logo标签列表

无法验证CSRF令牌的真实性

ruby-on-railsrubycsrfmollie
3
我正在尝试安装Mollie API,但无法使webhook工作。我正在使用Ruby on Rails 4。它一直显示“无法验证CSRF令牌的真实性”。我从stackoverflow尝试了几个答案,但它们都不起作用。例如:
  • skip_before_filter :verify_authenticity_token
  • protect_from_forgery except: [:notify]
  • protect_from_forgery with: :null_session, if: -> {request.format.json?}
我的notify-controller如下:
class ReservationsController < ApplicationController
    before_action :authenticate_user!, except: [:notify]

    skip_before_filter :verify_authenticity_token

    def preload
        training = Training.find(params[:training_id])
        today = Date.today
        reservations = training.reservations.where("date >= ?", today)

        render json: reservations
    end

    def create



        @thrill = Thrill.find(params[:thrill_id])
        if @thrill.reservations.length < @thrill.training.tr_max_attendants
            @reservation = current_user.reservations.create(reservation_params)

            if @reservation

                require 'Mollie/API/Client'

                mollie = Mollie::API::Client.new('test_gUejkz43UkdeCauC22J6UNqqVRdpwW')

                payment = mollie.payments.create(
                    amount: 10.00,
                    description: 'My first API payment',
                    redirect_Url: 'http://d7459af1.ngrok.io/your_trips',
                    webhookUrl: 'http://d7459af1.ngrok.io/notify',
                    metadata: {
                        reservationid: @reservation.id
                    }
                )



                @reservation.update_attributes payid:payment.id

                redirect_to payment.payment_url


            else
                redirect_to @thrill.training, notice: "Helaas, de training is vol"
            end
        end
    end

    protect_from_forgery except: [:notify]
#   protect_from_forgery with: :null_session, if: -> {request.format.json?}

    def notify

        require 'Mollie/API/Client'

        mollie = Mollie::API::Client.new('test_gUejkz43UkdeCauC22J6UNqqVRdpwW')

        payment = mollie.payments.get(payment.id)

        params.permit!
        status = params[:payment_status]

        if payment.paid?

          reservation = Reservation.find(params[:payid])
          reservation.update_attributes status:true
        else
            reservation.destroy
        end

        render nothing: true

    end

    protect_from_forgery except: [:your_trips]
    def your_trips
        @reservations = current_user.reservations.joins(:thrill).order('thrills.thrilldate asc').where('? <= thrills.thrilldate', Date.today)
    end

    def your_reservations
        @trainings = current_user.trainings
    end

    private
        def reservation_params

            params.permit(:thrill_id, :user_id)
        end


    end

如果有人有提示或建议,将不胜感激!谢谢!
嗨,Chris。如果你是Rails的新手:你在这里发布的代码看起来不像是一个常规的Rails控制器。你能把你的notify控制器中的所有代码都发布出来吗?我期望它以class NotifyController < ApplicationController开头。 - Mauddev
嗨Mauddev,感谢您的评论。我确实很新手,我添加了完整的控制器。希望您能从中得到一些东西。 - Chris Rutte
1个回答
3
你需要在控制器的最顶部调用 protect_from_forgery,或者你可以移除 ApplicationController 中的 protect_from_forgery 调用。
示例:
class ReservationsController < ApplicationController
    before_action :authenticate_user!, except: [:notify]

    skip_before_filter :verify_authenticity_token

    protect_from_forgery except: [:notify, :your_trips]

    # actions go below here

请注意,您可以将多个操作传递给:except参数。
顺便提一下:如果您正在开发一个仅限JSON API的应用程序,建议您查看Rails API:https://github.com/rails-api/rails-api
网页内容由stack overflow 提供, 点击上面的
可以查看英文原文,
原文链接