8

I am using PaypalAdaptive. It sends the IPN notification properly. The ipn_notification action method is as follows:

def ipn_notification
  # Build an IPN notification object and post the raw body back to PayPal for validation
  ipn = PaypalAdaptive::IpnNotification.new
  ipn.send_back(request.raw_post.to_json)

  print "=====================request.raw_post#{request.raw_post}=============="

  if ipn.verified?
    PaymentMailer.notify_unknown(request.raw_post).deliver
  else
    logger.info "IT DIDNT WORK"
  end
  render :nothing => true
end

but it returns this error:

WARNING: Can't verify CSRF token authenticity rails

Any help with this problem?

DavidJ
vajapravin

3 Answers

19

In your controller:

skip_before_filter :verify_authenticity_token, :only => [:ipn_notification]

For people reading too quickly and handing out -1 (skipping an important part: it's not a POST call from the client...):

  • yes, it skips a security check BUT... read on...

  • yes, it's the only way to accept POST requests from an external website

  • yes, it's safe: you obviously check the params and keys when receiving a call from PayPal or the like.

apneadiving
  • Answers are better when explained, too ;) – matthias krull Jul 18 '13 at 11:08
  • It is not the very short answer that made me -1 it. It is the missing explanation of the security implications that come with an implementation like yours. You basically bypass the CSRF protection .. which is a bad thing in combination with payment ;) – matthias krull Jul 18 '13 at 12:53
  • @matthiaskrull is there any alternative when receiving a POST from third-party services? I don't think so. Since the response is then checked using shared auth keys, it's not an issue. – apneadiving Jul 18 '13 at 12:55
  • I don't see any. But that is not the point I wanted to make. Maybe it is just me but I think it is worth mentioning what a line of code really does if it changes security relevant behavior. – matthias krull Jul 18 '13 at 13:07
  • @matthiaskrull when there is no alternative and the answer is good, your remark makes a great comment. I leave you happy with blaming power – apneadiving Jul 18 '13 at 13:11
  • @apneadiving This answer is opening a very basic and big security hole in the authentication system. The simplest and easiest way to solve this is by setting the headers in the request so the authentication does not break. Check the other answer to know more. – Ankur Agarwal Aug 21 '13 at 12:43
  • @AnkurAgarwal you are completely wrong when it concerns external calls like the one the OP is talking about. – apneadiving Aug 21 '13 at 13:28
  • How do you get paypal to send the correct headers? You don't. – hunterp Feb 14 '14 at 20:03
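To make concrete what "you obviously check params and keys" means once CSRF verification is skipped for the IPN action, here is an added example (not code from the question, the PaypalAdaptive gem, or PayPal). It is a plain-Ruby reimplementation of the IPN postback check that the gem's `verified?` performs internally, with the controller-independent logic pulled into a class so it runs without Rails: the controller would keep the `skip_before_filter :verify_authenticity_token, :only => [:ipn_notification]` line from this answer and hand `request.raw_post` to `IpnHandler#handle`. The postback protocol (echo the body to PayPal prefixed with `cmd=_notify-validate`, expect `VERIFIED`) is PayPal's documented classic IPN validation; the `IpnHandler` class, its method names, the `post_back` injection point, and the field names `receiver_email`, `payment_status` and `txn_id` (classic IPN names, an assumption for Adaptive Payments, whose IPN fields differ) are all this example's own choices. The sample IPN body and the fake postback responses are constructed for the demo.

```ruby
require 'net/http'
require 'uri'
require 'cgi'
require 'set'

# Hypothetical IPN handler (not the PaypalAdaptive gem's code). Because the
# controller action skips the CSRF filter, the IPN body is untrusted input:
# every authorization decision has to come from these checks instead.
class IpnHandler
  # PayPal's classic IPN postback endpoint (documented by PayPal).
  VERIFY_URL = URI('https://ipnpb.paypal.com/cgi-bin/webscr')

  # expected_receiver: the PayPal account that must have received the money.
  # post_back: callable taking the raw body and returning PayPal's reply;
  #            injectable so the example can run offline with a stub.
  def initialize(expected_receiver:, post_back: method(:post_back_to_paypal))
    @expected_receiver = expected_receiver
    @post_back = post_back
    @seen_txn_ids = Set.new # in a real app, a DB unique index on txn_id
  end

  # Returns a symbol naming the outcome, so callers can log or assert on it.
  def handle(raw_post)
    params = CGI.parse(raw_post).transform_values(&:first)

    # 1. "Keys" check: ask PayPal whether it really sent this exact body.
    #    A forged POST from anyone else gets INVALID here.
    return :not_verified unless @post_back.call(raw_post) == 'VERIFIED'

    # 2. "Params" check: the payment must have gone to OUR account, not to
    #    an account the sender controls (a VERIFIED IPN can still be for
    #    someone else's transaction).
    return :wrong_receiver unless params['receiver_email'] == @expected_receiver

    # 3. Only a completed payment should unlock anything.
    return :not_completed unless params['payment_status'] == 'Completed'

    # 4. Replay protection: the same txn_id must not be processed twice.
    return :duplicate unless @seen_txn_ids.add?(params['txn_id'])

    :accepted
  end

  private

  # Real postback: PayPal answers with the literal body "VERIFIED" or "INVALID".
  def post_back_to_paypal(raw_post)
    Net::HTTP.post(VERIFY_URL,
                   "cmd=_notify-validate&#{raw_post}",
                   'Content-Type' => 'application/x-www-form-urlencoded').body
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample IPN body (form-encoded, as PayPal sends it).
  body = 'receiver_email=shop%40example.com&payment_status=Completed&txn_id=TX123&mc_gross=10.00'
  # Constructed stand-ins for PayPal's reply, so nothing goes over the network.
  always_verified = ->(_raw) { 'VERIFIED' }
  always_invalid  = ->(_raw) { 'INVALID' }

  handler = IpnHandler.new(expected_receiver: 'shop@example.com', post_back: always_verified)
  puts handler.handle(body)                                   # accepted
  puts handler.handle(body)                                   # duplicate (replayed)
  puts IpnHandler.new(expected_receiver: 'shop@example.com',
                      post_back: always_invalid).handle(body) # not_verified (forged)
end
```

The order of the checks matters: the postback comes first so that no field in the body is trusted before PayPal has confirmed the body is theirs, and the receiver check comes before anything is unlocked so that a genuine IPN for a payment to a different account cannot be replayed against this shop.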
15

The correct solution for this problem, without compromising security:

In your AJAX request, send the CSRF token value as a header.

var csrfToken = $("meta[name='csrf-token']").attr("content");
$.ajaxSetup({
  headers: {
    'X-CSRF-Token': csrfToken
  }
});
Ankur Agarwal
4

Add the following line to your application.js:

//= require jquery_ujs

And try again.

Abhi