Can I use curl or curb to POST to a form that uses rails' Cross-site request forgery protection?

Question

I have a simple rails webpage where a user enters in a few textfields and uploads a picture. Rails then stores the picture and updates the databases on the server. It works fine.

However, I also need a script on another computer to update the web page occasioanlly using the curl/curb libraries. When i try to do that, though, I get this error:

ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken)

When I look closer, it seems that rails puts in a hidden field called "authenticity_token" whenever it creates a form:

<form action="/headshots/single" enctype="multipart/form-data" method="post">
<input name="authenticity_token" type="hidden" value="798b514826513c881613a0c18b52839489a12181" />
. . .
</form>

The curb script won't work because it doesn't have the "authenticity_token" thing. Is there any way around this? Maybe make another webpage that does the same thing, but just for my curb script?

The fact that you're using curl makes me guess you're coming from a php background. The good news is you will never have to use curl again. — pguardiario, Apr 30 '12 at 10:23
Actually, I'm using curb which uses the curl libraries I believe. I haven't programmer PHP in years. — Steve Quezadas, Apr 30 '12 at 16:22

Michael Slade · Accepted Answer · 2012-04-30T10:26:19.470

The hidden input is there to prevent Cross-Site Request Forgery. You can't make a post to a rails action which is so protected without first getting the form and extracting the hidden authenticity_token parameter. curl isn't clever enough to do this on its own.

You have two options:

turn off the CSRF protection by removing the call to protect_from_forgery from your controller(s). Bad Idea.
run one request to get the form, use a quick-and-dirty regex to get the paremeter, say

/name="authenticity_token".*value="([^"]+)"/

and then run another request posting that value for authenticity_token. It's brittle and it might make people hate you but it will work.
Use something more sophisticated than curl to make the necessary request for the form and the successive submission. Mechanize appears to be the de facto standard.

I'm not familiar with curb, but if this thing can do posts I assume it can do gets. Why not have it do a get and pull out the auth token and then do the post? — Andy Gaskell, Apr 30 '12 at 09:52
I was in agreement until you parsed that response with regex. — pguardiario, Apr 30 '12 at 10:21

score 1 · Answer 2 · answered Apr 30 '12 at 10:20

1

How to submit a form with mechanize:

Mechanize.new.get('url_with_form').forms[0].tap{|f| f.field = 'value'}.submit

answered Apr 30 '12 at 10:20

pguardiario

53,827
19
119
159

Can I use curl or curb to POST to a form that uses rails' Cross-site request forgery protection?

2 Answers2