I’m unassigning myself from this for now, but would like to leave it open as a place to track any future “BAD CSRF” errors in case they continue to occur.
From digging into this I realized that most of the BAD CSRF errors came from before we switched to header based authentication via the API.
Pre-header based auth, if the json request was malformed in some way we couldn’t read the API_KEY out of the paremeters and so we couldn’t detect if the request was an actual API request on this line in the application controller:
unless is_api? || is_user_api?
and so we would just return:
render plain: "[\"BAD CSRF\"]", status: 403
But now that API credentials are almost always in the HTTP Header of the request we can determine that the request is actually an API request with much better accuracy than before and so the “BAD CSRF” error shouldn’t show up as frequently anymore.