프로덕션에서 Rails 애플리케이션을 실행하는 중입니다. 여전히 개념 증명이지만 ActionController::InvalidAuthenticityToken
양식 제출에 대한 예외가 발생합니다. 내 이해는 Rails 6 (또는 이전 버전)에서는 protect_from_forgery
콜백이 이제 기본적으로 호출된다는 것입니다. 작동하도록하기 위해 파일에 구성 옵션 config.action_controller.allow_forgery_protection = false
을 추가했으며 config/environments/production.rb
이제 위조 방지를 다시 활성화하는 작업을 진행 중이므로 재정의를 제거하고 일부 양식을 제출하려고 시도했습니다 (또는 기본적으로 POST / PUT / PATCH / DELETE 방법).
내 ApplicationController는 protect_from_forgery
수동으로 호출하지 않으며 모든 GET 요청이 제대로 작동하는 것으로 보입니다. 내는 application.html.haml
다음 내를 포함 %head
:
= csrf_meta_tags
= csp_meta_tag
내 양식이 사용 bootstrap_form_with
중이며 authenticity_token
양식에있는 것과 일치 하는 양식 매개 변수를 제출 하고 있습니다 %head
(Chrome 개발 도구 및 로그에서 확인 됨). 제출할 때 응답이 로그에 예외가있는 422 오류임을 알 수 있습니다.
[3d603471-3240-4401-a3a2-e9ba3c6ac358] ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken):
[3d603471-3240-4401-a3a2-e9ba3c6ac358]
[3d603471-3240-4401-a3a2-e9ba3c6ac358] actionpack (6.0.2.1) lib/action_controller/metal/request_forgery_protection.rb:217:in `handle_unverified_request'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] actionpack (6.0.2.1) lib/action_controller/metal/request_forgery_protection.rb:249:in `handle_unverified_request'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] devise (4.7.1) lib/devise/controllers/helpers.rb:255:in `handle_unverified_request'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] actionpack (6.0.2.1) lib/action_controller/metal/request_forgery_protection.rb:244:in `verify_authenticity_token'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] activesupport (6.0.2.1) lib/active_support/callbacks.rb:429:in `block in make_lambda'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] activesupport (6.0.2.1) lib/active_support/callbacks.rb:201:in `block (2 levels) in halting'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] actionpack (6.0.2.1) lib/abstract_controller/callbacks.rb:34:in `block (2 levels) in <module:Callbacks>'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] activesupport (6.0.2.1) lib/active_support/callbacks.rb:202:in `block in halting'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] activesupport (6.0.2.1) lib/active_support/callbacks.rb:514:in `block in invoke_before'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] activesupport (6.0.2.1) lib/active_support/callbacks.rb:514:in `each'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] activesupport (6.0.2.1) lib/active_support/callbacks.rb:514:in `invoke_before'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] activesupport (6.0.2.1) lib/active_support/callbacks.rb:110:in `block in run_callbacks'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] ahoy_matey (3.0.1) lib/ahoy/controller.rb:45:in `set_ahoy_request_store'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] activesupport (6.0.2.1) lib/active_support/callbacks.rb:121:in `block in run_callbacks'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] activesupport (6.0.2.1) lib/active_support/callbacks.rb:139:in `run_callbacks'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] actionpack (6.0.2.1) lib/abstract_controller/callbacks.rb:41:in `process_action'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] actionpack (6.0.2.1) lib/action_controller/metal/rescue.rb:22:in `process_action'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] actionpack (6.0.2.1) lib/action_controller/metal/instrumentation.rb:33:in `block in process_action'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] activesupport (6.0.2.1) lib/active_support/notifications.rb:180:in `block in instrument'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] activesupport (6.0.2.1) lib/active_support/notifications/instrumenter.rb:24:in `instrument'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] activesupport (6.0.2.1) lib/active_support/notifications.rb:180:in `instrument'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] actionpack (6.0.2.1) lib/action_controller/metal/instrumentation.rb:32:in `process_action'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] actionpack (6.0.2.1) lib/action_controller/metal/params_wrapper.rb:245:in `process_action'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] activerecord (6.0.2.1) lib/active_record/railties/controller_runtime.rb:27:in `process_action'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] actionpack (6.0.2.1) lib/abstract_controller/base.rb:136:in `process'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] actionview (6.0.2.1) lib/action_view/rendering.rb:39:in `process'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] actionpack (6.0.2.1) lib/action_controller/metal.rb:191:in `dispatch'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] actionpack (6.0.2.1) lib/action_controller/metal.rb:252:in `dispatch'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] actionpack (6.0.2.1) lib/action_dispatch/routing/route_set.rb:51:in `dispatch'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] actionpack (6.0.2.1) lib/action_dispatch/routing/route_set.rb:33:in `serve'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] actionpack (6.0.2.1) lib/action_dispatch/routing/mapper.rb:18:in `block in <class:Constraints>'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] actionpack (6.0.2.1) lib/action_dispatch/routing/mapper.rb:48:in `serve'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] actionpack (6.0.2.1) lib/action_dispatch/journey/router.rb:49:in `block in serve'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] actionpack (6.0.2.1) lib/action_dispatch/journey/router.rb:32:in `each'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] actionpack (6.0.2.1) lib/action_dispatch/journey/router.rb:32:in `serve'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] actionpack (6.0.2.1) lib/action_dispatch/routing/route_set.rb:837:in `call'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] warden (1.2.8) lib/warden/manager.rb:36:in `block in call'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] warden (1.2.8) lib/warden/manager.rb:34:in `catch'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] warden (1.2.8) lib/warden/manager.rb:34:in `call'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] rack (2.0.8) lib/rack/tempfile_reaper.rb:15:in `call'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] rack (2.0.8) lib/rack/etag.rb:25:in `call'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] rack (2.0.8) lib/rack/conditional_get.rb:38:in `call'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] rack (2.0.8) lib/rack/head.rb:12:in `call'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] actionpack (6.0.2.1) lib/action_dispatch/http/content_security_policy.rb:18:in `call'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] rack (2.0.8) lib/rack/session/abstract/id.rb:259:in `context'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] rack (2.0.8) lib/rack/session/abstract/id.rb:253:in `call'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] actionpack (6.0.2.1) lib/action_dispatch/middleware/cookies.rb:648:in `call'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] actionpack (6.0.2.1) lib/action_dispatch/middleware/callbacks.rb:27:in `block in call'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] activesupport (6.0.2.1) lib/active_support/callbacks.rb:101:in `run_callbacks'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] actionpack (6.0.2.1) lib/action_dispatch/middleware/callbacks.rb:26:in `call'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] actionpack (6.0.2.1) lib/action_dispatch/middleware/actionable_exceptions.rb:17:in `call'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] actionpack (6.0.2.1) lib/action_dispatch/middleware/debug_exceptions.rb:32:in `call'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] actionpack (6.0.2.1) lib/action_dispatch/middleware/show_exceptions.rb:33:in `call'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] turbolinks_render (0.9.17) lib/turbolinks_render/middleware.rb:77:in `call'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] railties (6.0.2.1) lib/rails/rack/logger.rb:38:in `call_app'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] railties (6.0.2.1) lib/rails/rack/logger.rb:26:in `block in call'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] activesupport (6.0.2.1) lib/active_support/tagged_logging.rb:80:in `block in tagged'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] activesupport (6.0.2.1) lib/active_support/tagged_logging.rb:28:in `tagged'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] activesupport (6.0.2.1) lib/active_support/tagged_logging.rb:80:in `tagged'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] railties (6.0.2.1) lib/rails/rack/logger.rb:26:in `call'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] ahoy_matey (3.0.1) lib/ahoy/engine.rb:22:in `call_with_quiet_ahoy'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] actionpack (6.0.2.1) lib/action_dispatch/middleware/remote_ip.rb:81:in `call'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] request_store (1.5.0) lib/request_store/middleware.rb:19:in `call'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] actionpack (6.0.2.1) lib/action_dispatch/middleware/request_id.rb:27:in `call'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] rack (2.0.8) lib/rack/method_override.rb:22:in `call'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] rack (2.0.8) lib/rack/runtime.rb:22:in `call'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] activesupport (6.0.2.1) lib/active_support/cache/strategy/local_cache_middleware.rb:29:in `call'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] actionpack (6.0.2.1) lib/action_dispatch/middleware/executor.rb:14:in `call'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] rack (2.0.8) lib/rack/sendfile.rb:111:in `call'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] actionpack (6.0.2.1) lib/action_dispatch/middleware/host_authorization.rb:77:in `call'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] railties (6.0.2.1) lib/rails/engine.rb:526:in `call'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] puma (4.3.1) lib/puma/configuration.rb:228:in `call'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] puma (4.3.1) lib/puma/server.rb:681:in `handle_request'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] puma (4.3.1) lib/puma/server.rb:472:in `process_client'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] puma (4.3.1) lib/puma/server.rb:328:in `block in run'
[3d603471-3240-4401-a3a2-e9ba3c6ac358] puma (4.3.1) lib/puma/thread_pool.rb:134:in `block in spawn_thread'
devise
위조 방지에 prepend를 사용 하도록 권장하는 것을 보았 으므로 ApplicationController에 다음을 추가했습니다.
protect_from_forgery with: :exception, prepend: true
왜 이런 일이 일어나는지에 대해 약간 당황스럽고 확실히 더 많은 코드 샘플을 제공 할 수 있지만 무엇이 필요한지 완전히 확신하지 못합니다.
정말 고마워
제 경우에는이 문제를 해결하려면 다음 config/environments/production.rb
과 같이 옵션을 활성화해야합니다 .
config.force_ssl = true
안타깝게도 질문을 한 지 오래 되었기 때문에 이것이 유일한 것인지 확실하지 않지만 요청한 후 위조 방지 기능이 작동하기 시작했습니다.
이 기사는 인터넷에서 수집됩니다. 재 인쇄 할 때 출처를 알려주십시오.
침해가 발생한 경우 연락 주시기 바랍니다[email protected] 삭제
몇 마디 만하겠습니다