Before process_action callback :verify_authenticity_token has not been defined #129

Open
ryankon opened this issue Sep 13, 2024 · 8 comments
Labels
under investigation Investigating resolution steps

Comments

@ryankon

ryankon commented Sep 13, 2024

I came across a similar issue that was previously fixed:
#40

After upgrading an app to Rails 7.1, I’m encountering a similar issue preventing my Cloud Run container from starting:
Before process_action callback :verify_authenticity_token has not been defined (ArgumentError)

I'm running the latest release (0.13.2)

Replacing skip_before_action :verify_authenticity_token with skip_forgery_protection here should resolve the issue:

skip_before_action :verify_authenticity_token

Is there any reason not to make this change? I can submit a PR if that would be helpful.

@alachaum
Member

Hi @ryankon thanks for raising this issue. I'm going to do some checks on my side to see if I can reproduce it.

But I think you're right, using skip_forgery_protection is probably the way to go.

@alachaum
Member

alachaum commented Sep 22, 2024

Hey @ryankon ! Feel free to test master or v0.14.rc1

There are a couple of bug fixes from v0.14.rc1 that will be backported to v0.13 once the release candidate has been battle-tested (on top of the millions of jobs we've already run on this RC at Keypup 😁 )

@avesh-raising

Hi @alachaum, I have been facing a CSRF token authentication issue even after upgrading to v0.14.rc1

```
Started POST "/cloudtasker/run" for ::1
Processing by ApplicationController#not_found as */*
  Parameters: {"worker"=>"ActiveJob::QueueAdapters::CloudtaskerAdapter::JobWrapper", "job_queue"=>"Purchases", "job_id"=>"49799094-c8c8-4342-ba5d-b4251cac50de", "job_meta"=>{}, "job_args"=>[{"job_class"=>"BoxpayAuthorisationJob", "arguments"=>[{"_aj_globalid"=>"gid://pay-station/WebhookEvent/2"}], "exception_executions"=>{}, "locale"=>"en", "timezone"=>"UTC", "enqueued_at"=>"2024-09-25T09:44:25Z"}], "unmatched"=>"cloudtasker/run", "application"=>{"worker"=>"ActiveJob::QueueAdapters::CloudtaskerAdapter::JobWrapper", "job_queue"=>"Purchases", "job_id"=>"49799094-c8c8-4342-ba5d-b4251cac50de", "job_meta"=>{}, "job_args"=>[{"job_class"=>"BoxpayAuthorisationJob", "arguments"=>[{"_aj_globalid"=>"gid://pay-station/WebhookEvent/2"}], "exception_executions"=>{}, "locale"=>"en", "timezone"=>"UTC", "enqueued_at"=>"2024-09-25T09:44:25Z"}]}}
Can't verify CSRF token authenticity.
Completed 422 Unprocessable Entity in 1ms (ActiveRecord: 0.0ms | Allocations: 466)

ActionController::InvalidAuthenticityToken (Can't verify CSRF token authenticity.):

actionpack (7.0.4.3) lib/action_controller/metal/request_forgery_protection.rb:251:in `handle_unverified_request'
actionpack (7.0.4.3) lib/action_controller/metal/request_forgery_protection.rb:284:in `handle_unverified_request'
devise (4.8.1) lib/devise/controllers/helpers.rb:255:in `handle_unverified_request'
actionpack (7.0.4.3) lib/action_controller/metal/request_forgery_protection.rb:273:in `verify_authenticity_token'
activesupport (7.0.4.3) lib/active_support/callbacks.rb:400:in `block in make_lambda'
activesupport (7.0.4.3) lib/active_support/callbacks.rb:199:in `block (2 levels) in halting'
actionpack (7.0.4.3) lib/abstract_controller/callbacks.rb:34:in `block (2 levels) in <module:Callbacks>'
activesupport (7.0.4.3) lib/active_support/callbacks.rb:200:in `block in halting'
...
```

My Rails version is 7.0.4.3 and my Ruby version is 3.3.0.
I expected this version to solve the CSRF issue, but I am still facing it.

@ryankon
Author

ryankon commented Sep 25, 2024

Thanks for making this change so quickly @alachaum. We've pushed v0.14.rc1 into production and it seems to be working well!

@avesh-raising Looks like your issue is being triggered via an interaction with Devise. It appears you are running 4.8.1, which is almost 3 years old. It might be resolved by upgrading to the latest?

@avesh-raising

> Thanks for making this change so quickly @alachaum. We've pushed v0.14.rc1 into production and it seems to be working well!
>
> @avesh-raising Looks like your issue is being triggered via an interaction with Devise. It appears you are running 4.8.1, which is almost 3 years old. It might be resolved by upgrading to the latest?

Upgrading devise to 4.9.4 did not resolve this issue. Is there any information I can provide to resolve this issue?

I have successfully deployed one of my microservices on GCP App Engine along with a dedicated worker instance. Both the microservice and the worker instance are API-only, and since Rails does not add CSRF bells and whistles to API-only applications, that setup is working fine.
However, when I try to run the same setup for a RoR application which has views and all the JavaScript/HTML/CSS to go along with it, and thus has CSRF protections in place by default by RoR, I am facing this issue on my worker instance.

@ryankon
Author

ryankon commented Sep 26, 2024

@avesh-raising This looks like a Devise config issue to me that's unrelated to Cloudtasker.

As you can see here: https://github.com/keypup-io/cloudtasker/blob/v0.14.rc1/app/controllers/cloudtasker/worker_controller.rb, forgery protection is being skipped, and the controller does not inherit off ApplicationController.

Your error shows that a Devise verification is interrupting the request. Do you have Devise globally configured to intercept all requests?
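
A log check for the situation discussed above, as an added example that is not part of the thread or of Cloudtasker's code: it groups a Rails log by request and flags POSTs to the worker path that were processed by a controller other than `Cloudtasker::WorkerController`, in which case the engine controller's forgery-protection skip cannot take effect. The sample log is constructed, and the parser assumes that log lines from different requests are not interleaved.

```ruby
# Path and controller name are taken from the thread; SAMPLE_LOG is constructed.
WORKER_PATH = "/cloudtasker/run"
EXPECTED_CONTROLLER = "Cloudtasker::WorkerController"

Request = Struct.new(:verb, :path, :controller, :action, :status, :csrf_failed)

# Build one Request per "Started ..." block of a (non-interleaved) Rails log.
def parse_requests(log)
  requests = []
  log.each_line do |line|
    case line
    when /^Started (\w+) "([^"?]+)/
      requests << Request.new($1, $2, nil, nil, nil, false)
    when /^Processing by ([\w:]+)#(\w+)/
      requests.last&.controller = $1
      requests.last&.action = $2
    when /Can't verify CSRF token authenticity/
      requests.last&.csrf_failed = true
    when /^Completed (\d{3})/
      requests.last&.status = $1.to_i
    end
  end
  requests
end

# Worker requests that were dispatched to some other controller, so the
# CSRF check that ran was that controller's, not the engine's.
def misrouted_worker_requests(log)
  parse_requests(log).select do |r|
    r.path == WORKER_PATH && r.controller && r.controller != EXPECTED_CONTROLLER
  end
end

SAMPLE_LOG = <<~'LOG'
  Started POST "/cloudtasker/run" for ::1
  Processing by Cloudtasker::WorkerController#run as */*
  Completed 204 No Content in 12ms
  Started POST "/cloudtasker/run" for ::1
  Processing by ApplicationController#not_found as */*
  Can't verify CSRF token authenticity.
  Completed 422 Unprocessable Entity in 1ms
LOG

misrouted_worker_requests(SAMPLE_LOG).each do |r|
  puts "#{r.verb} #{r.path} handled by #{r.controller}##{r.action} " \
       "(status #{r.status}, csrf_failed=#{r.csrf_failed})"
end
```
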

@alachaum
Member

@avesh-raising if by any chance you can extract a minimal subset of your application (the gems, Cloudtasker, Devise, some of the routes and controllers, without any proprietary business logic) that reproduces the issue and then publish it on GitHub, it will help us check what's happening.

I believe @ryankon is right. Devise is probably putting an additional layer on top of the regular Rails layer. So we might need to disable Devise for some of the routes. If we find out the exact configuration to specify for Devise, I'll update the Cloudtasker docs to mention it.

alachaum added the "under investigation" (Investigating resolution steps) label Oct 14, 2024

@alachaum
Member

@avesh-raising just checking if you have been able to resolve this issue. Was the problem related to Devise?
