version":[{"id":168,"href":"https:\/\/www.underealm.com\/tech\/wp-json\/wp\/v2\/posts\/164\/revisions\/168"}],"wp:attachment":[{"href":"https:\/\/www.underealm.com\/tech\/wp-json\/wp\/v2\/media?parent=164"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.underealm.com\/tech\/wp-json\/wp\/v2\/categories?post=164"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.underealm.com\/tech\/wp-json\/wp\/v2\/tags?post=164"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}