Having trouble with delete method csrf_token


Cameron Gose

Mar 21, 2022, 12:43:22 AM
to Roda
I'm having an issue when submitting a delete request and receiving a 400 error code. I am guessing it is the csrf token not matching the expected path or something like that. I removed the check_csrf! to verify, and am able to hit the delete route with check_csrf! removed. I am trying to delete at the path: "/todos/<%= todo.id%>"

So I am submitting the delete request with the following header
"X-CSRF-Token": "<%== csrf_token "/todos/#{todo.id}", "DELETE" %>"

I'm guessing this is incorrect. Any pointers?

This is how I have the route setup.

hash_routes.on 'todos' do |r|
  set_view_subdir 'todos'
  r.on Integer do |id|
    @todo = Todo[id]

    r.get do
      # This is accessible
      return @todo.task
    end

    r.delete do
      # not accessible at all
      @todo.delete
      r.redirect("todos")
    end
  end
end

Jeremy Evans

Mar 21, 2022, 1:07:00 AM
to ruby...@googlegroups.com
On Sun, Mar 20, 2022 at 9:43 PM Cameron Gose <cgos...@gmail.com> wrote:
> I'm having an issue when submitting a delete request and receiving a 400 error code. I am guessing it is the csrf token not matching the expected path or something like that. I removed the check_csrf! to verify, and am able to hit the delete route with check_csrf! removed. I am trying to delete at the path: "/todos/<%= todo.id%>"
>
> So I am submitting the delete request with the following header
> "X-CSRF-Token": "<%== csrf_token "/todos/#{todo.id}", "DELETE" %>"

The route_csrf plugin :check_header option defaults to false. Are you passing check_header: true or check_header: :only when loading the plugin?

Thanks,
Jeremy

Cameron Gose

Mar 21, 2022, 1:37:49 PM
to Roda
Yep, that was it. Just needed to add the option when loading the plugin:

plugin :route_csrf, check_header: true
