We've just upgraded our Errbit app (https://github.com/errbit/errbit) from 0.6.0 to the latest version and we're finding that every POST request is throwing an exception that the CSRF token is invalid. If you change the protect_from_forgery in the ApplicationController to protect_from_forgery with: :exception, it will throw the InvalidAuthenticityException on every POST request.
Example from the logs:
Processing by Devise::SessionsController#new as HTML
Parameters: {"utf8"=>"✓", "authenticity_token"=>"iyoHKsD5c68Vk0rsiOG/oaNt+jauqy/IUIYK3GVFCnRikVDd9fFntyFBS2noPlKke27qw18yHw7MPpuglIMrdg==", "user"=>{"email"=>"[email protected]", "password"=>"[FILTERED]", "remember_me"=>"0"}}
Can't verify CSRF token authenticity.
It's not clear why this is happening, as the SECRET_KEY_BASE is present, and we've confirmed that the form and CSRF meta tags are all present in the code. It also works fine locally and worked before the upgrade.
The session_store also doesn't specify anything about domains (and didn't before):
Rails.application.config.session_store :cookie_store, key: '_errbit_session'
What could cause this to happen? We're a bit stuck as to what to check next.
This commit to upgrade to Rails 5.0
https://github.com/errbit/errbit/commit/df2c0a6f8adc9190547d9c1b9ffb0a3fc20f0941?diff=split
introduced Rails.application.config.action_controller.forgery_protection_origin_check = true
in the file config/initializers/new_framework_defaults.rb,
which led to this issue when using nginx as a reverse proxy and not providing sufficient headers. To fix this, I had to pass on more nginx headers as explained here:
https://github.com/rails/rails/issues/22965#issuecomment-172929004
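To make the failure mode in the answer above concrete, here is an added illustration that is not code from the answer, from Errbit or from Rails. It is a stand-alone model of the Rails 5 origin check (a missing Origin header passes; otherwise Origin must equal the request's base URL), with a simplified version of how Rack derives the scheme and host from X-Forwarded-Proto, X-Forwarded-Host and Host. The hostname errbit.example.com, the upstream localhost:3000 and the three request environments are constructed for the example.

```ruby
# Added example (not Errbit or Rails code): a minimal model of the Rails 5
# forgery_protection_origin_check, showing why the nginx proxy headers matter.
# The scheme/host derivation is a simplified version of what Rack's
# Request#base_url does; real Rack also looks at X-Forwarded-Port,
# X-Forwarded-SSL and handles comma-separated header lists in more detail.

# Scheme as the app sees it: X-Forwarded-Proto (first hop) wins, otherwise the
# scheme of the connection the app server itself accepted.
def effective_scheme(env)
  forwarded = env["HTTP_X_FORWARDED_PROTO"]
  return forwarded.split(",").first.strip if forwarded && !forwarded.empty?
  env["rack.url_scheme"]
end

# Host as the app sees it: X-Forwarded-Host (last hop) wins, otherwise Host.
def effective_host(env)
  forwarded = env["HTTP_X_FORWARDED_HOST"]
  return forwarded.split(",").last.strip if forwarded && !forwarded.empty?
  env["HTTP_HOST"]
end

def base_url(env)
  "#{effective_scheme(env)}://#{effective_host(env)}"
end

# Model of Rails 5 valid_request_origin?: a missing Origin header is accepted
# because some user agents do not send one; when present it must equal
# base_url exactly, scheme included.
def valid_request_origin?(env, origin_check: true)
  return true unless origin_check
  origin = env["HTTP_ORIGIN"]
  origin.nil? || origin == base_url(env)
end

# Constructed scenario: the browser submits the Devise login form over HTTPS
# to the public hostname; nginx terminates TLS and forwards to the app over
# plain HTTP.
BROWSER_ORIGIN = "https://errbit.example.com".freeze

# nginx with a bare `proxy_pass http://localhost:3000;` and no
# proxy_set_header: the app sees the upstream name as Host and http as scheme.
BARE_PROXY_ENV = {
  "rack.url_scheme" => "http",
  "HTTP_HOST"       => "localhost:3000",
  "HTTP_ORIGIN"     => BROWSER_ORIGIN,
}.freeze

# `proxy_set_header Host $host;` alone: the host is right but the scheme still
# says http, so the Origin comparison still fails.
HOST_ONLY_PROXY_ENV = BARE_PROXY_ENV.merge("HTTP_HOST" => "errbit.example.com").freeze

# `proxy_set_header Host $host;` plus
# `proxy_set_header X-Forwarded-Proto $scheme;`: base_url now equals Origin.
FORWARDED_PROXY_ENV = HOST_ONLY_PROXY_ENV.merge("HTTP_X_FORWARDED_PROTO" => "https").freeze

if $PROGRAM_NAME == __FILE__
  [["bare proxy", BARE_PROXY_ENV],
   ["Host only", HOST_ONLY_PROXY_ENV],
   ["Host + X-Forwarded-Proto", FORWARDED_PROXY_ENV]].each do |label, env|
    puts "#{label.ljust(26)} base_url=#{base_url(env).ljust(28)} " \
         "origin_ok=#{valid_request_origin?(env)}"
  end
end
```

The same request, with the same authenticity_token, passes or fails purely on what the proxy forwards: with only proxy_pass, base_url is http://localhost:3000 and the check rejects the POST; fixing Host alone still leaves an http/https mismatch; only once X-Forwarded-Proto is forwarded as well does base_url match the browser's Origin. This is also why the setup "works fine locally", where there is no proxy and Origin and base_url agree.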