InvalidAuthenticityToken and Dojo Toolkit
... or how to add your authenticity token to a hand made form in Rails
Finally decided to take on Dojo
Hello again. I started playing with the Dojo Toolkit, and I really liked it. The first thing I found was that it used to be incompatible with Prototype/Script.aculo.us, but that seems to have been fixed: just add a little config for Dojo before loading it, and that gets the job done. Also, you should not forget to load the Dojo Toolkit before loading Prototype/Script.aculo.us.
Googled with no luck, just Toolbocks
Well, I shall tell you that before going down this path I obviously Googled for a ready-made gem and/or plugin that I could use to get Dojo on Rails, and found the Dojo Toolbocks plugin. But according to its documentation, it requires you to add the engines plugin, which I am not really fond of, and that was an immediate turn-off...
I don't like the engines plugin, do you?
Also, I looked for more documentation about it, but it seems all it does is load the Dojo Toolkit, so I went on to try and build a plugin that would do that without needing the engines plugin.
dojo_support plugin in a repository near you soon
I will publish this new plugin, which will be named dojo_support, when it's ready for a beta test, and that means writing a couple of helpers for views and also a render similar to the Rails' javascript RJS render.
The InvalidAuthenticityToken Error
While developing the code for a helper to create remote form tags that work with Dojo, I ran into a problem creating the forms, where Rails complains about an Invalid Authenticity Token. This is required by the ProtectFromForgery feature of Rails.
Disabled protection? I don't think so.
I had two choices. The first was to disable protect from forgery in the controllers for actions handling remote Dojo forms (not a choice really). The second was adding the needed authenticity token to the form, that is, generating the form code and including the authenticity token as a hidden field, just like regular Rails-generated forms. This is where I was stuck. I googled without luck, finding only posts that told me to add
    protect_from_forgery :except => :my_method
as shown in RequestForgeryProtection Class Methods to disable forgery protection for specific methods, but this was something I didn't feel users should do.
The Discovery of form_authenticity_token
I finally found where this protection is in the Rails tree, and found in RequestForgeryProtection that you can reach the token with
    form_authenticity_token
The discovery of request_forgery_protection_token
And looking around in options_for_ajax, I found you can get the name of the field in the form with
    request_forgery_protection_token
I found it in ActionView::Helpers::PrototypeHelper (use the show source link in the options_for_ajax method).
So, how do you use them?
So, to end this long post: to prevent InvalidAuthenticityToken in forms created by hand, just add the following line to your .html.erb form:
    <input name="<%= request_forgery_protection_token.to_s %>" type="hidden" value="<%= form_authenticity_token %>" />
And you're on track again.
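Why that hidden field is enough, as an added example (not code from this post or from Rails): `FakeController`, `form_fields`, `accepted?` and the `/items` form are hypothetical, and the session-stored token with a constant-time comparison is a simplified model assumed for illustration. It renders the line above with ERB, then accepts a POST only when the submitted token matches the session's.

```ruby
require "erb"
require "securerandom"

# Simplified model of the server side (assumption, not Rails' own code).
class FakeController
  class InvalidAuthenticityToken < StandardError; end

  # Hand-made form (constructed sample); the hidden field is the line from the post.
  FORM = <<~HTML
    <form id="dojo_form" action="/items" method="post">
      <input name="<%= request_forgery_protection_token.to_s %>" type="hidden" value="<%= form_authenticity_token %>" />
      <input name="item[title]" type="text" value="book" />
    </form>
  HTML

  def initialize(session)
    @session = session
  end

  def request_forgery_protection_token; :authenticity_token; end

  # One random token per session, created on first use.
  def form_authenticity_token
    @session[:_csrf_token] ||= SecureRandom.base64(32)
  end

  def render_form
    ERB.new(FORM).result(binding)
  end

  # Reject a POST whose token is missing or differs from the session's.
  def create(params)
    sent = params[request_forgery_protection_token.to_s].to_s
    expected = form_authenticity_token
    same = sent.bytesize == expected.bytesize &&
           sent.bytes.zip(expected.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
    raise InvalidAuthenticityToken unless same
    :ok
  end
end

# Named inputs of the form, as a browser or Ajax form post would send them.
def form_fields(html)
  html.scan(/<input name="([^"]*)"[^>]*value="([^"]*)"/).to_h
end

def accepted?(controller, params)
  controller.create(params) == :ok
rescue FakeController::InvalidAuthenticityToken
  false
end
```

A form rendered for a different session carries a different token and is rejected the same way as a form with no token at all.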
I hope I have the skills to make Dojo as easy as Prototype/Script.aculo.us
Hope this helps someone. Of course this will be included in the helpers of the new dojo_support plugin, which I expect to publish in a couple of weeks, with the target of making the use of dojo+rails+RDJS (Rails Dojo Javascript) as easy as prototype+scriptaculous+RJS.
Greetings everyone. Gabriel Medina.
