Using the REST API issue

Added by Ben Hughes over 12 years ago

Howdy.

So I'm trying to use the REST API, and I keep hitting the CSRF protection. If I turn off config.action_controller.allow_forgery_protection it works. From what I read, there's setting the request type to XML to make Rails not try this, but I'm fairly convinced I'm doing this already.

It's Redmine 1.2.0, running atop unicorn/apache. My script is Ruby, using the 'redmine_client' gem (which is just basically ActiveRecord, regrettably).

POST /issues.xml HTTP/1.1
Accept: */*
Connection: close
Content-Type: application/xml
Authorization: Basic JjvpehpewnvpewtHPHv3cjehpshhgthpHFHGHENVN2PKSNneissjrJJJtjeJFF=
Content-Length: 165
Host: redmine.example.org

<?xml version="1.0" encoding="UTF-8"?>
<issue>
  <project-id>17</project-id>
  <subject>testing REST</subject>
  <description>this is a test
</description>
</issue>

HTTP/1.1 500 Internal Server Error
Date: Thu, 11 Aug 2011 19:19:28 GMT
Status: 500 Internal Server Error
Content-Type: text/html; charset=utf-8
Content-Length: 674
Cache-Control: no-cache
Set-Cookie: _redmine_session=BAgopegenFBNIBEOBVENDMSMRbefjbjbgBFvnXWHFHWIFHzZXNzaW9uX2lkIiUwNThlNzE0OGRkZTA4ZjBhYTE1NzVkYjNiYmJhMDk1Yw%3D%3D--015a1e27fb494afb7343972eb17633a85fc16b79; path=/; HttpOnly
Vary: Accept-Encoding
Connection: close

The log returns me the following:

NoMethodError (undefined method `destroy' for {:_csrf_token=>"N/kda9BN5/l+4GNKRVzAJRYkvdsLplPyrOlHROhiOL0="}:Hash):
  unicorn (3.5.0) lib/unicorn/http_server.rb:531:in `process_client'
  unicorn (3.5.0) lib/unicorn/http_server.rb:606:in `worker_loop'

Which told me it's the CSRF.

Any pointers would be grand. Thank you!

--
ben
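
An added illustration, not part of the original post and not Rails or Redmine source: a simplified Ruby model of two request-forgery policies, applied to a rebuild of the request shown above. The policy and helper names, the session token and the placeholder credentials are assumptions; the page does not state which policy the poster's Rails version applies.

```ruby
require "net/http"

# Content types an HTML form can submit cross-site from a browser.
FORM_TYPES = %w[application/x-www-form-urlencoded multipart/form-data text/plain].freeze
SESSION_TOKEN = "constructed-session-token" # constructed sample value

# Rebuild of the POST shown in the post; credentials are placeholders.
def build_issue_request
  req = Net::HTTP::Post.new("/issues.xml")
  req["Content-Type"] = "application/xml"
  req.basic_auth("USER", "PASSWORD")
  req.body = "<issue><project-id>17</project-id><subject>testing REST</subject></issue>"
  req
end

def media_type(req)
  req["Content-Type"].to_s.split(";").first.to_s.strip.downcase
end

# Constant-time comparison of the session token with the submitted one.
def token_match?(expected, given)
  return false if given.nil? || given.bytesize != expected.bytesize
  expected.bytes.zip(given.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
end

# Policy A (hypothetical model): only form-capable content types are checked,
# so an XML body is exempt even without a token.
def verified_by_content_type?(req, sent_token)
  return true if req.method == "GET"
  return true unless FORM_TYPES.include?(media_type(req))
  token_match?(SESSION_TOKEN, sent_token)
end

# Policy B (hypothetical model): every non-GET request must carry the token,
# whatever its content type.
def verified_strict?(req, sent_token)
  return true if req.method == "GET"
  token_match?(SESSION_TOKEN, sent_token)
end

if __FILE__ == $PROGRAM_NAME
  req = build_issue_request
  puts "media type:        #{media_type(req)}"
  puts "cookie sent:       #{!req['Cookie'].nil?}"
  puts "policy A verified: #{verified_by_content_type?(req, nil)}"
  puts "policy B verified: #{verified_strict?(req, nil)}"
end
```

Under policy B the XML content type makes no difference: a token-less POST fails verification however it is typed, so the content type alone cannot be relied on to skip the check.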