DigitalOcean 1-Click Rails App - InvalidAuthenticityToken

August 1, 2018
Ruby on Rails Applications DigitalOcean Nginx Ubuntu 16.04

I, [2018-08-01T00:08:14.616530 #13285] INFO -- : Started POST "/login" for 108.3.168.115 at 2018-08-01 00:08:14 +0000
I, [2018-08-01T00:08:14.628178 #13285] INFO -- : Processing by SessionController#create as HTML
I, [2018-08-01T00:08:14.629969 #13285] INFO -- : Parameters: {"utf8"=>"✓", "authenticity_token"=>"9d2SwyolmTOHHo21SYVb7R8cGuTG8lCDpN5A/vrs1jr1IHv12yadJ+0YqH6gI4U5JQCZghF3vG0VQnhIdS7htQ==", "session"=>{"email"=>"", "password"=>"[FILTERED]"}, "commit"=>"Log in"}
W, [2018-08-01T00:08:14.638901 #13285] WARN -- : Can't verify CSRF token authenticity.
I, [2018-08-01T00:08:14.639597 #13285] INFO -- : Completed 422 Unprocessable Entity in 9ms (ActiveRecord: 0.0ms)
F, [2018-08-01T00:08:14.642361 #13285] FATAL -- :
F, [2018-08-01T00:08:14.642791 #13285] FATAL -- : ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken):

This webpage works fine on my development box, which doesn't use Nginx or Unicorn. At first I assumed that maybe I'd forgotten to populate the SECRET_KEY_BASE and that was causing issues, but it seems that the 1-click Rails App does in fact populate the ENV variable for SECRET_KEY_BASE, so I guess that isn't the problem.

1 Answer
Zetal August 1, 2018
Accepted Answer

Referencing this link: https://www.rubytreesoftware.com/resources/secure-your-cookies/

I was able to solve the problem.

config/environments/production.rb

config.force_ssl = true

In config/initializers/session_store.rb set secure: true; optionally only do this for certain Rails environments (e.g., Staging / Production):

Rails.application.config.session_store :cookie_store, key: '_testapp_session', secure: true

I then had to also modify the nginx /rails config file, adding

proxy_set_header X-Forwarded-Proto https;

to each location, next to the other proxy_set_header lines.

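Why the third step is the one that matters: once the session cookie is marked secure, Rails only writes it if it believes the request arrived over https, and behind a TLS-terminating nginx the hop to Unicorn is plain http, so the only way Rails can know is the forwarded scheme header. The following is an added example, not code from the question, the answer, Rails or nginx: a small pure-Ruby model of Rack's scheme detection and of ActionDispatch's "secure cookie over a non-SSL request is dropped" rule, run against two constructed Rack env fragments (with and without the header the answer adds). The function and constant names are this example's own.

```ruby
# Added example (not Rails' or nginx's own code): models the two rules that
# make `proxy_set_header X-Forwarded-Proto https;` necessary once the Rails
# session cookie is marked secure.

# Modelled on Rack::Request#scheme: forwarded-scheme headers set by the proxy
# are consulted before the raw socket scheme. Behind a TLS-terminating nginx
# the nginx -> Unicorn connection is plain http, so without one of these
# headers Rails concludes the browser used http.
def request_scheme(env)
  if env["HTTPS"] == "on"
    "https"
  elsif env["HTTP_X_FORWARDED_SSL"] == "on"
    "https"
  elsif env["HTTP_X_FORWARDED_SCHEME"]
    env["HTTP_X_FORWARDED_SCHEME"]
  elsif env["HTTP_X_FORWARDED_PROTO"]
    # A chained proxy may send "https, http"; the first (outermost) hop wins.
    env["HTTP_X_FORWARDED_PROTO"].split(",").first.strip
  else
    env["rack.url_scheme"]
  end
end

def ssl?(env)
  request_scheme(env) == "https"
end

# Modelled on ActionDispatch's cookie jar rule: a cookie flagged secure is only
# written when the request is seen as https, except in environments that set
# always_write_cookie (Rails does this in development and test), which is why
# the same app logs in fine on a dev box without nginx.
def write_cookie?(env, cookie_options, always_write_cookie: false)
  ssl?(env) || !cookie_options[:secure] || always_write_cookie
end

# Outcome of the login flow: if the session cookie is dropped on the GET that
# rendered the form, the POST arrives with no session, the form's token cannot
# be matched, and Rails answers 422 with InvalidAuthenticityToken (as in the
# log above).
def login_outcome(env, session_cookie_options, always_write_cookie: false)
  if write_cookie?(env, session_cookie_options, always_write_cookie: always_write_cookie)
    :session_persisted
  else
    :invalid_authenticity_token
  end
end

# Constructed Rack env fragments for the two nginx configurations.
UNICORN_NO_FORWARDED_PROTO = {
  "rack.url_scheme" => "http",   # the nginx -> Unicorn hop itself is http
  "HTTP_HOST"       => "example.test",
}.freeze

UNICORN_WITH_FORWARDED_PROTO = UNICORN_NO_FORWARDED_PROTO.merge(
  # produced by: proxy_set_header X-Forwarded-Proto https;
  "HTTP_X_FORWARDED_PROTO" => "https"
).freeze

# The session store from the accepted answer.
SECURE_SESSION = { key: "_testapp_session", secure: true }.freeze

if __FILE__ == $0
  puts "without X-Forwarded-Proto: #{login_outcome(UNICORN_NO_FORWARDED_PROTO, SECURE_SESSION)}"
  puts "with X-Forwarded-Proto:    #{login_outcome(UNICORN_WITH_FORWARDED_PROTO, SECURE_SESSION)}"
  puts "dev box (always_write_cookie): #{login_outcome(UNICORN_NO_FORWARDED_PROTO, SECURE_SESSION, always_write_cookie: true)}"
end
```

Two practical checks follow from the model. First, nginx must set the header unconditionally (proxy_set_header replaces any client-supplied X-Forwarded-Proto), otherwise a client could claim https on a plain-http listener; with the directive from the answer in place that is the case. Second, because Rack honours the first value of a comma-separated header, the same directive is correct even when another proxy sits in front of nginx.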