Defect #15424

closed

Filter chain halted as :verify_authenticity_token rendered or redirected

Added by Marco Descher over 10 years ago. Updated over 10 years ago.

Status: Closed
Priority: High
Assignee: -
Category: REST API
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Resolution: Duplicate
Affected version:

Description

When executing a POST request to create a User using a Java Jersey client and the API access key, I get the following error:

Started POST "/users.xml?key=984434......." for 194.208.16.210 at 2013-11-21 10:01:43 +0100
Processing by UsersController#create as XML
  Parameters: {"user"=>{"id"=>"0", "login"=>"jdoe", "firstname"=>"John", "lastname"=>"Doe", "mail"=>"john@doe.at", "password"=>"[FILTERED]", "created_on"=>"2013-11-21T10:01:43.650+01:00"}, "key"=>"984434......."}
WARNING: Can't verify CSRF token authenticity
API calls must include a proper Content-type header (application/xml or application/json).
Filter chain halted as :verify_authenticity_token rendered or redirected
Completed 422 Unprocessable Entity in 0.4ms (ActiveRecord: 0.0ms)

I do not find a way to get the resp. Token via REST, is there even one provided?

According to http://stackoverflow.com/questions/10167956/rails-shows-warning-cant-verify-csrf-token-authenticity-from-a-restkit-post it would be safe to remove :verify_authenticity_token for calls coming via API.


Files

output.png (145 KB), Http4E packet, Marco Descher, 2013-11-21 11:29
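
The rule stated in the log line "API calls must include a proper Content-type header (application/xml or application/json)" can be modelled as below. This is an added illustration, not Redmine's code; the function names and sample requests are hypothetical and constructed.

```ruby
# Added illustration; not Redmine's code. All names here are hypothetical.
# An HTML form can only submit urlencoded, multipart or text/plain bodies,
# so the Content-Type separates API clients from forged browser form posts.
API_FORMATS       = %w[xml json].freeze
API_CONTENT_TYPES = %w[application/xml application/json].freeze
SAFE_METHODS      = %w[GET HEAD].freeze

# Media type without parameters: "application/xml; charset=utf-8" -> "application/xml"
def media_type(header)
  header.to_s.split(';').first.to_s.strip.downcase
end

# Format taken from the path extension: "/users.xml?key=..." -> "xml"
def path_format(path)
  File.extname(path.to_s.split('?').first.to_s).delete_prefix('.').downcase
end

# True only when the URL format and the Content-Type both say "API".
def api_request?(req)
  API_FORMATS.include?(path_format(req[:path])) &&
    API_CONTENT_TYPES.include?(media_type(req[:content_type]))
end

# Decision of the CSRF filter step only; API-key authentication is a
# separate step that would run afterwards.
def csrf_filter(req)
  return :allow if SAFE_METHODS.include?(req[:method])
  return :allow if api_request?(req)
  req[:csrf_token_valid] ? :allow : :reject_422
end

# Constructed sample requests (not taken from the reporter's traffic).
SAMPLES = {
  api_xml:      { method: 'POST', path: '/users.xml?key=PLACEHOLDER',
                  content_type: 'application/xml; charset=utf-8' },
  api_json:     { method: 'POST', path: '/users.json', content_type: 'Application/JSON' },
  form_to_xml:  { method: 'POST', path: '/users.xml',
                  content_type: 'application/x-www-form-urlencoded' },
  no_type:      { method: 'POST', path: '/users.xml?key=PLACEHOLDER', content_type: nil },
  browser_form: { method: 'POST', path: '/users',
                  content_type: 'application/x-www-form-urlencoded', csrf_token_valid: true }
}.freeze

SAMPLES.each { |name, req| puts format('%-13s %s', name, csrf_filter(req)) }
```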

Related issues

Related to Redmine - Defect #10780: Logout by using POST REST API (Needs feedback)
Is duplicate of Redmine - Defect #15427: REST API POST and PUT broken (Closed, Jean-Philippe Lang)

#1

Updated by Marco Descher over 10 years ago

I tried several approaches; enclosed you see the direct packet POST request, and here is the corresponding log output:

Started POST "/users.xml?key=98432342...." for 194.208.16.210 at 2013-11-21 11:24:30 +0100
Processing by UsersController#create as XML
  Parameters: {"user"=>{"login"=>"jplang", "firstname"=>"Jean-Philippe", "lastname"=>"Lang", "password"=>"[FILTERED]", "mail"=>"jp_lang@yahoo.fr"}, "key"=>"98432342"}
WARNING: Can't verify CSRF token authenticity
API calls must include a proper Content-type header (application/xml or application/json).
Filter chain halted as :verify_authenticity_token rendered or redirected
Completed 422 Unprocessable Entity in 0.4ms (ActiveRecord: 0.0ms)

#2

Updated by Marco Descher over 10 years ago

2.3.3 works - output delivers a reason

Started POST "/users.xml?key=dsdfsd" for 194.208.16.210 at 2013-11-21 11:43:34 +0100
Processing by UsersController#create as XML
  Parameters: {"user"=>{"login"=>"jplang", "firstname"=>"Jean-Philippe", "lastname"=>"Lang", "password"=>"[FILTERED]", "mail"=>"jp_lang@yahoo.fr"}, "key"=>"dsdsd"}
WARNING: Can't verify CSRF token authenticity
  Current user: wfeconnector (id=4)
  Rendered common/error_messages.api.rsb (0.4ms)
Completed 422 Unprocessable Entity in 34ms (Views: 2.5ms | ActiveRecord: 2.1ms)

HTTP Response

HTTP/1.1 422 Unprocessable Entity
Date: Thu, 21 Nov 2013 10:43:34 GMT
Server: Apache/2.2.22 (Debian)
X-UA-Compatible: IE=Edge,chrome=1
Cache-Control: no-cache
X-Request-Id: 485987ed29c474535edc40ed6da973f3
X-Runtime: 0.039722
X-Rack-Cache: invalidate, pass
X-Powered-By: Phusion Passenger 4.0.18
Set-Cookie: _redmine_session=BAh7BkkiD3Nlc3Npb25faWQGOgZFRkkiJTY0ZTgyYjYwNjNiZjk5YmI1MTQzOTIxODYxOTcyMjEyBjsAVA%3D%3D--efbe3629d7071d5e7edffd65a5530dadc44c6343; path=/; HttpOnly
Set-Cookie: autologin=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT
Status: 422 Unprocessable Entity
Transfer-Encoding: chunked
Content-Type: application/xml; charset=utf-8

<?xml version="1.0" encoding="UTF-8"?><errors type="array"><error>Kennwort ist zu kurz (nicht weniger als 8 Zeichen)</error></errors>

#3

Updated by Marco Descher over 10 years ago

I tried this. The call works flawlessly on 2.3.3, it however fails on 2.4.0!

Please check REST API POST access in 2.4.0!

#4

Updated by Jean-Philippe Lang over 10 years ago

  • Status changed from New to Closed
  • Resolution set to Duplicate

Fixed in 2.4.1 that will be released tomorrow, see #15427.

#5

Updated by Jean-Philippe Lang over 10 years ago

  • Is duplicate of Defect #15427: REST API POST and PUT broken added

#6

Updated by Mischa The Evil about 9 years ago
