Mind Dump, Tech And Life Blog
written by Ivan Alenko
published under license CC4-BY
posted in category Software Development / Ruby on Rails
posted at 10. May '26

How to Fix Form Method ActionController::InvalidAuthenticityToken

Today's case is an obscure error, but one still caused by a mistake in the code.

So I made a form like this:

<%= form_with model: @import_bookmarks_form, url: import_plaintext_bookmarks_path, method: :create do |f| %>
....
<% end %>

Everything worked in tests, but when I tested manually, I got:

ActionController::InvalidAuthenticityToken (Can't verify CSRF token authenticity.):
  
actionpack (8.1.3) lib/action_controller/metal/request_forgery_protection.rb:321:in 'ActionController::RequestForgeryProtection::ProtectionMethods::Exception#handle_unverified_request'
actionpack (8.1.3) lib/action_controller/metal/request_forgery_protection.rb:415:in 'ActionController::RequestForgeryProtection#handle_unverified_request'
actionpack (8.1.3) lib/action_controller/metal/request_forgery_protection.rb:404:in 'ActionController::RequestForgeryProtection#verify_authenticity_token'
activesupport (8.1.3) lib/active_support/callbacks.rb:362:in 'block in ActiveSupport::Callbacks::CallTemplate::MethodCall#make_lambda'
activesupport (8.1.3) lib/active_support/callbacks.rb:179:in 'block in ActiveSupport::Callbacks::Filters::Before#call'
actionpack (8.1.3) lib/abstract_controller/callbacks.rb:36:in 'block (2 levels) in <module:Callbacks>'
activesupport (8.1.3) lib/active_support/callbacks.rb:180:in 'ActiveSupport::Callbacks::Filters::Before#call'
activesupport (8.1.3) lib/active_support/callbacks.rb:560:in 'block in ActiveSupport::Callbacks::CallbackSequence#invoke_before'
activesupport (8.1.3) lib/active_support/callbacks.rb:560:in 'Array#each'
.....

I dug around, lowered the Ruby version, debugged request_forgery_protection.rb (where I found out that the tokens really don't match), and even asked an AI. But nothing helped. Then I started to simplify the form helper to work only with the form object, and that solved the issue. :create is an incorrect value for method and will cause the error.

This is really shitty behavior, as the token is generated for the "create" verb, but the request goes out as POST anyway and there is no method in params, so that seems to be the reason they don't match.

  Parameters: {"authenticity_token" => "3FYp2xk-Dko54TtD7EZ2royFizQjIQEi5yR4bh47KPuuglubURoLp9k1qnbD2zpWpWWCBEjD0WP8oUPVCg8xFg", "import_plaintext_bookmarks_form" => {"folder_id" => "019e0049-5e49-7f7e-a612-ea883652db04", "content" => "fgdf"}, "commit" => "Add Bookmarks"}

I would expect the form_with helper to reject an incorrect value, or to get a controller error about an unknown HTTP verb (maybe not, since technically everything is GET or POST in forms, but Rails is able to set a different verb internally).
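A simplified model of the mismatch described above, added here as an example and not code from this post or from Rails. It assumes the token is an HMAC over the form's path and method (token masking is omitted); `SESSION_SECRET`, `FORM_PATH`, `FORM_VERBS` and `checked_form_method` are hypothetical names.

```ruby
require "openssl"
require "securerandom"

# Simplified model of a CSRF token bound to one form (path + method).
# Assumption: token = HMAC-SHA256(session secret, "path#method"); the
# one-time masking a real framework adds on top is left out.
SESSION_SECRET = SecureRandom.random_bytes(32)    # constructed secret
FORM_PATH = "/bookmarks/import_plaintext"         # constructed path
FORM_VERBS = %w[get post put patch delete].freeze # hypothetical allowlist

def mint_token(path, method)
  data = "#{path}##{method.to_s.downcase}"
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA256"), SESSION_SECRET, data)
end

# Constant-time comparison so the check does not leak matching prefixes.
def secure_eq?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# The server recomputes the token from the verb the request arrived with.
def valid_token?(token, path, request_method)
  secure_eq?(token, mint_token(path, request_method))
end

# Render-time guard: reject a non-verb instead of failing on submit.
def checked_form_method(value)
  verb = value.to_s.downcase
  return verb if FORM_VERBS.include?(verb)
  raise ArgumentError, "#{value.inspect} is not an HTTP verb"
end

def demo
  guard_rejects = begin
    checked_form_method(:create)
    false
  rescue ArgumentError
    true
  end
  {
    create_vs_post: valid_token?(mint_token(FORM_PATH, :create), FORM_PATH, "POST"),
    post_vs_post: valid_token?(mint_token(FORM_PATH, :post), FORM_PATH, "POST"),
    guard_rejects: guard_rejects
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

A token minted for "create" never validates against a request that arrives as POST, while the guard turns the same mistake into an error at render time.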

All right, enough ranting. The correct solution is to remove the method attribute or replace it with :post.

<%= form_with model: @import_bookmarks_form, url: import_plaintext_bookmarks_path do |f| %>
....
<% end %>

or

<%= form_with model: @import_bookmarks_form, url: import_plaintext_bookmarks_path, method: :post do |f| %>
....
<% end %>

And that's all...
