I have a Rails app running in a Docker container. I use Devise for authentication and Rack::Cors for CORS.
On my machine, everything is okay. Once deployed, I can GET the login page correctly, but when I fill in the login form and submit it, Chrome replies with a blank page and a 422 (Unprocessable Entity) status code. The Rails log reads:

    Can't verify CSRF token authenticity.
    Completed 422 Unprocessable Entity in 2ms (ActiveRecord: 0.0ms)
    ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken):

Interestingly enough, on Firefox, everything runs smoothly.
I've tried everything I could find about Rails, CORS, CSRF, but I wasn't able to find a solution.
I don't really know what kind of information can be relevant here, so feel free to ask for details in the comments; I'll edit the question.
For what it's worth, I looked back at my code to find how I solved the issue.
I wasn't able to find a clean solution, so I worked around it by disabling the origin check:

    # config/initializers/csrf_workaround.rb
    Rails.application.config.action_controller.forgery_protection_origin_check = false

Of course, this introduces security vulnerabilities so be sure to post your own answer if you have a cleaner way to get this to work and/or have a real explanation for the question above.
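Added illustration, not code from the question or answer: a plain Ruby sketch of the comparison that `forgery_protection_origin_check` enables in Rails' `ActionController::RequestForgeryProtection` (the browser's `Origin` header must equal the base URL Rails reconstructs from the request), run over constructed headers. It assumes one common deployment cause, TLS terminated at a reverse proxy that does not forward the original scheme, so that Rails builds an `http://` base URL while Chrome sends an `https://` origin; forwarding `X-Forwarded-Proto` then keeps the check on instead of disabling it. Host names are placeholders.

```ruby
# Mimics the origin check Rails performs when
# forgery_protection_origin_check is true (added illustration, not Rails code).
# Assumed failure case: TLS ends at a reverse proxy that does not forward the
# original scheme, so Rails reconstructs an http:// base URL.

# Reconstruct the base URL the way Rack/Rails do: the scheme comes from
# X-Forwarded-Proto when the proxy sets it, otherwise from the socket itself.
def base_url(headers, tls_on_socket: false)
  scheme = headers["X-Forwarded-Proto"] || (tls_on_socket ? "https" : "http")
  "#{scheme}://#{headers['Host']}"
end

# Returns true when the request passes the origin check.
# A missing Origin header is accepted (some user agents omit it),
# a literal "null" origin is rejected, otherwise Origin must equal the base URL.
def valid_request_origin?(headers, tls_on_socket: false, origin_check: true)
  return true unless origin_check # the workaround: check switched off entirely
  origin = headers["Origin"]
  return false if origin == "null"
  origin.nil? || origin == base_url(headers, tls_on_socket: tls_on_socket)
end

# Constructed headers: a browser posting the login form over HTTPS.
CHROME_POST = { "Host" => "app.example", "Origin" => "https://app.example" }.freeze

# Constructed headers: the same POST from a user agent that omits Origin.
NO_ORIGIN_POST = { "Host" => "app.example" }.freeze

if __FILE__ == $PROGRAM_NAME
  # Proxy forwards the scheme: origin matches, request accepted.
  puts valid_request_origin?(CHROME_POST.merge("X-Forwarded-Proto" => "https"))
  # Proxy drops the scheme: http base URL vs https origin, Rails answers 422.
  puts valid_request_origin?(CHROME_POST)
  # Origin header absent: accepted regardless of the proxy.
  puts valid_request_origin?(NO_ORIGIN_POST)
end
```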