3
votes

I'm using Rails 3.2 with the Doorkeeper gem to provide an OAuth 2 API for third parties. I keep getting this warning when using my REST API from outside of the app:

WARNING: Can't verify CSRF token authenticity

The client app successfully authenticated via OAuth 2. Why do I get this warning, and how do I implement CSRF properly for the external API?

2
You shouldn't implement CSRF for stateless APIs. It breaks the entire concept of stateless. – Tom van der Woerdt

I haven't implemented CSRF for the API, I'm just getting this warning from Rails. Can I skip the CSRF validity check for certain methods? – Alexander Savin

2 Answers

5
votes

Remove protect_from_forgery from your ApplicationController (or remove it for calls to the API).

2
votes

Turn off CSRF protection only for the controller that you want open ... this is safer than removing protect_from_forgery from the ApplicationController. In this case I'm using the create action as an example ... though you can modify to suit your needs.

class MessagesController < ApplicationController
  # Run the forgery check for :create with the :null_session strategy:
  # an unverified request gets an empty session instead of an exception,
  # so a client authenticating with a bearer token is not blocked.
  protect_from_forgery with: :null_session, only: [:create]
  # doorkeeper_for :create
end

Uncomment the doorkeeper line if you are authenticating via Doorkeeper.

The point is to open up only what needs to be opened up ...
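The reasoning behind both answers, as an added illustration that is not part of either answer or of Rails or Doorkeeper: CSRF protection exists because browsers attach cookies automatically, so a cross-site page can trigger a state-changing request that rides on the victim's session. A bearer token is never attached by the browser on its own, which is why an API action authenticated by Doorkeeper can use `:null_session` while the cookie-based web actions keep the normal check. The snippet below models that decision outside of Rails with a constructed `Request` struct; the names `csrf_decision`, `secure_compare` and the `:token_auth`/`:verified`/`:rejected` outcomes are assumptions for this example, not Rails API.

```ruby
# Constructed stand-in for an inbound HTTP request (not a real Rack request).
Request = Struct.new(:verb, :headers, :cookies, :params, keyword_init: true)

# Rails skips the forgery check for verbs that do not change state.
SAFE_VERBS = %w[GET HEAD OPTIONS].freeze

def bearer_token?(request)
  request.headers.fetch('Authorization', '').start_with?('Bearer ')
end

# Constant-time comparison so the token check does not leak timing information.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Classify a request the way a controller using
# `protect_from_forgery with: :null_session` for its API action treats it:
#   :safe_verb  - no check needed, nothing changes state
#   :token_auth - bearer-token request; the session is discarded, so CSRF is moot
#   :verified   - cookie-session request carrying the correct authenticity token
#   :rejected   - cookie-session request with a missing or wrong token
def csrf_decision(request, session_csrf_token)
  return :safe_verb if SAFE_VERBS.include?(request.verb)
  # Unlike cookies, a Bearer token is not added by the browser on its own, so a
  # cross-site page cannot forge this request; the session is ignored for it.
  return :token_auth if bearer_token?(request)
  submitted = request.params['authenticity_token'] || request.headers['X-CSRF-Token']
  return :rejected if submitted.nil? || session_csrf_token.nil?
  secure_compare(submitted, session_csrf_token) ? :verified : :rejected
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample: an OAuth client calling the API with a bearer token.
  api_call = Request.new(verb: 'POST',
                         headers: { 'Authorization' => 'Bearer constructed-token' },
                         cookies: {}, params: {})
  puts csrf_decision(api_call, 'constructed-session-token') # => token_auth
end
```

Note that `only: [:create]` in the answer limits the `:null_session` strategy to that one action; every other action in the controller still inherits the default behaviour from `ApplicationController`, which is what keeps the cookie-authenticated parts of the app covered.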