Merge pull request #6325 from betagouv/improve-csrf-logging-again

Erreurs ActionController::InvalidAuthenticityToken : lorsqu'il n'y a pas de cookies, la page d'erreur par défaut est affichée (#6325)

app/controllers/application_controller/error_handling.rb

@@ -3,19 +3,20 @@ module ApplicationController::ErrorHandling
 
   included do
     rescue_from ActionController::InvalidAuthenticityToken do
-      if cookies.count == 0
       # When some browsers (like Safari) re-open a previously closed tab, they attempts
       # to reload the page – even if it is a POST request. But in that case, they don’t
       # sends any of the cookies.
       #
-        # Ignore this error.
+      # In that case, don’t report this error.
-        render plain: "Les cookies doivent être activés pour utiliser #{APPLICATION_NAME}.", status: 403
+      if request.cookies.count > 0
-      else
         log_invalid_authenticity_token_error
+      end
+
       raise # propagate the exception up, to render the default exception page
     end
   end
-  end
+
+  private
 
   def log_invalid_authenticity_token_error
     Sentry.with_scope do |temp_scope|

spec/controllers/application_controller/error_handling_spec.rb

@@ -33,15 +33,10 @@ RSpec.describe ApplicationController::ErrorHandling, type: :controller do
         {}
       end
 
-      it 'returns a message' do
+      it 'doesn’t log the error' do
-        post :invalid_authenticity_token
+        allow(Sentry).to receive(:capture_message)
-
+        post :invalid_authenticity_token rescue nil
-        expect(response).to have_http_status(403)
+        expect(Sentry).not_to have_received(:capture_message)
-        expect(response.body).to include('cookies')
-      end
-
-      it 'renders the standard exception page' do
-        expect { post :invalid_authenticity_token }.not_to raise_error
       end
     end
   end