Invalid Authenticity Token


Recently, I decided to update an old school project and add authentication. The project, Problem Solver, is a dynamic, single-page web application that allows users to post their dilemmas, or their solutions to the plights of others. However, there were hurdles that I did not anticipate. I was faced with the most challenging step of building Problem Solver, which just so happened to be the most crucial: ensuring user security.

I created Problem Solver’s backend with Ruby on Rails, developing a custom API with user-generated problems and solutions, and storing that information in a sqlite3 database. I then integrated a vanilla JavaScript frontend that would send fetch requests to the backend models and controllers to parse and validate each problem/solution object.

If you are familiar with Ruby on Rails, you know that in order to protect users from cross-site request forgery (CSRF) attacks, you’d use embedded Ruby (ERB) to add a hidden field for an authenticity token, which would include an identifier unique to the device it’s generated on. But because I was using a JavaScript frontend as opposed to Rails’ views, I did not have the luxury of having Rails automatically create that token for me. So what happened when I couldn’t get the auth token to match what the Rails server had stored? There was a bit of irony in this: my Problem Solver app could not solve its own greatest problem.

{status: 422, error: "Unprocessable Entity", exception: "#<ActionController::InvalidAuthenticityToken: ActionController::InvalidAuthenticityToken>", traces: {…}}
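To make the 422 concrete, here is an added example (my own code, not from the original post) of what a JavaScript client has to send for Rails' CSRF check to pass: the same token the ERB hidden field would carry, delivered in the X-CSRF-Token header on a fetch request. It assumes the page is served by a Rails layout that renders csrf_meta_tags and that protect_from_forgery stays enabled; the author's separately hosted frontend could not rely on that meta tag, which is why the post moves on to JWT.

```javascript
// Added example: satisfying Rails' authenticity-token check from a JavaScript client.
// Assumed setup: the HTML is rendered by a Rails layout with csrf_meta_tags, and the
// backend keeps protect_from_forgery enabled rather than disabling it.

// csrf_meta_tags emits <meta name="csrf-token" content="...">. A regex is used here so
// the function also runs outside a browser; in the browser,
// document.querySelector('meta[name="csrf-token"]').content does the same job.
function extractCsrfToken(html) {
  const match = html.match(/<meta\s+name="csrf-token"\s+content="([^"]+)"/i);
  if (!match) {
    // Without a token every POST/PATCH/DELETE will come back as the 422 shown above.
    throw new Error('csrf-token meta tag not found; Rails will reject state-changing requests');
  }
  return match[1];
}

// The fetch() init object for a state-changing request. Rails accepts the token either
// as the authenticity_token form field or as the X-CSRF-Token header; the header is the
// natural fit for a JSON client. The session cookie must travel with the request,
// otherwise the server has no stored token to compare against.
function buildProtectedRequest(method, payload, csrfToken) {
  if (typeof csrfToken !== 'string' || csrfToken.length === 0) {
    throw new Error('refusing to build a request without a CSRF token');
  }
  return {
    method,
    credentials: 'same-origin',
    headers: {
      'Content-Type': 'application/json',
      'Accept': 'application/json',
      'X-CSRF-Token': csrfToken,
    },
    body: JSON.stringify(payload),
  };
}

// The shape of the request the post describes: a JSON body and no token at all,
// which is exactly what protect_from_forgery answers with InvalidAuthenticityToken.
function buildUnprotectedRequest(method, payload) {
  return {
    method,
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(payload),
  };
}

// Browser usage (hypothetical /problems endpoint):
//   const token = extractCsrfToken(document.documentElement.outerHTML);
//   fetch('/problems', buildProtectedRequest('POST', { title: 'My dilemma' }, token));
```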

But I had to persist. If I could get this app to work, it could be the one and only key to finding world peace! After doing intensive research and ignoring all of the poorly advised Stack Overflow comments to disable cross-site request forgery protection and move on, I found a solution that was promising: JSON Web Tokens (JWT).

Read my blog post on JWT to see how I implemented this feature into Problem Solver!

Chindalath Traymany

Laotian-American woman pursuing my passion for mentally stimulating and complex problem-solving through programming.