Search code examples
ruby-on-railsrubycsrfmollie

Can't verify CSRF token autenticity

I am trying to install the Mollie API, but I don't get the webhook working. I am working in Ruby on Rails 4. It keeps saying Can't verify CSRF token autenticity. I tried several answers from stackoverflow but they don't work. E.g.

  • skip_before_filter :verify_authenticity_token
  • protect_from_forgery except: [:notify]
  • protect_from_forgery with: :null_session, if: -> {request.format.json?}

My notify-controller looks like:

class ReservationsController < ApplicationController
    before_action :authenticate_user!, except: [:notify]

    skip_before_filter :verify_authenticity_token

    def preload
        training = Training.find(params[:training_id])
        today = Date.today
        reservations = training.reservations.where("date >= ?", today)

        render json: reservations
    end

    def create



        @thrill = Thrill.find(params[:thrill_id])
        if @thrill.reservations.length < @thrill.training.tr_max_attendants
            @reservation = current_user.reservations.create(reservation_params)

            if @reservation

                require 'Mollie/API/Client'

                mollie = Mollie::API::Client.new('test_gUejkz43UkdeCauC22J6UNqqVRdpwW')

                payment = mollie.payments.create(
                    amount: 10.00,
                    description: 'My first API payment',
                    redirect_Url: 'http://d7459af1.ngrok.io/your_trips',
                    webhookUrl: 'http://d7459af1.ngrok.io/notify',
                    metadata: {
                        reservationid: @reservation.id
                    }
                )



                @reservation.update_attributes payid:payment.id

                redirect_to payment.payment_url


            else
                redirect_to @thrill.training, notice: "Helaas, de training is vol"
            end
        end
    end

    protect_from_forgery except: [:notify]
#   protect_from_forgery with: :null_session, if: -> {request.format.json?}

    def notify

        require 'Mollie/API/Client'

        mollie = Mollie::API::Client.new('test_gUejkz43UkdeCauC22J6UNqqVRdpwW')

        payment = mollie.payments.get(payment.id)

        params.permit!
        status = params[:payment_status]

        if payment.paid?

          reservation = Reservation.find(params[:payid])
          reservation.update_attributes status:true
        else
            reservation.destroy
        end

        render nothing: true

    end

    protect_from_forgery except: [:your_trips]
    def your_trips
        @reservations = current_user.reservations.joins(:thrill).order('thrills.thrilldate asc').where('? <= thrills.thrilldate', Date.today)
    end

    def your_reservations
        @trainings = current_user.trainings
    end

    private
        def reservation_params

            params.permit(:thrill_id, :user_id)
        end


    end

If someone has a tip or hint it would be highly appreciated! Thanks!

Solution

  • You need to call protect_from_forgery at the very top of your controller, or you can remove the protect_from_forgery call in ApplicationController.

    Example:

    class ReservationsController < ApplicationController
    before_action :authenticate_user!, except: [:notify]

    skip_before_filter :verify_authenticity_token

    protect_from_forgery except: [:notify, :your_trips]

    # actions go below here

    Note that you can pass multiple actions to the :except parameter

    Side note: if you are working on an JSON API only app, I suggest you to look into Rails API: https://github.com/rails-api/rails-api