As mentioned in the [documentation][1].

For Rails 5, note that `protect_from_forgery` is no longer prepended to the `before_action` chain, so if you have set `authenticate_user` before `protect_from_forgery`, your request will result in "Can't verify CSRF token authenticity." To resolve this, either change the order in which you call them, or use `protect_from_forgery prepend: true`.

I have used something like this and it works for me.

```ruby
class WelcomeController < ::Base
  protect_from_forgery with: :exception
  before_action :authenticate_model!
end
```

[1]: https://github.com/plataformatec/#controller-filters-and-helpers
As it turns out, [Devise documentation][1] is quite revealing with regard to this error:
> For **Rails 5**, note that protect_from_forgery is no longer prepended to
> the **before_action** chain, so if you have set authenticate_user before
> **protect_from_forgery**, your request will result in "**Can't verify CSRF
> token authenticity.**" **To resolve this, either change the order in which
> you call them, or use protect_from_forgery prepend: true**.

The fix was to change code in my application controller from this:

```ruby
protect_from_forgery with: :exception
```

To this:

```ruby
protect_from_forgery prepend: true
```

This issue did not manifest itself until I attempted adding Audited or Paper Trail gems.
[1]: https://github.com/plataformatec/devise#controller-filters-and-helpers
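
The ordering problem both answers describe, as an added plain-Ruby model (not code from either answer, Devise or Rails). `MiniController` and `outcome` are hypothetical names, and the model assumes the authentication filter discards the session's CSRF token when it signs the user in.

```ruby
# Plain-Ruby model of a Rails 5 before_action chain (no Rails required).
class MiniController
  InvalidAuthenticityToken = Class.new(StandardError)

  def self.chain; @chain ||= []; end # one filter list per controller class

  # Filters run in declaration order unless prepend: true is given.
  def self.before_action(name, prepend: false)
    prepend ? chain.unshift(name) : chain.push(name)
  end

  # Rails 5 behaviour: appended like any other filter by default.
  def self.protect_from_forgery(with: :exception, prepend: false)
    before_action(:verify_authenticity_token, prepend: prepend)
  end

  def initialize(session, params)
    @session, @params = session, params
  end

  # Run the chain; return :ok or the CSRF error message.
  def process
    self.class.chain.each { |filter| send(filter) }
    :ok
  rescue InvalidAuthenticityToken => e
    e.message
  end

  private

  def verify_authenticity_token
    return if @session[:_csrf_token] && @session[:_csrf_token] == @params[:authenticity_token]
    raise InvalidAuthenticityToken, "Can't verify CSRF token authenticity."
  end

  # Assumption: signing in discards the session's CSRF token.
  def authenticate_user!
    @session.delete(:_csrf_token)
  end
end

# Declare filters on a fresh controller, then send a request whose
# submitted token matches the session token (constructed sample values).
def outcome(&declarations)
  klass = Class.new(MiniController, &declarations)
  klass.new({ _csrf_token: "tok" }, { authenticity_token: "tok" }).process
end

BROKEN    = outcome { before_action :authenticate_user!; protect_from_forgery with: :exception }
REORDERED = outcome { protect_from_forgery with: :exception; before_action :authenticate_user! }
PREPENDED = outcome { before_action :authenticate_user!; protect_from_forgery prepend: true }
```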