Allow external ticket creation
We at Pixelated implemented a new feature in our user-agent that allows users to provide feedback about their experience. Our solution was to create an interface inside the user agent and save that message on the tickets page on leap web, since it's way easier to manage that later.
The problem is that we cannot make a POST request from the pixelated-user-agent to leap web because we don't have the CSRF token provided by Rails.
We propose to disable this verification[1] on this specific controller, given it doesn't require any authentication when creating tickets anonymously.
One of the problems raised was that removing the token would allow abuse of the form. But if someone wants to flood that form, they just need to scrape the token from the HTML.
Talking to meskio, he suggested that a better alternative would be to create an API that allows external ticket creation. Our only concern is how we are going to authenticate.
Our goal with this feedback feature is to identify bad user experiences, and these situations may happen when some of the components (soledad, leap_mail, key_manager, etc.) are broken, so we don't want to rely on any of the information in these components to authenticate.
What do you think? Any concerns or suggestions about any of these solutions?
[1] - http://stackoverflow.com/questions/23373329/rails-3-2-disable-csrf-protection-for-controller-action
(from redmine: created on 2015-09-24, closed on 2015-10-01)
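
One way to scope the proposal above, as an added example that is not LEAP web or Pixelated code: keep the token check whenever a request carries a session, since that is the case CSRF protection exists for, and throttle anonymous submissions instead of relying on a scrapeable token. `TicketEndpoint`, the request hash, the limits and the client key (for instance a source address) are all hypothetical.

```ruby
require "securerandom"

# Hypothetical stand-in for a ticket-creation endpoint (plain Ruby, no Rails).
class TicketEndpoint
  LIMIT  = 5   # assumed: max anonymous tickets per client per window
  WINDOW = 60  # assumed: window length in seconds

  attr_reader :tickets

  def initialize
    @tickets = []
    @hits = Hash.new { |h, k| h[k] = [] } # client key => request timestamps
  end

  # req: { client:, session: (nil when anonymous), csrf_token:, body: }
  # Returns an HTTP-like status code.
  def create(req, now: Time.now.to_f)
    session = req[:session]
    if session
      # A session is what a forged cross-site request rides on: keep the check.
      return 403 unless valid_token?(session[:csrf_token], req[:csrf_token])
    else
      # Anonymous: no session to abuse, so limit flooding per client instead.
      return 429 unless allow?(req[:client], now)
    end
    @tickets << { user: session && session[:user], body: req[:body] }
    201
  end

  private

  # Constant-time comparison of the expected and submitted tokens.
  def valid_token?(expected, given)
    return false unless expected.is_a?(String) && given.is_a?(String)
    return false unless expected.bytesize == given.bytesize
    expected.bytes.zip(given.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
  end

  # Sliding-window throttle: at most LIMIT requests per WINDOW seconds.
  def allow?(client, now)
    hits = @hits[client]
    hits.reject! { |t| t <= now - WINDOW }
    return false if hits.size >= LIMIT
    hits << now
    true
  end
end
```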