Replacing Rodauth's authentication templates

I’m building a workout app called https://tectonicplates.app. I wanted to add authentication to the app, so I incorporated Rodauth, a gem from the creator of Roda.

 

It comes with default templates for login, logout, create an account, etc. But those views use Bootstrap tags, and I’m using Tailwind in my project instead. So I wanted to replace the default templates with custom templates.

 

I ran the rodauth.login_view method to grab the HTML for the default view. I coped the HTML generated from that method, and decoded it. I copied and pasted that HTML into a login.erb file in the /views/ directory. Rodauth immediately picked it up and used it as the login page.

 

Problem

 

I tried logging in using my new page, but got an error.

 

Roda::RodaPlugins::RouteCsrf::InvalidToken at /login"

 

CSRF Error with Rodauth

 

This error is coming from this line:

 

<input type="hidden" name="_csrf" 
value="RCc5iYNpPhXN" />

 

My hunch is that I need to replace the value of the CSRF token with one that is generated on the fly. I’m guessing there is some sort of method that Rodauth uses to generate these tokens.

 

I couldn’t find anything in the documentation about how to generate a csrf token. I saw info about switching to Rack’s CSRF features, but not about how to generate a token.

 

My first try was replacing the token with csrf_token but that didn’t work.

 

 

Roda::RodaPlugins::RouteCsrf::InvalidToken at /login
decoded token is not valid for request method and path (Roda::RodaPlugins::RouteCsrf::InvalidToken)

 

My second try was replacing the entire input line with csrf_tag since it generates the html.

 

But then I got the same error as the one I started with:

 

Roda::RodaPlugins::RouteCsrf::InvalidToken at /login
decoded token is not valid for request method and path (Roda::RodaPlugins::RouteCsrf::InvalidToken)

 

None of the other options looked helpful, after looking through the output of each one.

CSRF methods

 

My third idea was to see if there was a Rodauth sample app somewhere, and I could copy the code to generate the token from there.

 

The rodauth-rails gem has an example app, but it didn’t create any tokens on the page.

 

Solution

 

In the end, the solution was to use rodauth.csrf_token .
Subscribe to updates