ruby on rails - Why is my HTTP Origin header not matching request.base_url and how to fix?

Question

Hello this is my first post here!

I have been trying to debug this issue for a couple of days but cannot figure it out. When I am making a post request to a rails api I am getting this error I have never seen before:

Started POST "/owners" for ::1 at 2021-01-12 11:24:15 -0500
   (1.0ms)  SELECT "schema_migrations"."version" FROM "schema_migrations" ORDER BY "schema_migrations"."version" ASC
Processing by OwnersController#create as */*
  Parameters: {"email"=>"adam", "password"=>"[FILTERED]", "owner"=>{"email"=>"adam"}}
HTTP Origin header (http://localhost:3000) didn't match request.base_url (http://localhost:3001)
Completed 422 Unprocessable Entity in 0ms (ActiveRecord: 1.8ms | Allocations: 476)


  
ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken):

Like I said I have never seen this before and I don't know how I have caused it. I have not used a proxy server and the only thing new I tried in this project that could have messed things up was I installed the devise gem but decided not to use it and deleted it.

Things I have tried:

making sure I had no pending migrations:

checking my routes:

Rails.application.routes.draw do
  resources :owners
  resources :dogs
  post 'login', to: 'sessions#create'
end

Then I thought it could be a cors issue:

require_relative 'boot'

require 'rails/all'

# Require the gems listed in Gemfile, including any gems
# you've limited to :test, :development, or :production.
Bundler.require(*Rails.groups)

module Backend
  class Application < Rails::Application
    # Initialize configuration defaults for originally generated Rails version.
    config.load_defaults 6.0

    # Settings in config/environments/* take precedence over those specified here.
    # Application configuration can go into files in config/initializers
    # -- all .rb files in that directory are automatically loaded after loading
    # the framework and any gems in your application.
    config.api_only = true

    config.middleware.insert_before 0, Rack::Cors do
      allow do
        origins '*'
        resource(
          '*',
          headers: :any,
          methods: [:get, :patch, :put, :delete, :post, :options, :head]
          )
      end
    end

  end
end

I then tried googling things about invalid authenticity token and http origin header but couldn't find a helpful solution or a solution I could understand.

(last note: I tried changing it from a post request to a get request and it worked but posts cause an error)

Thanks for any advice in advance

Answer 1

I think this is a CSRF (cross site request forgery) issue. Rails is trying to prevent invalid requests being made to your controller. It is looking for an authenticity_token on your request header, this token makes its way into the request via a hidden element in the html.erb form for post requests to a particular path. As you are using rails as an API, these tokens are absent.

There are multiple strategies for preventing this exception, and all have different security implications. Here is a good place to start: Rails API design without disabling CSRF protection