Ben HalpernThere are a few things going on with ActionController::InvalidAuthenticityToken, let's get in to it!
First of all, ActionController is the class which all "controllers" in Ruby on Rails inherit from, and it comes with a lot of functionality built in, such as "checking whether an authenticity token is valid". Because Rails prefers convention over configuration and is highly opinionated, this behavior is the default, rather than having to import the functionality.
We get this error when the controller detects that we have not properly passed a CSRF (Cross Site Request Forgery) token in with a POST, PUT, PATCH, or DELETE request. These are the type of requests where we typically send new data to the server and need to verify that this is done legitimately on behalf of a user using the website.
Read more about CSRF and related vulnerabilities here...
When we use a form_for or related tag in Rails, we magically pass an authenticity_token as a parameter along with the request. So if you try to submit a regular HTML form without manually adding a properly generated CSRF authenticity token as generated by the initial request you're going to get the the InvalidAuthenticityToken error.
Sometimes we'll want to legitimately skip this behavior if we know we don't need to make this check. That can be done, with caution, like this...
skip_before_action :verify_authenticity_token
For a bit more information on some concepts outlined here, check out this post...
Happy coding ❤️
