Rails：已完成 401 未经授权

我收到此错误，但我不知道为什么。我特别排除了 CSRF 检查。这#webhook即使在生产中，该方法也有效。其他类似的问题是关于 Devise 的，但我没有在此控制器中使用 Devise。

class StripesController < ApplicationController
  Stripe.api_key = ENV['STRIPE_PRIVATE']
  protect_from_forgery :except => [:webhook, :create]
  
  def show
  end

  def create
    # Amount in cents
    @amount = params[:amount]
  
    customer = Stripe::Customer.create(
      :email => params[:stripeEmail],
      :source  => params[:stripeToken]
    )
  
    charge = Stripe::Charge.create(
      :customer    => customer.id,
      :amount      => @amount,
      :description => 'Membership Fee',
      :currency    => 'usd'
    )
  
    render :show
  rescue Stripe::CardError => e
    flash[:error] = e.message
    redirect_to stripe_path
  end

resource :stripe do

Started POST "/stripe/" for 127.0.0.1 at 2018-01-03 11:58:17 -0500
Processing by StripesController#create as HTML
  Parameters: {"amount"=>"100", "stripeToken"=>"tok_1BgFZ2IYOmXNPhc121HxNtw0", "stripeEmail"=>"[email protected] /cdn-cgi/l/email-protection"}
  Rendering stripes/show.haml within layouts/application
  Rendered stripes/show.haml within layouts/application (2.0ms)
  User Load (3.0ms)  SELECT  "users".* FROM "users" WHERE "users"."id" = $1 ORDER BY "users"."id" ASC LIMIT $2  [["id", 1], ["LIMIT", 1]]
   (2.0ms)  BEGIN
   (1.0ms)  COMMIT
Completed 401 Unauthorized in 3533ms (ActiveRecord: 6.0ms)


Started GET "/" for 127.0.0.1 at 2018-01-03 11:58:21 -0500

Rails 默认开启:debug日志级别。http://guides.rubyonrails.org/v5.0/debugging_rails_applications.html#log-levels http://guides.rubyonrails.org/v5.0/debugging_rails_applications.html#log-levels

我能够通过设置重现它

config.timeout_in = 1.minute # 8.hours

如果我登录并处于活动状态，它工作正常，但如果会话超时，则会导致此 401 问题。

这是来自浏览器的请求/响应。它显示成功和 302 响应，而不是 401。但它在服务器控制台日志中显示 401。

POST /stripe/ HTTP/1.1
Host: localhost:3000
Connection: keep-alive
Content-Length: 82
Cache-Control: max-age=0
Origin: http://localhost:3000
Content-Type: application/x-www-form-urlencoded
...

HTTP/1.1 302 Found
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Location: http://localhost:3000/
Content-Type: text/html; charset=utf-8

浏览器网络日志中没有任何 401 响应，即使按状态排序，即使使用 Preserver Log。

导轨 5.0.2

HTTP 代码 401 未经授权用于身份验证（https://httpstatuses.com/401 https://httpstatuses.com/401）。它与CSRF无关。在这种情况下，它将引发 ActionController::InvalidAuthenticityToken。

我很确定您的 ApplicationController 中有一个 before_action 需要用户身份验证（或在 paths.rb 中，或在 nginx/Apache 的配置中）。