Tags: ruby-on-rails, ruby-on-rails-4, strong-parameters

Strong parameters only for update/create or for all actions


The nested format that strong parameters requires comes automatically with forms, i.e. the update and create actions.

Does this mean that it's only meant for those actions, and for the other GET requests we're supposed to use plain old params[:token] in the controller?

The reason why I'm asking is to understand whether I should create the nested format as well for GET requests, like this: link_to user.first_name, user_path(user: {token: user.token}), or simply do link_to user.first_name, user_path(token: user.token).


Solution

  • Strong params is a security mechanism having to do only with actions that add or change data, specifically actions that do this for several attributes at the same time, hence the name mass assignment. Usually the typical controller methods that use mass assignment are Create and Update, therefore these are usually the only methods one would have to protect. I say usually because you can always have a custom controller method that uses mass assignment.

    Mass assignment looks like this:

    attrs = {:first => "John", :last => "Doe", :email => "[email protected]"}
    user = User.new(attrs)
    

    You now have a user with all those attributes assigned to it; it's a convenience thing. Otherwise you would have to do each attribute manually. The problem is that if you don't whitelist the attributes that can be assigned via strong params, someone could manipulate the POST or PUT/PATCH request to include something like :admin => true.

    Hope that makes it a bit more clear.
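The following is an added example, not code from the question or the answer above, and it does not load Rails. It reproduces in plain Ruby the point the answer makes: a mass-assigned hash taken straight from the request lets a tampered "admin" key through, while a require/permit whitelist (a small stand-in for ActionController::Parameters, written here under the assumed name StrongParams) drops it, and a scalar GET parameter such as token needs no whitelist at all because nothing is mass-assigned. The User model, the StrongParams class, the helper functions and the constructed TAMPERED_POST hash are all this example's own.

```ruby
# Added example, not from the original post. User, StrongParams and the
# create_user_* helpers are assumed names for illustration only.

class User
  ATTRS = %i[first last email admin].freeze
  attr_accessor(*ATTRS)

  # Mass assignment: every key in the hash becomes an attribute write.
  # Nothing here asks whether the caller should be allowed to set it.
  def initialize(attrs = {})
    @admin = false
    attrs.each do |k, v|
      public_send("#{k}=", v) if ATTRS.include?(k.to_sym)
    end
  end

  def to_h
    ATTRS.to_h { |a| [a, public_send(a)] }
  end
end

# Minimal stand-in for ActionController::Parameters#require / #permit.
class StrongParams
  class ParameterMissing < StandardError; end

  def initialize(hash)
    @hash = hash.transform_keys(&:to_sym)
  end

  # require: the nested key must be present and non-empty, otherwise the
  # request is rejected (Rails answers 400 Bad Request for this).
  def require(key)
    value = @hash[key.to_sym]
    if value.nil? || (value.respond_to?(:empty?) && value.empty?)
      raise ParameterMissing, "param is missing or the value is empty: #{key}"
    end
    StrongParams.new(value)
  end

  # permit: keep only the whitelisted scalar keys; everything else is
  # silently dropped, which is what protects the admin flag below.
  def permit(*keys)
    allowed = keys.map(&:to_sym)
    @hash.select { |k, v| allowed.include?(k) && scalar?(v) }
  end

  private

  def scalar?(v)
    v.is_a?(String) || v.is_a?(Numeric) || v == true || v == false || v.nil?
  end
end

# Constructed sample: what a tampered POST /users body looks like after Rails
# has parsed it. The attacker added admin=true to an ordinary sign-up form.
TAMPERED_POST = {
  "user" => { "first" => "John", "last" => "Doe",
              "email" => "john@example.com", "admin" => "true" }
}.freeze

# Unsafe create action: the raw nested hash goes straight into User.new,
# so the admin attribute is set from the request.
def create_user_unsafe(params)
  User.new(params["user"])
end

# Safe create action: only the whitelisted attributes survive; admin is dropped.
def create_user_safe(params)
  User.new(StrongParams.new(params).require(:user).permit(:first, :last, :email))
end

# The GET case from the question: one scalar is read and used directly.
# No hash is assigned to a model, so there is nothing to whitelist.
def token_from_show_params(params)
  params["token"]
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe: #{create_user_unsafe(TAMPERED_POST).to_h}"
  puts "safe:   #{create_user_safe(TAMPERED_POST).to_h}"
  puts "token:  #{token_from_show_params("token" => "abc123")}"
end
```

Running it shows the unsafe path storing the attacker-supplied admin value while the safe path keeps admin at its default. Note that permit drops unknown keys silently; in a real Rails app set config.action_controller.action_on_unpermitted_parameters to :log or :raise in development so a stripped key is noticed rather than missed.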