Rails Form Authenticity Token in Javascript
Hey guys, just a basic little snippet to get and encode the form authenticity token new in Rails 2.0, but in Javascript.
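var AJ = {
  // URL-encode the value of the given hidden token input so it is safe in a query string
  encode_authenticity_token: function(token) {
    return encodeURIComponent($(token).value);
  },
  // Build "authenticity_token=..." from the first hidden token input on the page
  authenticity_token_query_parameter_for_page: function() {
    return 'authenticity_token=' + AJ.encode_authenticity_token($(document.body).select('input[name="authenticity_token"]')[0]);
  },
  // Send a Prototype Ajax request to url with the token as its parameters
  ajax_request: function(url) {
    new Ajax.Request(url, {asynchronous: true, evalScripts: true, parameters: AJ.authenticity_token_query_parameter_for_page()});
  }
};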
You can call AJ.ajax_request(url) to do a Rails-style link_to_remote post and execute, or just get the form authenticity token in a format ready for the query string by using AJ.authenticity_token_query_parameter_for_page().
Hope this is helpful!
December 26th, 2007 at 1:02 pm
Just what I was looking for, thanks!
January 11th, 2008 at 12:24 am
thanks
January 30th, 2008 at 8:41 pm
Great! I knew I didn’t have to write this myself.
February 13th, 2008 at 8:05 am
Very handy! Thanks for posting this.
April 26th, 2008 at 8:23 am
Thank you, guy! You’ve solved my problem!
May 6th, 2008 at 4:09 pm
This is a nice way to do it when you can access the form element with the hidden token. What about when you are defining your requests outside of the views in javascript files?
I’m trying to come up with a way to globally prepend a valid authenticity token to ajax requests (using Ajax.Options most likely) but can’t find a good way to accomplish this.
May 6th, 2008 at 4:28 pm
This is actually doing just that, if I understand you right. You would use this for ajax requests that were not made by rails helpers, but were made in hand-written javascript files.
If you’re talking about doing it for every Ajax request across a site without having to use a helper like I use here, then I’m afraid you might have to modify Prototype’s Ajax library to allow for it. I’m not sure though, and that’s dangerous to do.
Keep us posted, especially if you figure out a solution. If I come across something that works, I’ll update this.
May 6th, 2008 at 5:27 pm
The reason this doesn’t work for my particular problem is that I’m not dealing with pages that have any hidden tokens already on them. Right now I see two ways to potentially deal with the issue:
1 - my first idea - Have an Ajax.Responder function in the head of the application’s base layout. This would capture any (and all) Ajax requests and modify their parameters to append the authenticity token. What is awful about it is that even GET requests will have the authenticity token when they don’t need it, but it’s really not all that big of a deal.
2 - Use something like this:
var AJ = {
  rails_gen_token: function() {
    var tok_str = "authenticity_token=" + "";
    return tok_str;
  }
};
And manually (or via a nice regex gsub) find all Ajax requests in the js files and prepend the generated token to their parameters.
I think the second one will actually work and I’ll try it tonight then report back with results.
May 6th, 2008 at 5:28 pm
gah the code tags didn’t save me:
var tok_str="authenticity_token=" + "<%= RAILS_ENV == 'test' ? '' : form_authenticity_token.to_s %>";
May 6th, 2008 at 5:39 pm
Yep. The second way is the way to do it to avoid putting auth tokens where they needn’t be. There’s probably some way to capture requests, check to see if they are posts, then and only then insert the auth token into the params, but for now my problem is solved.
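
The check the last comment asks for (add the token only when the request is not a GET), written as an added example that is not part of the original post or its comments. The helper names and the sample token are constructed for illustration; options.method and options.parameters are assumed to follow Prototype's Ajax.Request options, with the method defaulting to 'post'.

```javascript
// Added example; helper names are hypothetical, not from the post or Prototype.

// Serialize an object of parameters into a query string.
function toQueryString(params) {
  return Object.keys(params).map(function (key) {
    return encodeURIComponent(key) + '=' + encodeURIComponent(params[key]);
  }).join('&');
}

// True when the serialized parameters already carry an authenticity token.
function hasToken(query) {
  return /(^|&)authenticity_token=/.test(query);
}

// Return a copy of the Ajax options with the token added for non-GET requests.
// The caller's options object is left untouched.
function withAuthenticityToken(options, token) {
  var result = {};
  Object.keys(options || {}).forEach(function (key) { result[key] = options[key]; });

  var method = String(result.method || 'post').toLowerCase();
  var params = result.parameters || '';
  var query = typeof params === 'string' ? params.replace(/^\?/, '') : toQueryString(params);

  // GET requests do not need the token, so keep it out of their URLs.
  // An empty token (the test-environment case in the comments) adds nothing.
  if (method !== 'get' && token && !hasToken(query)) {
    query += (query ? '&' : '') + 'authenticity_token=' + encodeURIComponent(token);
  }
  result.parameters = query;
  return result;
}

// Constructed sample token containing characters that need URL encoding.
var SAMPLE_TOKEN = 'aB3+/xY9=';
```

The returned object can be passed as the options argument of new Ajax.Request(url, ...), with the token rendered into the page once by the layout.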