Re: CSRF protection with Rails


rte...@gmail.com

Jul 3, 2012, 8:18:58 PM
to ang...@googlegroups.com

$httpProvider.defaults.headers.common['X-CSRF-Token'] = $('meta[name=csrf-token]').attr('content');

make sure you have <%= csrf_meta_tags %>

On Tuesday, July 3, 2012 3:34:53 PM UTC-4, Jakub Arnold wrote:
I've been having problems with $resource. The requests that it makes don't seem to be affected by the Rails patch to $.ajax, so they don't pass the CSRF protection, resulting in WARNING: Can't verify CSRF token authenticity error on every request.

Anyone encountered this?

to...@codeable.io

Mar 4, 2013, 6:20:42 AM
to ang...@googlegroups.com
I know I'm a bit late to the party, but one more solution is (in case you have a single page app) to remove the csrf snippet (in the layout) altogether, and instead use:

<script>
  var csrf_token = "<%= form_authenticity_token %>";
</script>

And then configure $httpProvider:

app.config ["$httpProvider", (provider) ->
  provider.defaults.headers.common['X-CSRF-Token'] = csrf_token
]

On Wednesday, July 4, 2012 1:51:36 PM UTC+2, Jakub Arnold wrote:
It works perfectly, thanks. Just in case anyone else is wondering, you need to wrap the code in a config block to get the provider, such as

var module = angular.module('mypp', []);
module.config(["$httpProvider", function(provider) {
  provider.defaults.headers.common['X-CSRF-Token'] = $('meta[name=csrf-token]').attr('content');
}]);

xrd

Mar 4, 2013, 4:19:41 PM
to ang...@googlegroups.com
If you want to use a gem for a little less typing you can use this:

https://github.com/xrd/ng-rails-csrf

Kevin L

May 24, 2013, 6:23:12 AM
to ang...@googlegroups.com
xrd: The method involving $httpProvider worked for me but not the gem. Can it potentially be a bug with the gem in terms of working with Rails 4?

On Rails 4, after making sure my strong parameters rules made sense, I had no luck overcoming this problem before attempting the $httpProvider method.

xrd

May 25, 2013, 3:02:16 AM
to ang...@googlegroups.com
Kevin,

Could you perhaps create a public sample project on GitHub and send me the link? I can pull it and see whether I can troubleshoot your issue.

Chris

Chris Bolton

Jun 6, 2013, 10:31:11 PM
to ang...@googlegroups.com
gem also isn't working for me in rails 4

Chris Bolton

Jun 6, 2013, 10:37:28 PM
to ang...@googlegroups.com
actually sorry, correction: it works, but messes up my normal forms for some reason. I didn't look too far into it and just put the $httpProvider statement in the config block myself.



xrd

Jun 7, 2013, 9:34:40 AM
to ang...@googlegroups.com
I will look into this next week. Support was added for Turbolinks and I wonder if that is breaking your forms.

xrd

Jun 7, 2013, 1:57:42 PM
to ang...@googlegroups.com
I just tested with my sample project:


This has a branch called rails4. I did not see any issues with this and the current version of the gem.

Can you check this out, use the rails4 branch, and see what the delta is between your service and this sample project?

Chris

xrd

Jun 7, 2013, 1:58:27 PM
to ang...@googlegroups.com

James Sanders

Dec 13, 2013, 12:26:59 PM
to ang...@googlegroups.com
Hey I know this thread is pretty old, but here's a gem that is a purely server-side solution based on the scheme described in the $http documentation in the "Cross Site Request Forgery (XSRF) Protection" section: https://github.com/jsanders/angular_rails_csrf. It doesn't require `csrf_meta_tags` or any changes to your angular app.

-James
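Both approaches in this thread (the X-CSRF-Token header filled from csrf_meta_tags or an inlined form_authenticity_token, and the XSRF-TOKEN cookie / X-XSRF-TOKEN header scheme from the $http documentation that the angular_rails_csrf gem relies on) end at the same place: the server compares whatever the client sent against the token it keeps in the session. The block below is an added example, written for this thread; it is not code from Rails, AngularJS, or either gem. It models that server-side check in plain Ruby: safe methods pass without a token, non-safe methods must carry a token in one of the three places Rails or the cookie scheme would look, and the comparison is constant-time. The module name, the request hash layout, and the cookie attributes are assumptions for this example.

```ruby
require 'securerandom'

# Added example (not Rails or gem code): a minimal model of server-side CSRF
# token verification for the header and cookie schemes discussed above.
module CsrfCheck
  # Rails only verifies state-changing requests; these methods are exempt.
  SAFE_METHODS = %w[GET HEAD OPTIONS].freeze

  # One random token per session, generated on first use and then reused.
  # (Assumed session layout: a plain Hash standing in for the Rails session.)
  def self.session_token(session)
    session[:_csrf_token] ||= SecureRandom.base64(32)
  end

  # Constant-time comparison: never return early on the first differing byte,
  # so an attacker cannot locate the mismatch by timing the response.
  def self.secure_compare(a, b)
    return false if a.nil? || b.nil? || a.bytesize != b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Cookie scheme from the $http docs: the server puts the token in a cookie that
  # JavaScript can read (so it must NOT be HttpOnly), and the client echoes it
  # back in an X-XSRF-TOKEN header. Cookie attributes here are an assumption.
  def self.xsrf_cookie_header(session)
    "XSRF-TOKEN=#{session_token(session)}; Path=/; SameSite=Lax"
  end

  # request is an assumed hash: { method:, headers: {}, params: {} }.
  # A request is verified if it is a safe method or if any of the three
  # token carriers matches the session token.
  def self.verified_request?(request, session)
    return true if SAFE_METHODS.include?(request[:method].to_s.upcase)
    expected = session_token(session)
    headers = request[:headers] || {}
    params  = request[:params]  || {}
    candidates = [
      params['authenticity_token'],   # classic Rails form field
      headers['X-CSRF-Token'],        # csrf_meta_tags / $httpProvider approach
      headers['X-XSRF-TOKEN']         # $http cookie scheme (angular_rails_csrf)
    ]
    candidates.any? { |tok| secure_compare(tok, expected) }
  end

  # Constructed requests exercising the accept and reject paths.
  def self.demo
    session = {}
    token = session_token(session)
    {
      get_without_token:    verified_request?({ method: 'GET',  headers: {}, params: {} }, session),
      post_without_token:   verified_request?({ method: 'POST', headers: {}, params: {} }, session),
      post_meta_tag_header: verified_request?({ method: 'POST', headers: { 'X-CSRF-Token' => token } }, session),
      post_cookie_scheme:   verified_request?({ method: 'POST', headers: { 'X-XSRF-TOKEN' => token } }, session),
      post_form_param:      verified_request?({ method: 'POST', params: { 'authenticity_token' => token } }, session),
      post_wrong_token:     verified_request?({ method: 'POST', headers: { 'X-CSRF-Token' => token.reverse } }, session),
      post_other_session:   verified_request?({ method: 'POST', headers: { 'X-CSRF-Token' => token } }, {}),
      cookie_carries_token: xsrf_cookie_header(session).include?(token)
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  CsrfCheck.demo.each { |name, ok| puts "#{name}: #{ok}" }
end
```

The "post_other_session" case is the one that matters for the cookie scheme: the header is checked against the token stored in the server-side session, not merely against the cookie, so a token lifted from one session does not pass in another. The price of that scheme is that the XSRF-TOKEN cookie has to be readable by script, which is why the token itself must stay unguessable and why the header should only be attached to same-origin requests, as $http does.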