Why Does A POST Request, Properly Routed, Throw An "ActionController::InvalidAuthenticityToken" Error In Rails And The Shopify_app Gem

I am getting the following error when making a post request to /locations/1/submit-to-shopify in my app:

ActionController::InvalidAuthenticityToken in LocationsController#submitshopify

You can see the post route in my routes.rb file below.

  root 'home#index'

  controller :sessions do
    get 'login' => :new, :as => :login
    post 'login' => :create, :as => :authenticate
    get 'auth/shopify/callback' => :callback
    get 'logout' => :destroy, :as => :logout
    get 'locations/:id' => 'locations#index'
    post 'locations/:id/submit-to-shopify' => 'locations#submitshopify'
  end

All the other requests work fine. Here is my Locations controller:

class LocationsController < AuthenticatedController
  def index
    @location_id = params[:id]
    @location = Location.find(@location_id)
  end
  def submitshopify
    @location_id = params[:id]
    @location = Location.find(@location_id)
    @product_handle = params[:product_handle]
    @product = ShopifyAPI::Product.find_by handle: @product_handle
  end
  def new
  end
  def create
  end
  def show
  end
  def edit
  end
  def update
  end
  def destroy
    @location_id = params[:id]
    @location = Location.find(@location_id)
    @destroy_status = @location.destroy
  end
end

If it is of any consequence, I am using the 'shopify_app' gem, which includes 'shopify_api'. I followed all the directions listed for both of those modules, and have successfully authenticated with Shopify in all of the other pages / controllers.

Answer

Have you used helpers to create your submission form?

Or have you created it manually? If created manually, have you added the

<%= csrf_meta_tags %>

to your form?

Check with Firebug whether there is an authentication token at the end of the form. Even the view source should show you that.

We should be discarding the possibility that anyone is trying to spam using your form by means of an HTTP client like curl without actually being on your site (cross-site request forgery).

source: stackoverflow.com
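
The check behind the error in the question, as an added example that is not part of the original post and is not code from Rails or the shopify_app gem: a simplified, stand-alone Ruby model of a per-session CSRF token that is masked for each form and verified on every non-GET request. All method names and the hash-based session here are illustrative assumptions.

```ruby
require "securerandom"

# Simplified model of a Rails-style CSRF check (illustrative, not Rails' code).
class InvalidAuthenticityToken < StandardError; end

TOKEN_LENGTH = 32

# The real token lives only in the server-side session.
def real_token(session)
  session[:_csrf_token] ||= SecureRandom.random_bytes(TOKEN_LENGTH)
end

def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack("C*")
end

# Value a form helper would embed as the hidden authenticity_token field:
# a fresh one-time pad followed by the real token XORed with that pad.
def masked_token(session)
  pad = SecureRandom.random_bytes(TOKEN_LENGTH)
  [pad + xor_bytes(pad, real_token(session))].pack("m0") # strict base64
end

# Constant-time comparison so the check does not leak matching prefixes.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def valid_token?(session, submitted)
  return false if submitted.nil? || submitted.empty?
  raw = submitted.unpack1("m0") # raises ArgumentError on malformed base64
  return false unless raw.bytesize == TOKEN_LENGTH * 2
  pad, masked = raw[0, TOKEN_LENGTH], raw[TOKEN_LENGTH, TOKEN_LENGTH]
  secure_compare(xor_bytes(pad, masked), real_token(session))
rescue ArgumentError
  false
end

# GET and HEAD pass; any other verb must carry a valid token in the form
# field or the X-CSRF-Token header, otherwise the request is rejected.
def verify_request!(session, verb, params: {}, headers: {})
  return :ok if %w[GET HEAD].include?(verb)
  token = params["authenticity_token"] || headers["X-CSRF-Token"]
  raise InvalidAuthenticityToken unless valid_token?(session, token)
  :ok
end
```

A POST that carries no token, or a token minted for a different session, fails `verify_request!`, which is the condition reported as `ActionController::InvalidAuthenticityToken` in the question.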