Monday, 31 August 2015

Request - Response from php server to ruby on rails server. CSRF token issue

We are planning interaction between php script to ruby on rails server and vice-versa.

Whenever I do a curl post of data from the php script, the rails server notification displays "Can't verify CSRF token authenticity". I am passing authenticity_token in the post parameters. We need to know how to use this token in a secure manner on the rails server.

<?php

    class active_merchant{

        private $endpoint_url;                      // server address or url where data is to be posted.
        private $params;                            // form fields
        private $fields_count;                      // count of fields in credit card

        public function __construct(){

            $this->endpoint_url = "http://localhost:8080/activemerchant/index";
            $token = md5('random');
            $this->params = array('name'=>'test','authenticity_token'=>$token);

        }

        /*  function curl_post
            makes a curl post to the end point url
            uses the object's endpoint_url and params
             */

        public function curl_post(){

            try{

                $ch = curl_init();
                curl_setopt($ch, CURLOPT_URL, $this->endpoint_url);
                curl_setopt($ch, CURLOPT_POST, 1);
                curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($this->params));
                curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
                curl_setopt($ch, CURLOPT_HTTPHEADER, array('Content-Type: application/json'));
                $response = curl_exec($ch);
                $error = curl_error($ch);
                $errno = curl_errno($ch);
                curl_close($ch);

                // curl_exec does not throw; surface transport failures explicitly
                if ($response === false) {
                    throw new Exception($error, $errno);
                }

                print_r($response);
                //return $response;

            }catch(Exception $e){
                // the third constructor argument is the previous exception, not a line number
                throw new Exception($e->getMessage(), $e->getCode(), $e);
            }

        }

    }

    $active_merchant = new active_merchant();
    $active_merchant->curl_post();


?>

Rails code -

class ActivemerchantController < ApplicationController
  protect_from_forgery except: :index

  def index
    Rails.logger.debug params.inspect
    puts params.inspect
    self.response_body = "Hello, world!"
  end
end

Can anyone tell us how we can keep our authenticity_token random, consistent and secure between the two servers (php and ruby on rails)?
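Rails' authenticity_token is tied to a browser session, so a server-to-server caller cannot meaningfully present one; the usual replacement is a shared secret known to both servers, with each request carrying an HMAC over its body and a timestamp. The following Ruby is an added example, not code from the post: it shows the signing step the php script would perform and the verification a Rails before_action would perform on request.raw_post and request.headers. The secret name SHARED_SECRET, the header names and the 300-second skew window are assumptions.

```ruby
require 'openssl'
require 'json'

# Hypothetical shared secret, configured out-of-band on both servers (never md5 of a constant).
SHARED_SECRET = 'replace-with-a-long-random-secret'.freeze
MAX_SKEW = 300 # seconds a signed request stays valid; bounds the replay window

# Client side (the php script's role): HMAC-SHA256 over "timestamp.body".
def sign_request(body, timestamp, secret = SHARED_SECRET)
  OpenSSL::HMAC.hexdigest('SHA256', secret, "#{timestamp}.#{body}")
end

# Builds the JSON body and the two headers the caller sends alongside it.
def build_request(params, now = Time.now.to_i, secret = SHARED_SECRET)
  body = JSON.generate(params)
  { body: body,
    headers: { 'X-Timestamp' => now.to_s,
               'X-Signature' => sign_request(body, now, secret) } }
end

# Constant-time comparison so the check does not leak how many leading bytes matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server side (the Rails before_action's role). Returns a symbol describing the
# outcome so that each failure mode can be logged and alerted on separately.
def verify_request(body, headers, now = Time.now.to_i, secret = SHARED_SECRET)
  ts  = headers['X-Timestamp'].to_s
  sig = headers['X-Signature'].to_s
  return :missing_headers if ts.empty? || sig.empty?
  return :stale unless (now - ts.to_i).abs <= MAX_SKEW
  expected = sign_request(body, ts.to_i, secret)
  secure_compare(expected, sig) ? :ok : :bad_signature
end

if __FILE__ == $PROGRAM_NAME
  req = build_request({ 'name' => 'test' })
  puts verify_request(req[:body], req[:headers])            # ok
  puts verify_request(req[:body].sub('test', 'x'), req[:headers]) # bad_signature
end
```

In the controller this replaces protect_from_forgery for the API action (for example with `protect_from_forgery with: :null_session` plus the before_action), so the browser CSRF token is neither required nor shared across servers.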
