ActionController::InvalidAuthenticityToken on sign-in failure

[pschrammel]

Rails 8.1.2
Ruby 3.3.6
Devise 4.9.4

Behaviour

When providing a wrong password on login the application throws a ActionController::InvalidAuthenticityToken exception.

Expected

Show errors in the form

Details

Request Parameters:

{"authenticity_token"=>"[FILTERED]", "account"=>{"email"=>"[FILTERED]", "password"=>"[FILTERED]", "remember_me"=>"0"}, "commit"=>"Log in", "locale"=>"de"}`

Tried

• disabled unpoly (removed up-main and up up-viewport)
• tried Devise::FailureApp is not compatible with Rails 7.1 csrf_token_storage #5698
• config.clean_up_csrf_token_on_authentication = false

[carlosantoniodasilva]

This similar error has been reported multiple times over the years, and it was almost never proven to be a Devise issue from what I understand: https://github.com/heartcombo/devise/issues?q=is%3Aissue%20state%3Aclosed%20InvalidAuthenticityToken

I'm happy to take a better look, but I'd need a sample app showing the issue to help debug this.

Also please note: it's recommended to update to Devise v5 for better Rails 8+ support.

[pschrammel]

Thx for the quick response. I read all the old tickets....

I think i found a solution:

in the application controller I've set:
protect_from_forgery with: :null_session

I think in Rails 8 the default is :exception. I think this is still a workaround. I will try to debug things further.