FIX: BAD CSRF on login. Don't check csrf in the fake login form since it doesn't actually do anything.

app/assets/javascripts/discourse/controllers/login_controller.js

@@ -56,7 +56,6 @@ Discourse.LoginController = Discourse.Controller.extend(Discourse.ModalFunctiona
         $hidden_login_form.find('input[name=username]').val(loginController.get('loginName'));
         $hidden_login_form.find('input[name=password]').val(loginController.get('loginPassword'));
         $hidden_login_form.find('input[name=redirect]').val(window.location.href);
-        $hidden_login_form.find('input[name=authenticity_token]').val($('meta[name=csrf-token]').attr('content'));
         $hidden_login_form.submit();
       }
 

app/controllers/static_controller.rb

@@ -1,6 +1,7 @@
 class StaticController < ApplicationController
 
   skip_before_filter :check_xhr, :redirect_to_login_if_required
+  skip_before_filter :verify_authenticity_token, only: [:enter]
 
   def show
 

app/views/layouts/application.html.erb

@@ -51,7 +51,6 @@
         <input name="username" type="text"     id="signin_username">
         <input name="password" type="password" id="signin_password">
         <input name="redirect" type="hidden">
-        <input name="authenticity_token" type="hidden" />
         <input type="submit" id="signin-button" value="Log In">
       </form>
     <% end %>