I was under the impression that Rails will regenerate the form_authenticity_token after any POST, PUT, or DELETE action. But for some reason, after a successful POST to the users resource the form_authenticity_token does not regenerate. I'm free to POST as many time as I would like with the same CSRF token over and over.
I've got a namespaced API and I'm using the RABL gem to build out my responses. This is how I have everything setup...
class Api::V1::UsersController < Api::V1::ApplicationController
...
def create
@user = User.new(params[:user])
render "show", :status => (@user.save ? :ok : :unprocessable_entity)
end
...
end
class Api::V1::ApplicationController < ApplicationController
layout '/api/v1/layouts/application.json.erb'
respond_to :json
before_filter :authenticate_user!
...
end
class ApplicationController < ActionController::Base
protect_from_forgery
end
The post goes through fine, there are no errors or warning in the development.log or in the consoled $ rails s log.
I've check verified_request? from within the create method and it's returning true. I've removed the render and setup a create.json.rabl view with the same code as the show.json.rabl view... no dice.
I'm running Rails 3.1.3 w/ Ruby 1.9.2p290 w/ a cookie session store.
The authenticity token is being sent via request header (X-CSRF-Token)
