Having trouble with delete method csrf_token

[Cameron Gose]

I'm having an issue when submitting a delete request and receiving a 400 error code. I am guessing it is the csrf token not matching the expected path or something like that. I removed the check_csrf! to verify, and am able to hit the delete route with check_csrf! removed. I am trying to delete at the path: "/todos/<%= todo.id%>"

So I am submitting the delete request with the following header

"X-CSRF-Token": "<%== csrf_token "/todos/#{todo.id}", "DELETE" %>

I'm guessing this is incorrect. Any pointers?

This is how I have the route setup.

hash_routes.on 'todos' do |r|
    set_view_subdir 'todos'
    r.on Integer do |id|
      @todo = Todo[id]
     
      r.get do
        # This is accessible
        return @todo.task
      end
     
      r.delete do
        # not accessible at all
        @todo.delete
        r.redirect("todos")
      end
    end

end

[Jeremy Evans]

On Sun, Mar 20, 2022 at 9:43 PM Cameron Gose <cgos...@gmail.com> wrote:

I'm having an issue when submitting a delete request and receiving a 400 error code. I am guessing it is the csrf token not matching the expected path or something like that. I removed the check_csrf! to verify, and am able to hit the delete route with check_csrf! removed. I am trying to delete at the path: "/todos/<%= todo.id%>" 

So I am submitting the delete request with the following header

"X-CSRF-Token": "<%== csrf_token "/todos/#{todo.id}", "DELETE" %>

The route_csrf plugin :check_header option defaults to false.  Are you passing check_header: true or check_header: :only when loading the plugin?

Thanks,

Jeremy

[Cameron Gose]

Yep that was it. Just needed to add the option when loading the plugin

  plugin :route_csrf, check_header: true