---
title: cURLing with Rails' Authenticity Token
teaser: |
  How to use cURL to save Rails' authenticity token,
  and then POST to a Rails endpoint.
tags: web,rails,news
author: Dan Croak
published_on: 2011-01-31
---

Our event, Developers Developers Developers Developers, is this weekend.

When the amount of registrations reached the capacity of the venue, we removed
the registration form from the website.

However, we left the Rails route and controller around and encouraged students
to register by reading the source code of the application and coding their way
in. We pointed them to the staging app so they could practice before
registering via the production app.

![D8 registration challenge](http://images.thoughtbot.com/ui/d8-registration-challenge.png)

## Rails' authenticity_token

So we just need to POST to `/registrations` with the right params,
right? Right. However, "the right params" needs to include Rails'
[`authenticity_token`](http://stackoverflow.com/questions/941594/understand-rails-authenticity-token),
which the framework [uses to combat
CSRF](http://guides.rubyonrails.org/security.html#csrf-countermeasures). The
request also needs to send the session cookie, because the server validates the
`authenticity_token` against it.

![Curling](http://images.thoughtbot.com/ui/curling.jpg)

## cURL

So here's the cURL solution.

Step 1:

    curl http://dddd-staging.heroku.com --cookie-jar cookie | grep csrf

That will store the cookies in a file named "cookie" and print out the
`authenticity_token` you need (it's the value of the content attribute on the
csrf-token meta tag):

```html
<meta name="csrf-param" content="authenticity_token" />
<meta name="csrf-token" content="sNMk592JV2wwHn6DPJ8C5oy/hHDnjIlZBOHyngtTbpQ=" />
```

Meanwhile, the contents of the cookies file looks like this:

```text
# Netscape HTTP Cookie File
# http://curl.haxx.se/rfc/cookie_spec.html
# This file was generated by libcurl! Edit at your own risk.
#HttpOnly_dddd-staging.heroku.com FALSE / FALSE 0 _dddd_session BAh7...
```

Step 2:

    curl http://dddd-staging.heroku.com/registrations \
      --data "registration[name]=Dan Croak&registration[twitter]=croaky&registration[school_name]=Holy Cross&registration[role]=Developer&authenticity_token=sNMk592JV2wwHn6DPJ8C5oy/hHDnjIlZBOHyngtTbpQ=" \
      --cookie cookie

This adds the `authenticity_token` and also includes the cookie from the first
request.

The output will be the original <abbr title="HyperText Markup
Language">HTML</abbr> that we fetched and replaced on the page via Ajax when
registration was still open:

```html
<div class="student">
  <div class="avatar">
    <img src="http://avatar.statusok.com/croaky?size=73" alt="" />
  </div>
  <div class="student-details">
    <div class="name">Dan Croak</div>
    <div class="twitter">@croaky</div>
    <div class="role-and-school">
      Developer, Holy Cross
    </div>
  </div>
</div>

<h2>Thanks for registering! We can't wait to see you</h2>

<p><strong>Follow @<a href="http://twitter.com/thoughtbot">thoughtbot</a> and
@<a href="http://twitter.com/greenhornboston">greenhornboston</a> for updates</strong></p>

<p><strong>We also invite you to join our private
<a href="http://groups.google.com/group/developers-developers-developers-developers">mailing list</a>
for speakers and attending students</strong></p>
```
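The two cURL steps above, wrapped up as a script. This is an added example, not code from the original post or from thoughtbot: the function names (`extract_csrf_token`, `fetch_csrf_token`, `post_registration`) and the sample HTML are my own, and the script takes the base URL as an argument rather than hard-coding the staging host. It differs from the post's command in one practical respect: it sends each field with `--data-urlencode` instead of `--data`. The token in Step 2 happened to contain only `/` and a trailing `=`, which survive form decoding, but a token containing `+` (like the one in the Web Inspector section) would be decoded as a space by Rack if sent raw, and the request would be rejected. The flow also makes the security point concrete: the token is bound to the session cookie the server handed out, so it stops a third-party origin that cannot read the page, not a first-party client that fetched the page and the cookie itself.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed names: the three
# functions below and the constructed SAMPLE_HTML fragment.

# Pull the content attribute of the csrf-token meta tag out of an HTML
# document passed as the first argument. POSIX sed only; prints nothing
# if the tag is absent.
extract_csrf_token() {
  printf '%s\n' "$1" |
    sed -n 's/.*<meta name="csrf-token" content="\([^"]*\)".*/\1/p' |
    head -n 1
}

# Fetch the page at $1, store the session cookie in the jar file $2,
# and print the token found in the page (Step 1 of the post).
fetch_csrf_token() {
  base_url=$1
  cookie_jar=$2
  extract_csrf_token "$(curl -s "$base_url" --cookie-jar "$cookie_jar")"
}

# POST the registration to $1/registrations, replaying the cookie from $2
# together with the token $3 (Step 2 of the post). --data-urlencode
# percent-encodes each value, so spaces, "+", "/" and "=" arrive intact.
post_registration() {
  base_url=$1
  cookie_jar=$2
  token=$3
  curl -s "$base_url/registrations" \
    --cookie "$cookie_jar" \
    --data-urlencode "authenticity_token=$token" \
    --data-urlencode "registration[name]=$4" \
    --data-urlencode "registration[twitter]=$5" \
    --data-urlencode "registration[school_name]=$6" \
    --data-urlencode "registration[role]=$7"
}

# Constructed sample of the <head> fragment shown in the post, so the
# extraction can be exercised without any network access.
SAMPLE_HTML='<html><head>
<meta name="csrf-param" content="authenticity_token" />
<meta name="csrf-token" content="sNMk592JV2wwHn6DPJ8C5oy/hHDnjIlZBOHyngtTbpQ=" />
</head><body></body></html>'

# With no argument, only the offline extraction runs. With a base URL as
# the first argument, the real fetch-then-POST sequence runs against it.
main() {
  echo "token from sample: $(extract_csrf_token "$SAMPLE_HTML")"
  if [ -n "$1" ]; then
    jar=$(mktemp)
    token=$(fetch_csrf_token "$1" "$jar")
    post_registration "$1" "$jar" "$token" "Dan Croak" "croaky" "Holy Cross" "Developer"
    rm -f "$jar"
  fi
}

main "$@"
```

Invoke it as `sh register.sh http://dddd-staging.heroku.com` to reproduce the post's two steps against the staging app; without an argument it only demonstrates the token extraction on the embedded sample.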

## Another Approach: Using Web Inspector

However, we're living in the future here, folks.  It's 2011, and we've got a GUI
for everything - no need to get Terminal all over your hands.

![This is a web browser, I know this](http://images.thoughtbot.com/ui/jurassic-park-unix-1.jpg "This is a web browser, I know this")

So let's load the site normally in a web browser, view the <abbr
title="HyperText Markup Language">HTML</abbr> source to grab that authenticity
token, insert a form into the DOM, then submit it.

I'll be using Chrome and the WebKit Inspector here, but you could also use
Firefox and the excellent [Firebug plugin](http://getfirebug.com).

Step 1: Find the authenticity token

Here I view the <abbr title="HyperText Markup Language">HTML</abbr> source and
look for the authenticity token in the `<head>` element:

![Auth Token](http://images.thoughtbot.com/ui/d8-auth-token.jpg)

Step 2: Insert a form into the HTML

Here's the registration form that we'll add back into the page.  I made sure to
insert the right authenticity token:

```html
<form action="/registrations" method="POST">
  <input type="text" name="registration[name]"        value="Jason Morrison" />
  <input type="text" name="registration[twitter]"     value="jayunit" />
  <input type="text" name="registration[school_name]" value="RIT" />
  <input type="text" name="registration[role]"        value="Developer" />
  <input type="text" name="authenticity_token" value="iKSXdP4+Ir80ABwsmwvX5LjUKdto3n6p99E/+pgmegI=" />
  <input type="submit" />
</form>
```

You can insert the form anywhere.  Let's overwrite this paragraph:

![Edit HTML](http://images.thoughtbot.com/ui/d8-edit-html.jpg)

Paste in the HTML:

![Pasted HTML](http://images.thoughtbot.com/ui/d8-pasted-html.jpg)

Step 3: Submit the form

Click submit, and you're off to the races.

![Form Success](http://images.thoughtbot.com/ui/d8-form-success.jpg)

See you at the event!
