Merge pull request #6326 from betagouv/main

2021-07-06-02
2021-07-06 17:35:33 +02:00 · 2021-07-06 17:35:33 +02:00 · 8405d6e4bf
commit 8405d6e4bf
parent 12ecafb67a b4b58aa20f
7 changed files with 82 additions and 15 deletions
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@ -2,6 +2,7 @@ class ApplicationController < ActionController::Base
  include TrustedDeviceConcern
  include Pundit
  include Devise::StoreLocationExtension
+  include ApplicationController::ErrorHandling

  MAINTENANCE_MESSAGE = 'Le site est actuellement en maintenance. Il sera à nouveau disponible dans un court instant.'

--- a/app/controllers/application_controller/error_handling.rb
+++ b/app/controllers/application_controller/error_handling.rb
@ -0,0 +1,29 @@
+module ApplicationController::ErrorHandling
+  extend ActiveSupport::Concern
+
+  included do
+    rescue_from ActionController::InvalidAuthenticityToken do
+      if cookies.count == 0
+        # When some browsers (like Safari) re-open a previously closed tab, they attempts
+        # to reload the page – even if it is a POST request. But in that case, they don’t
+        # sends any of the cookies.
+        #
+        # Ignore this error.
+        render plain: "Les cookies doivent être activés pour utiliser #{APPLICATION_NAME}.", status: 403
+      else
+        log_invalid_authenticity_token_error
+        raise # propagate the exception up, to render the default exception page
+      end
+    end
+  end
+
+  def log_invalid_authenticity_token_error
+    Sentry.with_scope do |temp_scope|
+      tags = {
+        action: "#{self.class.name}#{action_name}"
+      }
+      temp_scope.set_tags(tags)
+      Sentry.capture_message("ActionController::InvalidAuthenticityToken")
+    end
+  end
+end
--- a/app/controllers/users/sessions_controller.rb
+++ b/app/controllers/users/sessions_controller.rb
@ -81,18 +81,6 @@ class Users::SessionsController < Devise::SessionsController
  private

  def handle_unverified_request
-    log_invalid_authenticity_token_error
    super
  end
-
-  def log_invalid_authenticity_token_error
-    Sentry.with_scope do |temp_scope|
-      tags = {
-        request_tokens: request_authenticity_tokens.compact.map { |t| t.gsub(/.....$/, '*****') }.join(', '),
-        session_token: session[:_csrf_token]&.gsub(/.....$/, '*****')
-      }
-      temp_scope.set_tags(tags)
-      Sentry.capture_message("ActionController::InvalidAuthenticityToken in Users::SessionsController")
-    end
-  end
 end
--- a/app/javascript/components/shared/hooks.js
+++ b/app/javascript/components/shared/hooks.js
@ -4,7 +4,7 @@ export function useDeferredSubmit(input) {
  const calledRef = useRef(false);
  const awaitFormSubmit = useCallback(
    (callback) => {
-      const form = input.form;
+      const form = input?.form;
      if (!form) {
        return;
      }
--- a/app/models/procedure.rb
+++ b/app/models/procedure.rb
@ -55,6 +55,7 @@ class Procedure < ApplicationRecord
  MAX_DUREE_CONSERVATION = 36
  MAX_DUREE_CONSERVATION_EXPORT = 3.hours

+  MIN_WEIGHT = 350000
  has_many :revisions, -> { order(:id) }, class_name: 'ProcedureRevision', inverse_of: :procedure
  belongs_to :draft_revision, class_name: 'ProcedureRevision', optional: false
  belongs_to :published_revision, class_name: 'ProcedureRevision', optional: true
@ -684,7 +685,7 @@ class Procedure < ApplicationRecord
        .where(type: Champs::PieceJustificativeChamp.to_s, dossier: dossiers_sample)
        .sum('active_storage_blobs.byte_size')

-      total_size / dossiers_sample.length
+      MIN_WEIGHT + total_size / dossiers_sample.length
    else
      nil
    end
--- a/spec/controllers/application_controller/error_handling_spec.rb
+++ b/spec/controllers/application_controller/error_handling_spec.rb
@ -0,0 +1,48 @@
+RSpec.describe ApplicationController::ErrorHandling, type: :controller do
+  controller(ActionController::Base) do
+    include ApplicationController::ErrorHandling
+
+    def invalid_authenticity_token
+      raise ActionController::InvalidAuthenticityToken
+    end
+  end
+
+  before do
+    routes.draw { post 'invalid_authenticity_token' => 'anonymous#invalid_authenticity_token' }
+  end
+
+  describe 'handling ActionController::InvalidAuthenticityToken' do
+    let(:request_cookies) do
+      { 'some_cookie': true }
+    end
+
+    before { cookies.update(request_cookies) }
+
+    it 'logs the error' do
+      allow(Sentry).to receive(:capture_message)
+      post :invalid_authenticity_token rescue nil
+      expect(Sentry).to have_received(:capture_message)
+    end
+
+    it 'forwards the error upwards' do
+      expect { post :invalid_authenticity_token }.to raise_error(ActionController::InvalidAuthenticityToken)
+    end
+
+    context 'when Safari retries a POST request without cookies' do
+      let(:request_cookies) do
+        {}
+      end
+
+      it 'returns a message' do
+        post :invalid_authenticity_token
+
+        expect(response).to have_http_status(403)
+        expect(response.body).to include('cookies')
+      end
+
+      it 'renders the standard exception page' do
+        expect { post :invalid_authenticity_token }.not_to raise_error
+      end
+    end
+  end
+end
--- a/spec/models/procedure_spec.rb
+++ b/spec/models/procedure_spec.rb
@ -1026,7 +1026,7 @@ describe Procedure do
    end

    it 'estimates average dossier weight' do
-      expect(procedure.reload.average_dossier_weight).to eq 5
+      expect(procedure.reload.average_dossier_weight).to eq(5 + Procedure::MIN_WEIGHT)
    end
  end