Any post requests to /webhooks/mailgun are returned an HTTP 422, and the server logs show an ActionController::InvalidAuthenticityToken error. This was tested on a new installation with no plugins.
This first started around the middle of May looking at logs from my main forum.
pfaffman
May 30, 2022, 11:56am
2
Are you sure that the API key is valid?
Yeah I’ve checked the key and it’s definitely valid.
I don’t really think it has anything to do over whether they key is valid or not (unless an invalid key causes a csrf error for some reason)
znedw
June 10, 2022, 12:55am
6
Anyone else get this when trying to confirm the SNS subscription?
details info:
ActionController::InvalidAuthenticityToken (Can't verify CSRF token authenticity.)
lib/middleware/omniauth_bypass_middleware.rb:71:in `call'
lib/content_security_policy/middleware.rb:12:in `call'
lib/middleware/anonymous_cache.rb:368:in `call'
config/initializers/008-rack-cors.rb:25:in `call'
config/initializers/100-quiet_logger.rb:23:in `call'
config/initializers/100-silence_logger.rb:31:in …
same issue here with the aws webhook, i’m on build 99b0578b4ce
david
June 13, 2022, 2:38pm
8
Thanks for the PR @Wolftallemo - I just merged it and added some extra info in the commit message:
committed 02:36PM - 13 Jun 22 UTC
The `WebhookController` inherits directly from `ActionController::Base`. Since R… ails 5.2, forgery protection has been enabled by default. When we applied those new defaults in 0403a8633bdedfe497ec3e2fe5d03e17940d6f16, it took effect on this controller and broke integrations.
This commit explicitly disables CSRF protection on these webhook routes, and updates the specs so they'll catch this kind of regression in future.
6 Likes
david
June 20, 2022, 7:00am
9
This topic was automatically closed after 6 days. New replies are no longer allowed.
