
Rails: Disable CSRF for a 3rd party POST Request

I have a Rails 3.2 App where I need to accept POST requests from a 3rd party. I want to store the incoming requests in my 'message' model. My MessageController looks as follows:

    class MessagesController < ApplicationController
      protect_from_forgery :except => :create
      ...

      def create
        @message = Message.new(content: params[:content], command: params[:command], messageId: params[:messageId], ...)

        respond_to do |format|
          if @message.save
      ...

The requests I'm receiving look like this:

    curl -d "content=GUESTTEST&command=deliverMessage&messageId=11389622" https://[myapp].herokuapp.com/messages

This works fine locally (http://localhost:3000/messages) but as soon as I switch to Heroku, the requests don't work anymore.

`heroku logs` says:

    2012-08-13T07:54:01+00:00 app[web.1]: Started POST "/" for 178.195.215.59 at 2012-08-13 07:54:01 +0000
    2012-08-13T07:54:01+00:00 app[web.1]: Processing by StaticPagesController#home as */*
    2012-08-13T07:54:01+00:00 app[web.1]:   Parameters: {"content"=>"GUESTTEST", "time"=>"2012-08-01 10:09:03", "businessNumber"=>"5555", "sessionId"=>"5555CHS1343808543654", "operatorCode"=>"99999", "msisdn"=>"0099955291", "keyword"=>"GUESTTEST", "command"=>"deliverMessage", "messageId"=>"11389622"}
    2012-08-13T07:54:01+00:00 app[web.1]: WARNING: Can't verify CSRF token authenticity
    2012-08-13T07:54:01+00:00 app[web.1]:   Rendered static_pages/home.html.erb within layouts/application (1.1ms)
    2012-08-13T07:54:01+00:00 app[web.1]:   Rendered layouts/_shim.html.erb (0.0ms)
    2012-08-13T07:54:01+00:00 app[web.1]:   Rendered layouts/_header.html.erb (0.9ms)
    2012-08-13T07:54:01+00:00 app[web.1]:   Rendered layouts/_footer.html.erb (0.2ms)
    2012-08-13T07:54:01+00:00 app[web.1]: Completed 200 OK in 6ms (Views: 5.6ms | ActiveRecord: 0.0ms)
    2012-08-13T07:54:01+00:00 heroku[router]: POST guestlist12.herokuapp.com/ dyno=web.1 queue=0 wait=0ms service=72ms status=200 bytes=2425

What do I need to change to allow the posts to work without the CSRF token?

Any help is much appreciated!

tomburger asked Jan 25 '26 12:01


1 Answer

Summarizing the answer from the comments in order to remove this question from the "Unanswered" filter:

[Remove] protect_from_forgery [from the] application controller.

~ answer per Amol Pujari

DreadPirateShawn answered Jan 28 '26 07:01
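Added example, not part of the question or the answer: a Ruby script that groups Rails log lines by request and reports which controller action logged the CSRF warning. On the question's log it shows the POST was handled by `StaticPagesController#home` at "/", an action that the `:except => :create` in `MessagesController` does not cover. The helper names and the second request (including its address) are constructed for illustration.

```ruby
# Lines 1-4 are copied from the question's Heroku log; lines 5-7 are
# constructed to show a request that reaches the exempted action.
SAMPLE_LOG = <<~'LOG'
  2012-08-13T07:54:01+00:00 app[web.1]: Started POST "/" for 178.195.215.59 at 2012-08-13 07:54:01 +0000
  2012-08-13T07:54:01+00:00 app[web.1]: Processing by StaticPagesController#home as */*
  2012-08-13T07:54:01+00:00 app[web.1]: WARNING: Can't verify CSRF token authenticity
  2012-08-13T07:54:01+00:00 app[web.1]: Completed 200 OK in 6ms (Views: 5.6ms | ActiveRecord: 0.0ms)
  2012-08-13T07:55:10+00:00 app[web.1]: Started POST "/messages" for 203.0.113.7 at 2012-08-13 07:55:10 +0000
  2012-08-13T07:55:10+00:00 app[web.1]: Processing by MessagesController#create as */*
  2012-08-13T07:55:10+00:00 app[web.1]: Completed 201 Created in 9ms (Views: 0.3ms | ActiveRecord: 4.1ms)
LOG

# Actions exempted from the CSRF check, taken from the question's
# `protect_from_forgery :except => :create` in MessagesController.
CSRF_EXEMPT = ["MessagesController#create"].freeze

# Group log lines into requests. Assumes one request's lines are not
# interleaved with another's (single process, as in the question's log).
def csrf_report(log, exempt = CSRF_EXEMPT)
  requests = []
  log.each_line do |line|
    msg = line.sub(/\A\S+ \S+: /, "").strip # drop "<timestamp> app[web.1]: "
    case msg
    when /\AStarted (\w+) "([^"]*)"/
      requests << { verb: $1, path: $2, action: nil, csrf_failed: false }
    when /\AProcessing by ([\w:]+)#(\w+)/
      requests.last[:action] = "#{$1}##{$2}" if requests.last
    when /Can't verify CSRF token authenticity/
      requests.last[:csrf_failed] = true if requests.last
    end
  end
  requests.each { |r| r[:exempt] = exempt.include?(r[:action]) }
end

# Requests that failed the CSRF check in an action that was never exempted.
def unexpected_csrf_failures(log)
  csrf_report(log).select { |r| r[:csrf_failed] && !r[:exempt] }
end

if __FILE__ == $PROGRAM_NAME
  unexpected_csrf_failures(SAMPLE_LOG).each do |r|
    puts "#{r[:verb]} #{r[:path]} -> #{r[:action]}: CSRF check failed, action not exempt"
  end
end
```

Keeping the exemption scoped to the one action that receives the third-party POST leaves the CSRF check in place for every browser-facing form in the app.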


