Can't verify CSRF token authenticity when using prepend_before_action

I have the following application controller. I recently added the set_customer which I want to execute before the authorize part. The prepend_before_action does that perfectly. However as soon as I add that line I'm getting this error: Can't verify CSRF token authenticity

The current_user isn't nil, so when I debug it goes right over the set_customer part and straight into the authorize method. When I remove the prepend_before_action line it works again. How can I fix this (while keeping the CSRF protection of course.

Maybe important to mention: I'm also using devise. The error comes on Devise::SessionsController#create

class ApplicationController < ActionController::Base
  protect_from_forgery with: :exception, prepend: true
  before_action :authorize
  prepend_before_action :authorize, :set_customer

  def authorize
    if current_permission.allow?(params[:controller], params[:action], current_resource)
      current_permission.permit_params! params
      raise Permission::NotAuthorized

  def set_customer
    if current_user.nil?
      # some unimportant code since current_user isn't nil

1 answer

  • answered 2018-02-13 00:26 Josh

    Have you tried moving protect_from_forgery below prepend_before_action? One of the suggestions on the Devise GitHub for the CSRF error is to change the order you call them, or add prepend to the p_f_p. To my understanding, prepend sets the thing being prepended to index 0. That would be putting your authorize call before your p_f_p call in execution.