
Errbit can't verify CSRF token authenticity for all POST requests #1543

Open
camerondrysdale opened this issue May 30, 2023 · 2 comments

@camerondrysdale

We've just upgraded our Errbit app from 0.6.0 to the latest version and we're finding that every POST request is throwing an exception that the CSRF token is invalid...

Example from the logs:

Processing by Devise::SessionsController#new as HTML
  Parameters: {"utf8"=>"✓", "authenticity_token"=>"iyoHKsD5c68Vk0rsiOG/oaNt+jauqy/IUIYK3GVFCnRikVDd9fFntyFBS2noPlKke27qw18yHw7MPpuglIMrdg==", "user"=>{"email"=>"test@test.com", "password"=>"[FILTERED]", "remember_me"=>"0"}}
Can't verify CSRF token authenticity.

It's not clear why this is happening as the SECRET_KEY_BASE is present, and we've confirmed that the form and csrf meta tags are all present in the code... it also works fine locally and worked before the upgrade...

The session_store also doesn't specify anything about domains (and didn't before):

Rails.application.config.session_store :cookie_store, key: '_errbit_session'

What could cause this to happen? We're a bit stuck as to what to check next.

@dmric

dmric commented Jul 28, 2023

Hi @camerondrysdale. Were you able to resolve this issue?

@dmric

dmric commented Aug 17, 2023

This commit to upgrade to Rails 5.0 https://github.com/errbit/errbit/commit/df2c0a6f8adc9190547d9c1b9ffb0a3fc20f0941?diff=split introduced Rails.application.config.action_controller.forgery_protection_origin_check = true in file config/initializers/new_framework_defaults.rb which led to this issue when using nginx as a reverse proxy and not providing sufficient headers.

To fix this, I had to pass on more nginx headers as explained here https://github.com/rails/rails/issues/22965#issuecomment-172929004

upstream myapp {
  server              unix:///path/to/puma.sock;
}
...
location / {
  proxy_pass        http://myapp;
  proxy_set_header  Host $host;
  proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header  X-Forwarded-Proto $scheme;
  proxy_set_header  X-Forwarded-Ssl on; # Optional
  proxy_set_header  X-Forwarded-Port $server_port;
  proxy_set_header  X-Forwarded-Host $host;
}
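The mechanism behind the fix above, as an added illustration that is neither Errbit's nor Rails' code: a simplified Ruby model of the check that Rails' forgery_protection_origin_check performs (the Origin header is compared with request.base_url, which Rails reconstructs from Host and the X-Forwarded-* headers), run on two constructed header sets, one without and one with the proxy headers from the nginx snippet. The hostnames and the upstream name are assumptions.

```ruby
DEFAULT_PORTS = { "http" => 80, "https" => 443 }.freeze

# Scheme as the app sees it: https only if the proxy says so via X-Forwarded-Proto/-Ssl.
def forwarded_scheme(headers)
  proto = headers["X-Forwarded-Proto"].to_s.split(",").first.to_s.strip
  return "https" if proto == "https" || headers["X-Forwarded-Ssl"] == "on"
  "http"
end

# Host as the app sees it: X-Forwarded-Host (last hop) wins over Host.
def forwarded_host(headers)
  host = headers["X-Forwarded-Host"] || headers["Host"] || ""
  host.split(",").last.to_s.strip
end

# Rebuild request.base_url (scheme://host[:port]) from the headers.
def base_url(headers)
  scheme = forwarded_scheme(headers)
  host, host_port = forwarded_host(headers).split(":", 2)
  port = (headers["X-Forwarded-Port"] || host_port || DEFAULT_PORTS[scheme]).to_i
  port == DEFAULT_PORTS[scheme] ? "#{scheme}://#{host}" : "#{scheme}://#{host}:#{port}"
end

# The origin check: a missing Origin is accepted, a mismatching one is not.
def origin_check_passes?(headers)
  origin = headers["Origin"]
  origin.nil? || origin == base_url(headers)
end

# Constructed: what the app receives for a browser form POST when nginx only
# proxies (Host rewritten to the upstream name, no X-Forwarded-* headers).
BARE_PROXY_HEADERS = {
  "Host" => "myapp",
  "Origin" => "https://errbit.example.com",
}.freeze

# Constructed: the same request once nginx sets the headers from the comment.
FORWARDED_HEADERS = {
  "Host" => "errbit.example.com",
  "X-Forwarded-Proto" => "https",
  "X-Forwarded-Port" => "443",
  "X-Forwarded-Host" => "errbit.example.com",
  "Origin" => "https://errbit.example.com",
}.freeze

if __FILE__ == $PROGRAM_NAME
  [BARE_PROXY_HEADERS, FORWARDED_HEADERS].each do |h|
    puts "base_url=#{base_url(h)} origin_ok=#{origin_check_passes?(h)}"
  end
end
```

Without the forwarded headers the app rebuilds its base URL as http://myapp, which can never equal the browser's https Origin, so every POST fails the check regardless of the token.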
