Defect #15424

Filter chain halted as :verify_authenticity_token rendered or redirected

Added by Marco Descher almost 4 years ago. Updated almost 4 years ago.

Status: Closed
Start date:
Priority: High
Due date:
Assignee: -
% Done: 0%
Category: REST API
Target version: -
Resolution: Duplicate
Affected version: 2.4.0

Description

When executing a POST request to create a User using a Java Jersey client and the API access key, I get the following error:

Started POST "/users.xml?key=984434......." for 194.208.16.210 at 2013-11-21 10:01:43 +0100
Processing by UsersController#create as XML
  Parameters: {"user"=>{"id"=>"0", "login"=>"jdoe", "firstname"=>"John", "lastname"=>"Doe", "mail"=>"john@doe.at", "password"=>"[FILTERED]", "created_on"=>"2013-11-21T10:01:43.650+01:00"}, "key"=>"984434......."}
WARNING: Can't verify CSRF token authenticity
API calls must include a proper Content-type header (application/xml or application/json).
Filter chain halted as :verify_authenticity_token rendered or redirected
Completed 422 Unprocessable Entity in 0.4ms (ActiveRecord: 0.0ms)

I do not find a way to get the respective token via REST, is there even one provided?

According to http://stackoverflow.com/questions/10167956/rails-shows-warning-cant-verify-csrf-token-authenticity-from-a-restkit-post it would be safe to remove :verify_authenticity_token for calls coming via API.

output.png - Http4E packet (145 KB) Marco Descher, 2013-11-21 11:29
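The log above shows the request being rejected by CSRF verification even though it carries an API key. To make the decision behind that message concrete, here is an added example, not Redmine's own code: a simplified model of how a Rails-style application decides whether a write request may skip CSRF verification because it is a REST API call. The rule it encodes is the one the 2.4.0 log states (xml/json format requested, and for a write a Content-Type of application/xml or application/json); the class, function and key names, the session and key tables, and the exact messages are assumptions, and every request below is constructed to mirror the page's log lines.

```python
# Added example (not Redmine's code): a simplified model of the CSRF exemption a
# Rails app grants to REST API requests. Request/authorize_write/is_api_request,
# the key table and the session table are assumptions for this illustration.

from dataclasses import dataclass, field
from typing import Optional, Tuple

API_FORMATS = ("xml", "json")
API_CONTENT_TYPES = ("application/xml", "application/json")
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")

# Constructed credentials for the example only.
VALID_API_KEYS = {"984434EXAMPLEKEY": "wfeconnector"}
SESSION_USERS = {"sess-abc": "alice"}


@dataclass
class Request:
    method: str
    path: str                                   # e.g. "/users.xml"
    headers: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)  # query and body parameters
    cookies: dict = field(default_factory=dict)


def header(req: Request, name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    for k, v in req.headers.items():
        if k.lower() == name.lower():
            return v
    return None


def requested_format(req: Request) -> Optional[str]:
    """Format from the path extension: /users.xml -> 'xml'."""
    base = req.path.split("?", 1)[0]
    last = base.rsplit("/", 1)[-1]
    return last.rsplit(".", 1)[-1].lower() if "." in last else None


def is_api_request(req: Request) -> bool:
    """An API request asks for xml/json and, for a write, carries a body
    content type an HTML <form> cannot send. That second condition is what
    stops a cross-site form post from being treated as an API call, which is
    why the 2.4.0 log insists on the Content-Type header."""
    if requested_format(req) not in API_FORMATS:
        return False
    if req.method in SAFE_METHODS:
        return True
    ctype = (header(req, "Content-Type") or "").split(";", 1)[0].strip().lower()
    return ctype in API_CONTENT_TYPES


def current_user(req: Request) -> Optional[str]:
    """Session cookie first, then the API key (header or ?key= parameter)."""
    sess = req.cookies.get("_redmine_session")
    if sess in SESSION_USERS:
        return SESSION_USERS[sess]
    key = header(req, "X-Redmine-API-Key") or req.params.get("key")
    if is_api_request(req) and key in VALID_API_KEYS:
        return VALID_API_KEYS[key]
    return None


def authorize_write(req: Request) -> Tuple[int, str]:
    """Return (status, message) for a request, mirroring the 422 replies in the log."""
    if req.method in SAFE_METHODS:
        return 200, "read-only request"
    if is_api_request(req):
        user = current_user(req)
        return (200, f"api request by {user}") if user else (401, "invalid or missing API key")
    # Not an API request: a browser-style write must present the CSRF token.
    sess = req.cookies.get("_redmine_session")
    if sess in SESSION_USERS and req.params.get("authenticity_token") == f"tok-{sess}":
        return 200, f"form request by {SESSION_USERS[sess]}"
    if requested_format(req) in API_FORMATS:
        return 422, "API calls must include a proper Content-type header (application/xml or application/json)."
    return 422, "Invalid form authenticity token."


# Constructed requests modelled on the page's log lines.
USER_BODY = {"login": "jdoe", "firstname": "John", "lastname": "Doe"}
NO_CTYPE = Request("POST", "/users.xml", params={"key": "984434EXAMPLEKEY", "user": USER_BODY})
FIXED = Request("POST", "/users.xml", headers={"Content-Type": "application/xml; charset=utf-8"},
                params={"key": "984434EXAMPLEKEY", "user": USER_BODY})
CROSS_SITE_FORM = Request("POST", "/users.xml", headers={"Content-Type": "application/x-www-form-urlencoded"},
                          cookies={"_redmine_session": "sess-abc"}, params={"user": USER_BODY})
BROWSER_FORM = Request("POST", "/users", headers={"Content-Type": "application/x-www-form-urlencoded"},
                       cookies={"_redmine_session": "sess-abc"},
                       params={"authenticity_token": "tok-sess-abc", "user": USER_BODY})

if __name__ == "__main__":
    for name, req in [("no Content-Type", NO_CTYPE), ("with Content-Type", FIXED),
                      ("cross-site form to .xml", CROSS_SITE_FORM), ("browser form", BROWSER_FORM)]:
        print(f"{name:25s} -> {authorize_write(req)}")
```

Run stand-alone, the first request reproduces the 422 from the description, the second passes once `Content-Type: application/xml` is sent, and the third shows why the exemption is tied to the content type rather than to the `.xml` suffix alone: a cookie-authenticated form post to an API path still has to carry the CSRF token. That is the caveat behind the StackOverflow suggestion of removing `:verify_authenticity_token` for API calls: skip the check only for requests that cannot originate from a browser form, not for every request whose path ends in `.xml` or `.json`.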


Related issues

Related to Redmine - Defect #10780: Logout by using POST REST API Needs feedback
Duplicates Redmine - Defect #15427: REST API POST and PUT broken Closed

History

#1 Updated by Marco Descher almost 4 years ago

I tried several approaches; enclosed you see the direct packet POST request, and here is the corresponding log output

Started POST "/users.xml?key=98432342...." for 194.208.16.210 at 2013-11-21 11:24:30 +0100
Processing by UsersController#create as XML
  Parameters: {"user"=>{"login"=>"jplang", "firstname"=>"Jean-Philippe", "lastname"=>"Lang", "password"=>"[FILTERED]", "mail"=>"jp_lang@yahoo.fr"}, "key"=>"98432342"}
WARNING: Can't verify CSRF token authenticity
API calls must include a proper Content-type header (application/xml or application/json).
Filter chain halted as :verify_authenticity_token rendered or redirected
Completed 422 Unprocessable Entity in 0.4ms (ActiveRecord: 0.0ms)

#2 Updated by Marco Descher almost 4 years ago

2.3.3 works - output delivers a reason

Started POST "/users.xml?key=dsdfsd" for 194.208.16.210 at 2013-11-21 11:43:34 +0100
Processing by UsersController#create as XML
  Parameters: {"user"=>{"login"=>"jplang", "firstname"=>"Jean-Philippe", "lastname"=>"Lang", "password"=>"[FILTERED]", "mail"=>"jp_lang@yahoo.fr"}, "key"=>"dsdsd"}
WARNING: Can't verify CSRF token authenticity
  Current user: wfeconnector (id=4)
  Rendered common/error_messages.api.rsb (0.4ms)
Completed 422 Unprocessable Entity in 34ms (Views: 2.5ms | ActiveRecord: 2.1ms)

HTTP Response

HTTP/1.1 422 Unprocessable Entity
Date: Thu, 21 Nov 2013 10:43:34 GMT
Server: Apache/2.2.22 (Debian)
X-UA-Compatible: IE=Edge,chrome=1
Cache-Control: no-cache
X-Request-Id: 485987ed29c474535edc40ed6da973f3
X-Runtime: 0.039722
X-Rack-Cache: invalidate, pass
X-Powered-By: Phusion Passenger 4.0.18
Set-Cookie: _redmine_session=BAh7BkkiD3Nlc3Npb25faWQGOgZFRkkiJTY0ZTgyYjYwNjNiZjk5YmI1MTQzOTIxODYxOTcyMjEyBjsAVA%3D%3D--efbe3629d7071d5e7edffd65a5530dadc44c6343; path=/; HttpOnly
Set-Cookie: autologin=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT
Status: 422 Unprocessable Entity
Transfer-Encoding: chunked
Content-Type: application/xml; charset=utf-8

<?xml version="1.0" encoding="UTF-8"?><errors type="array"><error>Kennwort ist zu kurz (nicht weniger als 8 Zeichen)</error></errors>

#3 Updated by Marco Descher almost 4 years ago

I tried this. The call works flawlessly on 2.3.3, it however fails on 2.4.0!

Please check REST API POST access in 2.4.0!

#4 Updated by Jean-Philippe Lang almost 4 years ago

  • Status changed from New to Closed
  • Resolution set to Duplicate

Fixed in 2.4.1 that will be released tomorrow, see #15427.

#5 Updated by Jean-Philippe Lang almost 4 years ago

#6 Updated by Mischa The Evil over 2 years ago
