InvalidAuthenticityToken error on Rails 5 and later

Environment

  • Server: Rails 5
  • Front end: React/Angular
  • Occurs when sending Devise's sign_out request to Rails with an X-CSRF-Token header attached

Error

Started DELETE "/api/v1/users/sign_out" for 127.0.0.1 at 2018-11-29 11:26:51 +0900
Processing by Users::SessionsController#destroy as JSON
  Parameters: {"session"=>{}}
  User Load (2.2ms)  SELECT  `users`.* FROM `users` WHERE `users`.`id` = 1 ORDER BY `users`.`id` ASC LIMIT 1
  ↳ /Users/xxx/.rbenv/versions/2.5.3/lib/ruby/gems/2.5.0/gems/activerecord-5.2.1/lib/active_record/log_subscriber.rb:98
HTTP Origin header (http://localhost:3001) didn't match request.base_url (http://localhost:3000)

Solution

  • In development, add config.action_controller.forgery_protection_origin_check = false to config/environments/development.rb or similar
  • In production, handle it with an nginx reverse proxy or the like (so the front end and the API are served from the same origin)

Cause of the error

  • In Rails 5 and later, config.action_controller.forgery_protection_origin_check = true is the default
  • In that case, sending a request with an X-CSRF-Token header runs the following check
actionpack/lib/action_controller/metal/request_forgery_protection.rb#L398
      # Checks if the request originated from the same origin by looking at the
      # Origin header.
      def valid_request_origin?
        if forgery_protection_origin_check
          # We accept blank origin headers because some user agents don't send it.
          request.origin.nil? || request.origin == request.base_url
        else
          true
        end
      end
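To make the check above and the two fixes concrete, here is an added example (not code from the article or from Rails itself) that re-implements the Origin comparison as a stand-alone Ruby script. The Request struct and the base_url_for helper are assumptions standing in for Rails' request.origin and request.base_url; the sample requests are constructed to mirror the article's setup, with the API on port 3000 and the front end on port 3001.

```ruby
# Added example (not from the article or Rails): a stand-alone re-implementation
# of the Origin check that Rails' valid_request_origin? performs, so the
# behaviour behind the log line in the article can be exercised without a Rails app.
require "uri"

# Mimics the two request attributes the Rails check reads (assumed stand-in):
#   request.origin   -> the Origin header value (nil if the browser sent none)
#   request.base_url -> scheme://host[:port] of the URL the request actually hit
Request = Struct.new(:origin, :base_url)

# Same logic as Rails: when origin checking is on, a request passes only if
# the browser sent no Origin header or the header equals the base URL exactly.
# A different port (3001 vs 3000) is a different origin, so it fails.
def valid_request_origin?(request, forgery_protection_origin_check: true)
  return true unless forgery_protection_origin_check
  request.origin.nil? || request.origin == request.base_url
end

# Builds request.base_url from a full request URL: scheme, host, and the port
# only when it is not the scheme's default (hypothetical helper).
def base_url_for(url)
  u = URI.parse(url)
  default_port = (u.scheme == "https" ? 443 : 80)
  port = u.port == default_port ? "" : ":#{u.port}"
  "#{u.scheme}://#{u.host}#{port}"
end

# Reproduces the log message Rails emits for a failing request.
def origin_mismatch_message(request)
  "HTTP Origin header (#{request.origin}) didn't match request.base_url (#{request.base_url})"
end

# Constructed sample requests: the article's cross-port case, a same-origin
# request (what a reverse proxy in front of both apps produces), and one
# without an Origin header (accepted, as the Rails comment explains).
SIGN_OUT_URL = "http://localhost:3000/api/v1/users/sign_out"
SAMPLES = {
  cross_port:  Request.new("http://localhost:3001", base_url_for(SIGN_OUT_URL)),
  same_origin: Request.new("http://localhost:3000", base_url_for(SIGN_OUT_URL)),
  no_origin:   Request.new(nil, base_url_for(SIGN_OUT_URL)),
}

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |name, req|
    ok = valid_request_origin?(req)
    puts "#{name}: #{ok ? 'accepted' : origin_mismatch_message(req)}"
  end
  # The article's development-only workaround: with the check disabled,
  # the cross-port request is accepted too.
  disabled = valid_request_origin?(SAMPLES[:cross_port], forgery_protection_origin_check: false)
  puts "cross_port with check disabled: #{disabled}"
end
```

Running it prints the same mismatch message as the article's log for the cross-port case and "accepted" for the other two. The same_origin sample is the production-shaped fix: once a reverse proxy serves both the front end and the API under one scheme, host and port, the Origin header matches base_url and the check passes without being turned off.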

Other references
