puzzle-scoreboard/app/controllers/messages_controller.rb

class MessagesController < ApplicationController
  allow_unauthenticated_access
  skip_before_action :verify_authenticity_token

  def create
    skip_authorization

    @message_params = message_params
    @contest = Contest.find_by_token_for(:token, params[:token])
    @message = Message.new(text: params[:text], time_seconds: params[:time_seconds], contest: @contest)
    if @contest && @message.save
      respond_to do |format|
        format.json  { render json: {}, status: 200 }
      end
    else
      respond_to do |format|
        format.json  { render json: { error: "invalid contest token" }, status: 400 }
      end
    end
  end

  def message_params
    params.expect(message: [ :text, :time_seconds, :token ])
  end
end