1. 首页
  2. 问答
  3. 无法验证CSRF令牌的真实性

无法验证CSRF令牌的真实性

2017-01-22 142 views
2

我正在尝试安装Mollie API,但我没有找到webhook的工作方式。我正在Ruby on Rails 4中工作。它一直在说无法验证CSRF令牌的真实性。我尝试了几个从stackoverflow的答案,但他们不工作。例如。无法验证CSRF令牌的真实性

  • skip_before_filter:verify_authenticity_token
  • protect_from_forgery除外:[:通知]
  • protect_from_forgery用:null_session,如果: - > {?request.format.json}

我的通知控制器看起来像:

class ReservationsController < ApplicationController 
    before_action :authenticate_user!, except: [:notify] 

    skip_before_filter :verify_authenticity_token 

    def preload 
     training = Training.find(params[:training_id]) 
     today = Date.today 
     reservations = training.reservations.where("date >= ?", today) 

     render json: reservations 
    end 

    def create 



     @thrill = Thrill.find(params[:thrill_id]) 
     if @thrill.reservations.length < @thrill.training.tr_max_attendants 
      @reservation = current_user.reservations.create(reservation_params) 

      if @reservation 

       require 'Mollie/API/Client' 

       mollie = Mollie::API::Client.new('test_gUejkz43UkdeCauC22J6UNqqVRdpwW') 

       payment = mollie.payments.create(
        amount: 10.00, 
        description: 'My first API payment', 
        redirect_Url: 'http://d7459af1.ngrok.io/your_trips', 
        webhookUrl: 'http://d7459af1.ngrok.io/notify', 
        metadata: { 
         reservationid: @reservation.id 
        } 
       ) 



       @reservation.update_attributes payid:payment.id 

       redirect_to payment.payment_url 


      else 
       redirect_to @thrill.training, notice: "Helaas, de training is vol" 
      end 
     end 
    end 

    protect_from_forgery except: [:notify] 
# protect_from_forgery with: :null_session, if: -> {request.format.json?} 

    def notify 

     require 'Mollie/API/Client' 

     mollie = Mollie::API::Client.new('test_gUejkz43UkdeCauC22J6UNqqVRdpwW') 

     payment = mollie.payments.get(payment.id) 

     params.permit! 
     status = params[:payment_status] 

     if payment.paid? 

      reservation = Reservation.find(params[:payid]) 
      reservation.update_attributes status:true 
     else 
      reservation.destroy 
     end 

     render nothing: true 

    end 

    protect_from_forgery except: [:your_trips] 
    def your_trips 
     @reservations = current_user.reservations.joins(:thrill).order('thrills.thrilldate asc').where('? <= thrills.thrilldate', Date.today) 
    end 

    def your_reservations 
     @trainings = current_user.trainings 
    end 

    private 
     def reservation_params 

      params.permit(:thrill_id, :user_id) 
     end 


    end

如果有人有一个提示或暗示,将不胜感激! 谢谢!

来源

2017-01-22 Chris Rutte

+0

嗨克里斯。如果你是Rails新手:你在这里发布的代码看起来不像普通的Rails控制器。你能把所有的代码发布到你的通知控制器吗?我希望它启动'类NotifyController Mauddev

+0

嗨Mauddev,感谢您的评论。我确实对此很新,我添加了完整控制器。希望你能做到这一点。 –

回答

3

你需要在你的控制器的最顶部打电话protect_from_forgery,也可以在ApplicationController删除protect_from_forgery电话。

例子:

class ReservationsController < ApplicationController 
    before_action :authenticate_user!, except: [:notify] 

    skip_before_filter :verify_authenticity_token 

    protect_from_forgery except: [:notify, :your_trips] 

    # actions go below here

请注意,您可以通过多个动作为:except参数

附注:如果你是在一个JSON API唯一的应用程序的工作,我建议你看看到Rails API : https://github.com/rails-api/rails-api

来源

2017-01-22 21:37:59 Edward

相关问题

 相关问题