Thursday, September 15, 2011

Rails 3.1 CSRF token authenticity for JSON Content Type


When designing a REST API for one of my resources, I am getting a warning message like this:

> WARNING: Can't verify CSRF token authenticity


in the logs. This should NOT be happening, as I am accessing my resource through a JSON API using a POST request. The following Rails file:

rails/actionpack/lib/action_controller/metal/request_forgery_protection.rb

clearly states

"Only HTML and JavaScript requests are checked, so this will not protect your XML API (presumably you'll have a different authentication scheme there anyway). Also, GET requests are not protected as these should be idempotent."

In addition to this message in the logs, the Rails code also "resets" my non-existent session. Doing a little digging shows a problem in this function:

Where there is no check on the content type. By the way, you can easily set the content type of your request in a curl request like this:
> curl -H "Content-Type: application/json" -d '{"email":"abc@xyz.com", "password":"xyzc123"}' http://localhost:3000/sessions.json -i
Comparing the same code to Rails 3.0:


def verified_request?
  !protect_against_forgery? || request.forgery_whitelisted? ||
    form_authenticity_token == params[request_forgery_protection_token]
end
I see the additional check "request.forgery_whitelisted?", which ends up checking for the "JSON" and "XML" content types and returns true for them. I plan to submit a bug, and in the meantime you can work around it by overriding

in your controller or application controller. Good luck!
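To make the difference between the two versions concrete, here is an added example that is not code from this post or from Rails itself: a stand-alone model of the verified_request? decision, following the post's description of the 3.0 check (JSON and XML content types skip the token) and the 3.1 check (no content-type exemption). The Request struct, the X-Api-Key header and the API_KEY are assumptions for the example; real Rails uses ActionDispatch::Request. It also shows a defender's alternative to simply switching the check off for JSON: an API request without a CSRF token is accepted only when it carries a credential that a browser will not attach on a cross-site POST.

```ruby
# Added example, not code from the post or from Rails. Models the
# verified_request? decision of the two Rails versions compared in the post
# and runs them against constructed requests.
require 'securerandom'

# Constructed stand-in for the request (not ActionDispatch::Request).
Request = Struct.new(:http_method, :content_type, :params, :headers)

SESSION_TOKEN = SecureRandom.hex(32) # stands in for form_authenticity_token
API_KEY       = SecureRandom.hex(32) # assumed per-client key for the "different authentication scheme"

# Rails 3.0 style, as the post describes it: GETs and requests whose
# Content-Type is JSON or XML are whitelisted and skip the token check.
def forgery_whitelisted_30?(req)
  req.http_method == 'GET' ||
    %w[application/json application/xml].include?(req.content_type)
end

def verified_request_30?(req)
  forgery_whitelisted_30?(req) || req.params['authenticity_token'] == SESSION_TOKEN
end

# Rails 3.1 style: only GET is exempt; every other request must present the
# token, whatever Content-Type header it declares.
def verified_request_31?(req)
  req.http_method == 'GET' || req.params['authenticity_token'] == SESSION_TOKEN
end

# Constant-time comparison so the key check does not leak through timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Defender's alternative to disabling the check for JSON: keep the 3.1 rule,
# but let a JSON request through without a CSRF token only when it carries an
# assumed X-Api-Key header. A cross-site form POST cannot add that header
# without a CORS preflight the server must approve, and does not know the key.
def verified_request_api?(req)
  return true if req.http_method == 'GET'
  return true if req.params['authenticity_token'] == SESSION_TOKEN
  req.content_type == 'application/json' &&
    secure_compare(req.headers['X-Api-Key'].to_s, API_KEY)
end

# Constructed requests. The first is what a forged cross-site POST looks like:
# it can declare Content-Type: application/json but has no session token.
CROSS_SITE_JSON_POST = Request.new('POST', 'application/json', {}, {})
SAME_SITE_FORM_POST  = Request.new('POST', 'application/x-www-form-urlencoded',
                                   { 'authenticity_token' => SESSION_TOKEN }, {})
API_CLIENT_POST      = Request.new('POST', 'application/json', {},
                                   { 'X-Api-Key' => API_KEY })

# Runs all three policies against one request and returns the verdicts.
def compare(req)
  { rails_30: verified_request_30?(req),
    rails_31: verified_request_31?(req),
    api_scheme: verified_request_api?(req) }
end

if __FILE__ == $PROGRAM_NAME
  { cross_site_json: CROSS_SITE_JSON_POST,
    same_site_form: SAME_SITE_FORM_POST,
    api_client: API_CLIENT_POST }.each do |name, req|
    puts "#{name}: #{compare(req)}"
  end
end
```

Running it shows why the log warning appears: the forged-looking JSON POST is accepted by the 3.0 rule and rejected by the 3.1 rule, the ordinary form POST with a token passes everywhere, and an API client that authenticates with its own key passes only under the third policy, without reopening the token check for every request that merely claims to be JSON.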


Comments:

  1. Doesn't this open your API up to CSRF attacks for application/json requests?