ActionController::InvalidAuthenticityToken in Rails Engine

Question

I am building a saas engine in rails. I am running into the following error on the account#create method (The warden gem is used):

ActionController::InvalidAuthenticityToken in Subscribem::AccountsController#create
ActionController::InvalidAuthenticityToken

Rails.root: /home/jma/Documents/subscribem/spec/dummy

Application Trace | Framework Trace | Full Trace
Request

Parameters:

{"utf8"=>"✓",
 "authenticity_token"=>"x5sWQF8eRjwD/fcbdI+MJ1Y1gg7u2x7QvCoN3h1/1UM=",
 "account"=>{"name"=>"test",
 "subdomain"=>"test",
 "owner_attributes"=>{"email"=>"[email protected]",
 "password"=>"[FILTERED]",
 "password_confirmation"=>"[FILTERED]"}},
 "commit"=>"Create Account"}

My application controller looks like this:

class ApplicationController < ActionController::Base
  # Prevent CSRF attacks by raising an exception.
  # For APIs, you may want to use :null_session instead.
    protect_from_forgery with: :exception
end

When changing the protect_from_forgery with: :exception to :null_session the error goes away but I think that this is not the right solution for this problem since the user should be logged in after this sign up action which he is not and the :null_session is for APIs only.

The site is also not creating any cookies for the user who is signing up which does not seem right.

Any ideas?

Answer 1

I see you're following Ryan Bigg's book on building Multitenant apps with Rails.

Given that, the issue is more than likely that you need to set the session cookie domain appropriately for your dummy app (by default it will be set to example.com).

So if you were running your dummy app at subscribem.dev (e.g. via Pow) then you would set your session cookie domain in spec/dummy/config/initializers/session_store.rb as follows:

Dummy::Application.config.session_store :cookie_store, key: '_dummy_session', domain: "subscribem.dev"