I am sending some very simple AJAX POST and PATCH requests via JavaScript in my application. The functionality is fine, works as intended. However, I do not see the authenticity token in the AJAX request params and it still works.
    $.ajax({
      type: 'PATCH',
      url: '/dashboard/goals/#{@goal.id}.js',
      data: $.param({
        new_invitation: {
          recipient_id: recId,
          type: "GoalInvite",
          user_id: #{current_user.id}
        }
      })
    });
And the params appear as follows in the log:

    Parameters: {"new_invitation"=>{"recipient_id"=>"24", "type"=>"GoalInvite", "user_id"=>"23"}, "id"=>"234"}

No authenticity token. I think I know how I could add it in, but I am surprised that it even works without it. Can anyone shed some light on this?
If you inspect the request object you'll (hopefully) see that there's a request header named HTTP_X_CSRF_TOKEN that contains the authenticity token. The jquery_ujs library takes care of this for you, so you don't have to include the token in AJAX requests manually.
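
A small model of the mechanism described in the answer above, added here as an example (it is not jquery_ujs or Rails source): the client copies the `csrf-token` meta tag into an `X-CSRF-Token` header, which Rack exposes as `HTTP_X_CSRF_TOKEN`, for same-origin requests only, and the server accepts the token from either the parameter or the header. The function names, origins and token value are constructed for illustration.

```javascript
// Constructed sample values: the token the server keeps in the session and
// renders into the page's csrf-token meta tag. Not real data.
const SESSION_TOKEN = "constructed-token-abc123";
const PAGE_ORIGIN = "https://app.example";
const pageMeta = { "csrf-param": "authenticity_token", "csrf-token": SESSION_TOKEN };

// Client side (model of the jquery_ujs prefilter): copy the meta tag value into
// an X-CSRF-Token header, but only when the request stays on the page's origin.
function prepareRequest(meta, pageOrigin, req) {
  const target = new URL(req.url, pageOrigin);
  const headers = Object.assign({}, req.headers);
  const token = meta["csrf-token"];
  if (token && target.origin === pageOrigin) headers["X-CSRF-Token"] = token;
  return { method: req.type, url: target.href, headers, params: req.data };
}

// Comparison that does not stop at the first differing character.
function safeEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string" || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Server side (simplified model of the Rails check): GET and HEAD are exempt;
// other verbs need the token in the authenticity_token param OR in the header.
function verifiedRequest(sessionToken, req) {
  if (req.method === "GET" || req.method === "HEAD") return true;
  return safeEqual(req.params.authenticity_token, sessionToken) ||
         safeEqual(req.headers["X-CSRF-Token"], sessionToken);
}

// The PATCH from the question: its params carry no authenticity_token.
const patch = {
  type: "PATCH",
  url: "/dashboard/goals/234.js",
  data: { new_invitation: { recipient_id: "24", type: "GoalInvite", user_id: "23" } }
};

const sameOrigin = prepareRequest(pageMeta, PAGE_ORIGIN, patch);
const noMetaTag = prepareRequest({}, PAGE_ORIGIN, patch);
const crossOrigin = prepareRequest(pageMeta, PAGE_ORIGIN,
  Object.assign({}, patch, { url: "https://other.example/dashboard/goals/234.js" }));

console.log("same origin verified:", verifiedRequest(SESSION_TOKEN, sameOrigin));
console.log("no meta tag verified:", verifiedRequest(SESSION_TOKEN, noMetaTag));
console.log("cross-origin sends token:", "X-CSRF-Token" in crossOrigin.headers);
```

The middle case is what a page rendered without the meta tag would hit: the request is rejected because neither the parameter nor the header carries the token.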