Per the comments in the core application_controller.rb, set protect_from_forgery to the following:

    protect_from_forgery with: :null_session

Alternatively, per the docs, simply declaring protect_from_forgery without a :with argument will utilize :null_session by default:

    protect_from_forgery # Same as above

UPDATE:

This seems to be a documented bug in the behavior of Devise. The author of Devise suggests disabling protect_from_forgery on the particular controller action that’s raising this exception:

    # app/controllers/users/registrations_controller.rb
    class RegistrationsController < Devise::RegistrationsController
      skip_before_filter :verify_authenticity_token, :only => :create
    end
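
To compare what each option in the answer above does to a request whose CSRF token fails verification, here is a simplified pure-Ruby model. It is an added example, not part of the original answer and not Rails or Devise source; the request hash shape, the function names and the `:skipped` label are hypothetical. It shows why the skip should stay scoped to `:only => :create`: a skipped action runs with the caller's real session, while `:null_session` hands the action an empty one.

```ruby
# Simplified model (added example, not Rails source) of how the
# protect_from_forgery strategies treat a request with a bad CSRF token.
require "securerandom"

class InvalidAuthenticityToken < StandardError; end

# Constant-time comparison so the check does not leak the token byte by byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Hypothetical request shape: :method, :session (Hash), :token (String or nil).
def verified?(request)
  return true if %w[GET HEAD].include?(request[:method]) # only state-changing verbs are checked
  expected = request[:session][:_csrf_token]
  !expected.nil? && !request[:token].nil? && secure_compare(expected, request[:token])
end

# Returns the session the controller action would see, or raises.
# :skipped models skip_before_filter :verify_authenticity_token (no check at all).
def session_for_action(request, strategy)
  return request[:session] if strategy == :skipped || verified?(request)
  case strategy
  when :exception     then raise InvalidAuthenticityToken
  when :null_session  then {}                      # empty for this request; stored session untouched
  when :reset_session then request[:session].clear # stored session is wiped
  else raise ArgumentError, "unknown strategy #{strategy}"
  end
end

# Constructed sample: a logged-in user's session and a POST that carries no token.
def forged_post
  { method: "POST", token: nil,
    session: { user_id: 42, _csrf_token: SecureRandom.base64(32) } }
end
```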