Rails choking on the content of this request because of protect_from_forgery

Posted by randombits on Stack Overflow
Published on 2010-04-18T01:54:22Z Indexed on 2010/04/18 2:03 UTC

I'm trying to simply test my RESTful API with cURL. Using the following invocation:

curl -d "name=jimmy" -H "Content-Type: application/x-www-form-urlencoded" http://127.0.0.1:3000/people.xml -i

Rails is dying though:

ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken): :8:in `synchronize'

Looks like it's running this through a protect_from_forgery filter. I thought protect_from_forgery is excluded for non-HTML HTTP POST/PUT/DELETE type requests? This is clearly targeting the XML format.

If I pass actual XML content, it works. But my users will be submitting POST data as URL encoded parameters. I know all the various ways I can disable protect_from_forgery but what's the proper way of handling this? I want to leave it on so that when I do have HTML based forms and handle format.html, I don't forget to re-enable it for then. I want users to be able to make HTTP POST requests to my XML-based API though and not get bombarded with this.
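An added example, not part of the original post and not Rails' own code: a simplified model of a forgery filter that decides from the request body's Content-Type rather than from the `.xml` response format, which matches the behaviour reported above. It assumes Rails 2.3-era logic; the constant, struct and method names are hypothetical and the requests are constructed samples.

```ruby
# Simplified model (assumption: Rails 2.3-era behaviour), not Rails source.
# Body types an HTML form in a browser can submit cross-site.
BROWSER_GENERATED_TYPES = [
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
  "text/html"
].freeze

# Constructed request record: method, path, Content-Type header, params.
Request = Struct.new(:http_method, :path, :content_type, :params)

# Strip parameters such as "; charset=utf-8" and normalise case.
def media_type(content_type)
  content_type.to_s.split(";").first.to_s.strip.downcase
end

# True when the body type is one a cross-site form could have produced.
def verifiable_body?(req)
  BROWSER_GENERATED_TYPES.include?(media_type(req.content_type))
end

# Returns [allowed, reason]. Note that req.path (the .xml suffix) is never read.
def forgery_check(req, session_token)
  return [true, "GET is not checked"] if req.http_method == "GET"
  return [true, "body type not browser-generated"] unless verifiable_body?(req)
  token = req.params["authenticity_token"]
  return [true, "token matches"] if token && token == session_token
  [false, "InvalidAuthenticityToken"]
end

SESSION_TOKEN = "constructed-sample-token"

# The cURL call from the question: form-encoded body sent to /people.xml.
CURL_FORM_POST = Request.new("POST", "/people.xml",
                             "application/x-www-form-urlencoded",
                             { "name" => "jimmy" })
# Same endpoint with an XML body, the case the question says works.
XML_POST = Request.new("POST", "/people.xml", "application/xml; charset=utf-8", {})
# Form-encoded body that carries the session's token.
FORM_POST_WITH_TOKEN = Request.new("POST", "/people.xml",
                                   "application/x-www-form-urlencoded",
                                   { "name" => "jimmy",
                                     "authenticity_token" => SESSION_TOKEN })

[CURL_FORM_POST, XML_POST, FORM_POST_WITH_TOKEN].each do |req|
  allowed, reason = forgery_check(req, SESSION_TOKEN)
  puts "#{media_type(req.content_type)} -> #{allowed ? 'allowed' : 'rejected'} (#{reason})"
end
```

The gate follows the body type because a cross-site HTML form can produce a form-encoded body but cannot set `application/xml`; later Rails releases dropped this exemption and check every non-GET request.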
