Good day,
After updating lotusrb to 0.4.0 I’m getting this error after logging in to my web app:
Lotus::Action::InvalidCSRFTokenError: Lotus::Action::InvalidCSRFTokenError
My application.rb is like this:
sessions :cookie, key: "myapp.web", secret: ENV['WEB_SESSIONS_SECRET']
Is there any extra change that needs to be made to the session secrets after the update?
Thanks in advance.
@pastuxo found the problem.
We included the hidden csrf_token field in our forms:
%input{:name => "_csrf_token", :type => "hidden", :value => csrf_token}
That inclusion is not needed if form helpers are used.
Lotus 0.4.0 enables CSRF protection by default. I recommend using form helpers instead of this workaround, but it’s valid.
I talked with @darwinrc in the chat. Closing this issue.
@darwinrc I also remind you that you can bypass the CSRF protection by overriding #verify_csrf_token? in the related action:
module Web::Controllers::Books
  class Create
    include Web::Action

    def call(params)
      # ...
    end

    private

    # Returning false disables CSRF verification for this action only.
    def verify_csrf_token?
      false
    end
  end
end
Ref: https://github.com/lotus/lotus/pull/248
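A minimal Ruby model of the check this thread describes (a token stored in the session, compared against the hidden form field, with the same verify_csrf_token? opt-out hook), added here as an illustration and not Lotus's own implementation; the class names, the Hash-based session and params, and the constant-time comparison are assumptions:

```ruby
require 'securerandom'

# Error with the name reported in the issue; defined here only for this example.
class InvalidCSRFTokenError < StandardError; end

# Hypothetical base class modelling the behaviour discussed in the thread (not Lotus code).
# Assumptions: session and params are plain Hashes, the field is named "_csrf_token".
class ProtectedAction
  CSRF_TOKEN = '_csrf_token'.freeze

  def initialize(session)
    @session = session
  end

  # Token to embed in forms; generated once per session (a form helper would do this for you).
  def csrf_token
    @session[CSRF_TOKEN] ||= SecureRandom.hex(32)
  end

  # Hook an action can override to opt out, as in the override shown above.
  def verify_csrf_token?
    true
  end

  def call(params)
    if verify_csrf_token? && !valid_csrf_token?(params)
      raise InvalidCSRFTokenError, 'CSRF token missing or does not match the session'
    end
    handle(params)
  end

  private

  # Constant-time comparison so a mismatch position leaks nothing through timing.
  def valid_csrf_token?(params)
    expected, given = @session[CSRF_TOKEN], params[CSRF_TOKEN]
    return false if expected.nil? || given.nil? || expected.bytesize != given.bytesize
    expected.bytes.zip(given.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  def handle(_params)
    :ok
  end
end

# An action that disables the check, mirroring the #verify_csrf_token? override from the issue.
class UnprotectedAction < ProtectedAction
  def verify_csrf_token?
    false
  end
end
```

A request whose token is missing, mismatched, or of the wrong length raises InvalidCSRFTokenError, which is the error the original poster saw.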