I've enable token based authentication (token_authenticatable) in devise in my rails app and it's working well. Now I'm making an android application that uses the web service provided by this rails app. It stores the devise auth_token after first login and uses it to make subsequent requests so that user does not have to log in later. The problem is that I get InvalidAuthenticityToken error when I call the update action from the android app. I don't want to make an extra call to the server to get the authenticity token or remove protect_from_forgery from the update action. Any suggestions?
Asked
Active
Viewed 1,544 times
1 Answers
0
Look into using stateless tokens. They should be just what you need. Devise and Stateless tokens in Rails
-
Tried it but didn't really work for me. But I just got around the problem by using content-type header to application/json and passing a json body. – bala Jun 08 '11 at 05:10
-
Hmm, so now all JSON is unauthenticated? – Devin M Jun 08 '11 at 05:11
-
It turns out that since browsers can't use content-type json, so there is no risk of CSRF attacks. So rails doesn't do authenticity token validations on the requests. – bala Jun 08 '11 at 07:41
-
I can forge content headers, just saying. https://addons.mozilla.org/en-us/firefox/addon/modify-headers/ – Devin M Jun 08 '11 at 14:15
-
Yeah true but there's practically no possibility that the attacker could forge content headers in user's browser. – bala Jun 09 '11 at 03:53