
Ruby

Rails CSRF tokens + Javascript

I have a line of JavaScript in one of my views for handling a POST request. In theory it works, but intermittently it adds a plus sign into the CSRF token, which creates an authentication error.

JS in question:

webcam.set_api_url('<%= upload_users_path %>' + '?' + csrf_param + "=" + encodeURI(encodeURI(csrf_token)));

I don't know JavaScript yet, but is there anything I can do to make this line more stable and get it to stop dropping in plus signs?

Example of a faulty request and the resulting error:

Started POST "/users/upload?authenticity_token=N0x/rDOgyC6AutbXzx8sZXLwDnB9zQ+NwWefXTpiSfE=" for 127.0.0.1 at 2013-06-04 01:06:34 -0400
  Processing by UsersController#upload as HTML
Parameters: {"authenticity_token"=>"N0x/rDOgyC6AutbXzx8sZXLwDnB9zQ NwWefXTpiSfE="}
  WARNING: Can't verify CSRF token authenticity

1 Answer

Zander,

I'm not sure why, but the code is using the JavaScript function encodeURI() twice in that line: in your code you have encodeURI(encodeURI(csrf_token)). I don't think that is causing the issue, but you only need to use the function once.

Could you provide the code on how the variable csrf_token is being determined? The function encodeURI() is encoding csrf_token to make it safe for a URL. It does not encode + signs as that is considered safe in a URL. I suspect the + sign is being randomly generated by the csrf_token. The w3schools documentation on encodeURI does a great job explaining this JavaScript function.

If you can post how the csrf_token variable is created, I think I can help prevent it from randomly generating a + sign in the string.

Thanks,
Codie
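The following is an added example, not code from Zander's view or from Codie's answer: it builds the upload URL the way the view does, then runs it through a small constructed model of how a Rack/Rails server form-decodes a query string, so you can see the token from the log above come back with a space where the "+" was under encodeURI and come back intact under encodeURIComponent. It assumes upload_users_path renders to "/users/upload" (as the log shows) and that the server compares the decoded parameter to the session token.

```javascript
// Added example (not from the original post). The token and path are the
// ones visible in the Rails log on this page.
const csrfParam = "authenticity_token";
const csrfToken = "N0x/rDOgyC6AutbXzx8sZXLwDnB9zQ+NwWefXTpiSfE=";
const uploadPath = "/users/upload";

// Build the API URL exactly as the view does, with the encoder pluggable so
// encodeURI, a doubled encodeURI and encodeURIComponent can be compared.
function buildApiUrl(path, param, token, encoder) {
  return path + "?" + param + "=" + encoder(token);
}

// Constructed model of query-string parsing as a Rack/Rails server does it:
// split on "&", split each pair at its FIRST "=", then form-decode the value
// ("+" becomes a space, then %XX sequences are percent-decoded).
// This is an illustration, not Rack's own code.
function parseQuery(url) {
  const query = url.slice(url.indexOf("?") + 1);
  const params = {};
  for (const pair of query.split("&")) {
    const i = pair.indexOf("=");
    const key = i === -1 ? pair : pair.slice(0, i);
    const raw = i === -1 ? "" : pair.slice(i + 1);
    params[key] = decodeURIComponent(raw.replace(/\+/g, " "));
  }
  return params;
}

// What the server will see as the token after decoding the request URL.
function roundTrip(encoder) {
  const url = buildApiUrl(uploadPath, csrfParam, csrfToken, encoder);
  return parseQuery(url)[csrfParam];
}

// Does the received token still equal the session token? Mirrors the check
// that produced "Can't verify CSRF token authenticity" in the log.
function tokenAccepted(encoder) {
  return roundTrip(encoder) === csrfToken;
}

// encodeURI leaves "/", "+" and "=" untouched, so the "+" is later decoded
// as a space; encodeURIComponent escapes them (%2F, %2B, %3D) and survives.
const doubleEncodeURI = (t) => encodeURI(encodeURI(t));
console.log("encodeURI          ->", roundTrip(encodeURI), tokenAccepted(encodeURI));
console.log("encodeURI twice    ->", roundTrip(doubleEncodeURI), tokenAccepted(doubleEncodeURI));
console.log("encodeURIComponent ->", roundTrip(encodeURIComponent), tokenAccepted(encodeURIComponent));
```

The "+" is not random: base64 tokens contain "+", "/" and "=" by design, and the failure shows up only on the tokens that happen to include a "+". For a token without percent signs, doubling encodeURI changes nothing, which is why Codie's observation about the repeated call is correct but not the cause.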