@munaita_

InvalidAuthenticityToken error on Rails 5 and later


Environment

  • Server: Rails 5
  • Frontend: React/Angular
  • Occurs when sending devise's sign_out request with an X-CSRF-Token header attached

Error

Started DELETE "/api/v1/users/sign_out" for 127.0.0.1 at 2018-11-29 11:26:51 +0900
Processing by Users::SessionsController#destroy as JSON
  Parameters: {"session"=>{}}
  User Load (2.2ms)  SELECT  `users`.* FROM `users` WHERE `users`.`id` = 1 ORDER BY `users`.`id` ASC LIMIT 1
  ↳ /Users/xxx/.rbenv/versions/2.5.3/lib/ruby/gems/2.5.0/gems/activerecord-5.2.1/lib/active_record/log_subscriber.rb:98
HTTP Origin header (http://localhost:3001) didn't match request.base_url (http://localhost:3000)

Solution

  • In development, add config.action_controller.forgery_protection_origin_check = false to config/environments/development.rb or similar. This only switches off the Origin comparison; the authenticity-token check itself still runs.
  • In production, leave the check on and instead serve the frontend and the API from the same origin, e.g. behind an nginx reverse proxy, so that the Origin header the browser sends matches request.base_url.

Cause of the error

  • In Rails 5 and later, config.action_controller.forgery_protection_origin_check is true by default
  • With it enabled, every non-GET/HEAD request covered by forgery protection (the DELETE above included, whether or not an X-CSRF-Token header is attached) runs the following check in addition to the token check. Here request.base_url is http://localhost:3000 while the SPA dev server sent Origin: http://localhost:3001, so the comparison fails even though the token is valid:
actionpack/lib/action_controller/metal/request_forgery_protection.rb#L398

      # Checks if the request originated from the same origin by looking at the
      # Origin header.
      def valid_request_origin?
        if forgery_protection_origin_check
          # We accept blank origin headers because some user agents don't send it.
          request.origin.nil? || request.origin == request.base_url
        else
          true
        end
      end
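To make the two solutions and the cause above concrete, here is an added, stand-alone Ruby model of the check (example code written for this page, not Rails' or devise's own code). It reproduces the decision in the quoted valid_request_origin? together with a simplified token check, and runs the article's DELETE request through it under each configuration: the cross-port dev setup, the origin check switched off, a same-origin reverse proxy, and a forged cross-site request. The Request struct, the verify function, the constructed session token and the hostnames (localhost:3000/3001, attacker.example) are assumptions for the example; the token comparison is a plain constant-time compare, not Rails' masked-token scheme.

```ruby
# Constructed stand-in for ActionDispatch::Request: only the fields the check reads.
# base_url is "scheme://host[:port]", which is what request.base_url returns.
Request = Struct.new(:method, :origin, :base_url, :csrf_header, keyword_init: true)

# Same decision as Rails 5's valid_request_origin? quoted above: a missing Origin
# header is accepted, a present one must equal base_url exactly (scheme, host, port).
def valid_request_origin?(request, origin_check: true)
  return true unless origin_check
  request.origin.nil? || request.origin == request.base_url
end

# The message Rails logs on a mismatch, rebuilt from the request fields.
def origin_mismatch_message(request)
  "HTTP Origin header (#{request.origin}) didn't match request.base_url (#{request.base_url})"
end

# Stand-in for the token half of Rails' verified_request?. Rails compares a masked
# per-form token against the session; here the session token is compared directly,
# in constant time, which is enough to show how it interacts with the origin check.
def authenticity_token_valid?(header, session_token)
  return false if header.nil? || header.bytesize != session_token.bytesize
  header.bytes.zip(session_token.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
end

# Reads are exempt, as in Rails; every other verb must pass both gates.
# Returns :ok, :origin_mismatch or :bad_token so the caller can see which gate failed.
def verify(request, session_token, origin_check: true)
  return :ok if %w[GET HEAD].include?(request.method)
  return :origin_mismatch unless valid_request_origin?(request, origin_check: origin_check)
  return :bad_token unless authenticity_token_valid?(request.csrf_header, session_token)
  :ok
end

# Constructed session secret for the example; not a real Rails token.
SESSION_TOKEN = 'constructed-session-token-0123456789'.freeze

# The article's request: the SPA calls DELETE /api/v1/users/sign_out on the API at :3000.
def spa_logout(origin:, token: SESSION_TOKEN)
  Request.new(method: 'DELETE', origin: origin,
              base_url: 'http://localhost:3000', csrf_header: token)
end

def scenarios
  {
    # Article's failing request: valid token, but Origin (:3001) != base_url (:3000).
    cross_port_dev: verify(spa_logout(origin: 'http://localhost:3001'), SESSION_TOKEN),
    # The development fix: origin check off, token still enforced.
    cross_port_check_off: verify(spa_logout(origin: 'http://localhost:3001'), SESSION_TOKEN,
                                 origin_check: false),
    # The production fix: frontend and API behind one origin, so Origin matches base_url.
    same_origin_proxy: verify(spa_logout(origin: 'http://localhost:3000'), SESSION_TOKEN),
    # User agents that omit Origin are accepted by design.
    no_origin_header: verify(spa_logout(origin: nil), SESSION_TOKEN),
    # Forged cross-site request with a guessed token: stopped by the origin check...
    forged_with_check: verify(spa_logout(origin: 'https://attacker.example', token: 'guess'),
                              SESSION_TOKEN),
    # ...and, with the check disabled, still stopped by the token check.
    forged_check_off: verify(spa_logout(origin: 'https://attacker.example', token: 'guess'),
                             SESSION_TOKEN, origin_check: false)
  }
end

if __FILE__ == $PROGRAM_NAME
  scenarios.each { |name, result| puts "#{name}: #{result}" }
  puts origin_mismatch_message(spa_logout(origin: 'http://localhost:3001'))
end
```

The forged cases are the reason the development-only workaround is tolerable: with the Origin comparison disabled, a cross-site request is still rejected unless the attacker also holds a valid authenticity token. What the workaround gives up is defence in depth against token leakage, which is why the production answer is to make Origin and base_url agree rather than to turn the check off.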
