My application is built using rails 3 and i have added the csrf_meta_tag in application.html.erb.
<%= csrf_meta_tag %>
Authenticity token is changing for different users, but the token is same in the entire session i.e its not changing for each put & post request.
Any idea how to fix this issue?
Authenticity token stays same for the entire session. it does not changes for every request as a copy of authenticity in encrypted form is mapped in with your cookies which is used to match against whether the authenticity token is valid or not
Just set session[:csrf_token]=nil if you want it to change for every request
Just cross check this I know this work but done it long back
Also just check if this link for more info
Related
after successfully getting past the login page using curl in Linux (bash) with two sites that use information from the HTML-form field to accomplish this, I now also want to login to another site with my credentials that is a bit more tricky. I'm new to this and it seems that it works with OAuth so I need an access token first. With my two successfull attempts it was necessary to extract a CSRF token from the HTML code so as to prove I'm not a malicious bot. But now it's completely different and the server thinks I'm a bot (see error messages below).
Can somebody please confirm whether these are the only steps involved for logging in to an OAuth protected site:
a POST request to the server that generates the token (https://name_of_site/api/v1/auth/token)
a GET request to a password-protected part of the website using the access token from step 1
When I try step 1, I get error messages as shown below*. I inspected the website before logging in and afterwards with a browser and copied everything as cURL (bash). In the header fields of the token request I can find two more fields that look like they provide dynamic information:
x-trace-request-id
x-recaptcha-v3
I did some research and found that the request ID stays the same for some interactions that go to and from a server to facilitate identification of the client(?).
And concerning the recaptcha, I know what a recaptcha is, but I did not have to solve any captchas when accessing the site with a browser. So I'm quite unsure about these bits of information.
I strongly assume that I need to send one or both of these headers in the first step to actually get an acess token. But how could I get valid values for these parameters with cURL?
Any help is aprreciated! Please point me in the right direction. I can provide more information if needed, of course.
{"status":"ERROR","statusCode":400,"data":{"message":"Request failed with status code 400","error":"invalid_grant","error_description":"invalid credential","bot-detection-error":"MissingAdditionalAuthToken"}}
This is the error I get when I do not provide x-trace-request-id and x-recaptcha-v3
{"status":"ERROR","statusCode":400,"data":{"message":"Request failed with status code 400","error":"invalid_grant","error_description":"invalid credential","bot-detection-error":"InvalidCaptchaV3Token"}}This is the error I get when I simply use the values as copied from the old request when I used the browser
In my jmeter web recording, I have an api/authenticate part which generates the token which has to be used
in subsequent requests. I did the part of correlation too. But the problem I face now is, the api/authenticate throws a session still persists error after sometime. In my script I have log out option too. In api/authenticate I am providing username and password in the headers. Since the session exists error is there, I can't get the token in the response body. Is it something that developers can fix for us? can you please help me with this? Or is there any request which is missing above this authentication part which jmeter didn't capture? I have authentication header manager added to my test plan to clear
authorization every iteration. Also cookie manager and cache manager. Nothing clears the session.
For well-behaved application "log out" request should clean the session, if it doesn't - you need to report it to your application developers.
Also check the token response, it might be the case it has some time to live and if this is the case the token persistence could be a part of your application functionality so if there is a username/password combination associated with the token you should be using it until it expires before getting the new one. So you can write the token and its expiration date into a CSV file using Flexible File Writer and use If Controller to check whether the token is still active or not
I'm looking for a way to use a URL provided as a parameter in the POST request to create a user as the confirmation URL for confirming my Devise user model. The use case is that I have a rails application acting as an API for a frontend react app (setup using webpack) and I want the URL in the confirmations instructions email sent to the user to link to the frontend app, which would then send an API request to the backend to manually confirm the user, instead of the user visiting my backend API URLs themselves.
I want it so that the backend could potentially be used with other clients in the future, so the URL to be used must be variable. Currently I'm trying to pass it in the API request to create the user, and then somehow I would need a way to get this variable into the Devise mailer.
The end goal looks something like this:
# app/views/devise/mailer/confirmation_instructions.html.erb
<p>Welcome <%= #email %>!</p>
<p>You can confirm your account email through the link below:</p>
<p><%= link_to 'Confirm my account', #custom_confirmation_url ? "#{#custom_confirmation_url}#{#token}" : confirmation_url(#resource, confirmation_token: #token) %></p>
where #custom_confirmation_url is the variable holding the value of the URL passed into the POST request to register a new user.
I was potentially thinking of simply redirecting the user to my frontend after the confirmation, with something like this but I don't see how I'd make it work with multiple frontend clients, if I went that route.
I'm open to thoughts on whether or not this approach is even worth considering, or if there's a more stylistically correct way of accomplishing this.
I have many small pages that do not correspond to standard resource-based forms in my Rails 3.2.13 project. I am using Ajax calls from these forms to do POSTs. I'm getting the error:
WARNING: Can't verify CSRF token authenticity
which is causing my session to be invalidated and I'm redirected to the login page.
How can I include the CSRF stuff without using form_for?
To include the hidden input field with CSRF token in your view, use
<%= hidden_field_tag(request_forgery_protection_token.to_s, form_authenticity_token) %>
form_for uses the method FormTagHelper.token_tag, but it's a private method and can't be used directly.
In my application i am using restful authentication for authenticating login. But the problem is whenever i login and check the logs, my password is sent in cleartext and it is easily readable. I tried many things but still the issue exists.
Any idea on how to fix this.
Found the solution.
In application.rb just add the following line, the remaining will be taken care;
config.filter_parameters << :password