DEV Community

Ben Halpern
ActionController:: InvalidAuthenticityToken — What's Going On Here?

There are a few things going on with ActionController::InvalidAuthenticityToken, so let's get into it!

First of all, ActionController is the class that all "controllers" in Ruby on Rails inherit from, and it comes with a lot of functionality built in, such as "checking whether an authenticity token is valid". Because Rails prefers convention over configuration and is highly opinionated, this behavior is on by default rather than something you have to import and enable yourself.

We get this error when the controller detects that we have not properly passed a CSRF (Cross-Site Request Forgery) token along with a POST, PUT, PATCH, or DELETE request. These are the types of requests where we typically send new data to the server, so the server needs to verify that the request was made legitimately on behalf of a user of the website rather than triggered from some other site.

Read more about CSRF and related vulnerabilities here...

When we use a form_for or related helper in Rails, we magically pass an authenticity_token as a parameter along with the request. So if you submit a plain HTML form without manually including a properly generated CSRF authenticity token (the one generated for the page the form was rendered on), you're going to get the InvalidAuthenticityToken error.

Sometimes we'll want to legitimately skip this behavior if we know we don't need to make this check. That can be done, with caution, like this...

# In the controller (ideally scoped to specific actions with only: [...]) that should bypass the check
skip_before_action :verify_authenticity_token
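To make visible what that before_action is actually checking, here is an added stand-alone Ruby model of the masked-token scheme Rails uses: a random per-session secret, masked with a fresh one-time pad every time a form is rendered, and unmasked and compared on submit. It is not Rails' own code; the function names and the `:_csrf_token` session key are assumptions for illustration.

```ruby
require 'securerandom'
require 'base64'

TOKEN_LENGTH = 32

# Per-session secret. Rails keeps this in the session; if the session store
# is wiped (the cache-store situations described in the comments below),
# every token minted against it becomes invalid and the next POST raises.
def real_csrf_token(session)
  session[:_csrf_token] ||= SecureRandom.random_bytes(TOKEN_LENGTH)
end

def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

# Value placed in the hidden authenticity_token field: a fresh one-time pad
# followed by pad XOR secret, base64-encoded, so the same session secret
# looks different on every render (Rails masks it this way to blunt BREACH).
def masked_authenticity_token(session)
  pad = SecureRandom.random_bytes(TOKEN_LENGTH)
  Base64.strict_encode64(pad + xor_bytes(pad, real_csrf_token(session)))
end

# Constant-time comparison so timing does not leak how many bytes matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# The decision verify_authenticity_token makes: does the submitted value,
# once unmasked, equal this session's secret? A missing, malformed, or
# foreign (other session's) token fails: the InvalidAuthenticityToken case.
def valid_authenticity_token?(session, submitted)
  return false if submitted.nil? || !session.key?(:_csrf_token)
  decoded = begin
    Base64.strict_decode64(submitted)
  rescue ArgumentError
    return false
  end
  return false unless decoded.bytesize == TOKEN_LENGTH * 2
  pad = decoded.byteslice(0, TOKEN_LENGTH)
  masked = decoded.byteslice(TOKEN_LENGTH, TOKEN_LENGTH)
  secure_equal?(xor_bytes(pad, masked), session[:_csrf_token])
end
```

Skipping the before_action removes this whole comparison for the affected actions, which is why it should be limited to endpoints that authenticate some other way.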

For a bit more information on some concepts outlined here, check out this post...

Happy coding ❤️

Top comments (5)

Bob Walsh

The behavior I was getting was ActionController::InvalidAuthenticityToken Error for no good reason. Tried a bunch of different things in my application_controller, none worked consistently.

What I found was with SR-enabled rails apps, you want to a) turn on caching in development and b) flush that cache if you are trying out different SR-enabled rails apps by toggling rails dev:cache a few times then doing rails s.

This especially works if you try running a second SR-enabled rails app, either one after another or both at the same time (on different rails instances, using rails s -p 3001).

This particular rat hole is easy to fall into and very, very hard to climb out of.

leastbad

Interesting timing on this, as we're experiencing strange behaviour from StimulusReflex apps that don't have caching enabled in development. They are seeing "Invalid Authenticity Token" errors. Thing is, we can't really figure out why the caching mechanism would impact any of this.

Mohammed Seedat

I thought I had misconfigured everything, but I'm struggling with this issue too. I am using OAuth as well as Devise; both seem to be struggling with maintaining any kind of persisting session, making development much slower than it needs to be.

Marc Köhlbrugge

In case anyone gets these errors in their exception handling software (like e.g. Bugsnag): They are usually bots or crawlers trying to access parts of your app without properly sending the authenticity token with the request. In this case these exceptions can usually be ignored.

Adnan Pirota

If you run into this while using Stimulus Reflex, please bear in mind that if, as instructed by Stimulus Reflex, you set "config.cache_store = :redis_cache_store" and you set "config.session_store :cache_store", the Redis server must be up; otherwise you will get the InvalidAuthenticityToken error.