app: improve InvalidAuthenticityToken logging

- Log on all controllers
- Improve description of the controller action involved
- Ignore Safari bogus requests
This commit is contained in:
Pierre de La Morinerie 2021-07-06 10:34:23 +00:00
parent 50ebd6d17a
commit 09933454ff
4 changed files with 78 additions and 12 deletions

View file

@ -2,6 +2,7 @@ class ApplicationController < ActionController::Base
include TrustedDeviceConcern
include Pundit
include Devise::StoreLocationExtension
include ApplicationController::ErrorHandling
MAINTENANCE_MESSAGE = 'Le site est actuellement en maintenance. Il sera à nouveau disponible dans un court instant.'

View file

@ -0,0 +1,29 @@
module ApplicationController::ErrorHandling
extend ActiveSupport::Concern
included do
rescue_from ActionController::InvalidAuthenticityToken do
if cookies.count == 0
# When some browsers (like Safari) re-open a previously closed tab, they attempts
# to reload the page even if it is a POST request. But in that case, they dont
# sends any of the cookies.
#
# Ignore this error.
render plain: "Les cookies doivent être activés pour utiliser #{APPLICATION_NAME}.", status: 403
else
log_invalid_authenticity_token_error
raise # propagate the exception up, to render the default exception page
end
end
end
def log_invalid_authenticity_token_error
Sentry.with_scope do |temp_scope|
tags = {
action: "#{self.class.name}#{action_name}"
}
temp_scope.set_tags(tags)
Sentry.capture_message("ActionController::InvalidAuthenticityToken")
end
end
end

View file

@ -81,18 +81,6 @@ class Users::SessionsController < Devise::SessionsController
private
def handle_unverified_request
log_invalid_authenticity_token_error
super
end
def log_invalid_authenticity_token_error
Sentry.with_scope do |temp_scope|
tags = {
request_tokens: request_authenticity_tokens.compact.map { |t| t.gsub(/.....$/, '*****') }.join(', '),
session_token: session[:_csrf_token]&.gsub(/.....$/, '*****')
}
temp_scope.set_tags(tags)
Sentry.capture_message("ActionController::InvalidAuthenticityToken in Users::SessionsController")
end
end
end

View file

@ -0,0 +1,48 @@
RSpec.describe ApplicationController::ErrorHandling, type: :controller do
controller(ActionController::Base) do
include ApplicationController::ErrorHandling
def invalid_authenticity_token
raise ActionController::InvalidAuthenticityToken
end
end
before do
routes.draw { post 'invalid_authenticity_token' => 'anonymous#invalid_authenticity_token' }
end
describe 'handling ActionController::InvalidAuthenticityToken' do
let(:request_cookies) do
{ 'some_cookie': true }
end
before { cookies.update(request_cookies) }
it 'logs the error' do
allow(Sentry).to receive(:capture_message)
post :invalid_authenticity_token rescue nil
expect(Sentry).to have_received(:capture_message)
end
it 'forwards the error upwards' do
expect { post :invalid_authenticity_token }.to raise_error(ActionController::InvalidAuthenticityToken)
end
context 'when Safari retries a POST request without cookies' do
let(:request_cookies) do
{}
end
it 'returns a message' do
post :invalid_authenticity_token
expect(response).to have_http_status(403)
expect(response.body).to include('cookies')
end
it 'renders the standard exception page' do
expect { post :invalid_authenticity_token }.not_to raise_error
end
end
end
end