Merge pull request #6325 from betagouv/improve-csrf-logging-again

Erreurs ActionController::InvalidAuthenticityToken : lorsqu'il n'y a pas de cookies, la page d'erreur par défaut est affichée (#6325)
This commit is contained in:
Pierre de La Morinerie 2021-07-07 09:38:03 +02:00 committed by GitHub
commit 380d2c5efa
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 14 additions and 18 deletions

View file

@ -3,20 +3,21 @@ module ApplicationController::ErrorHandling
included do
rescue_from ActionController::InvalidAuthenticityToken do
if cookies.count == 0
# When some browsers (like Safari) re-open a previously closed tab, they attempts
# to reload the page even if it is a POST request. But in that case, they dont
# sends any of the cookies.
#
# Ignore this error.
render plain: "Les cookies doivent être activés pour utiliser #{APPLICATION_NAME}.", status: 403
else
# When some browsers (like Safari) re-open a previously closed tab, they attempts
# to reload the page even if it is a POST request. But in that case, they dont
# sends any of the cookies.
#
# In that case, dont report this error.
if request.cookies.count > 0
log_invalid_authenticity_token_error
raise # propagate the exception up, to render the default exception page
end
raise # propagate the exception up, to render the default exception page
end
end
private
def log_invalid_authenticity_token_error
Sentry.with_scope do |temp_scope|
tags = {

View file

@ -33,15 +33,10 @@ RSpec.describe ApplicationController::ErrorHandling, type: :controller do
{}
end
it 'returns a message' do
post :invalid_authenticity_token
expect(response).to have_http_status(403)
expect(response.body).to include('cookies')
end
it 'renders the standard exception page' do
expect { post :invalid_authenticity_token }.not_to raise_error
it 'doesnt log the error' do
allow(Sentry).to receive(:capture_message)
post :invalid_authenticity_token rescue nil
expect(Sentry).not_to have_received(:capture_message)
end
end
end