Merge pull request #6326 from betagouv/main

2021-07-06-02

app/controllers/application_controller.rb

@@ -2,6 +2,7 @@ class ApplicationController < ActionController::Base
   include TrustedDeviceConcern
   include Pundit
   include Devise::StoreLocationExtension
+  include ApplicationController::ErrorHandling
 
   MAINTENANCE_MESSAGE = 'Le site est actuellement en maintenance. Il sera à nouveau disponible dans un court instant.'
 

app/controllers/application_controller/error_handling.rb

@@ -0,0 +1,29 @@
+module ApplicationController::ErrorHandling
+  extend ActiveSupport::Concern
+
+  included do
+    rescue_from ActionController::InvalidAuthenticityToken do
+      if cookies.count == 0
+        # When some browsers (like Safari) re-open a previously closed tab, they attempts
+        # to reload the page – even if it is a POST request. But in that case, they don’t
+        # sends any of the cookies.
+        #
+        # Ignore this error.
+        render plain: "Les cookies doivent être activés pour utiliser #{APPLICATION_NAME}.", status: 403
+      else
+        log_invalid_authenticity_token_error
+        raise # propagate the exception up, to render the default exception page
+      end
+    end
+  end
+
+  def log_invalid_authenticity_token_error
+    Sentry.with_scope do |temp_scope|
+      tags = {
+        action: "#{self.class.name}#{action_name}"
+      }
+      temp_scope.set_tags(tags)
+      Sentry.capture_message("ActionController::InvalidAuthenticityToken")
+    end
+  end
+end

app/controllers/users/sessions_controller.rb

@@ -81,18 +81,6 @@ class Users::SessionsController < Devise::SessionsController
   private
 
   def handle_unverified_request
-    log_invalid_authenticity_token_error
     super
   end
-
-  def log_invalid_authenticity_token_error
-    Sentry.with_scope do |temp_scope|
-      tags = {
-        request_tokens: request_authenticity_tokens.compact.map { |t| t.gsub(/.....$/, '*****') }.join(', '),
-        session_token: session[:_csrf_token]&.gsub(/.....$/, '*****')
-      }
-      temp_scope.set_tags(tags)
-      Sentry.capture_message("ActionController::InvalidAuthenticityToken in Users::SessionsController")
-    end
-  end
 end

app/javascript/components/shared/hooks.js

@@ -4,7 +4,7 @@ export function useDeferredSubmit(input) {
   const calledRef = useRef(false);
   const awaitFormSubmit = useCallback(
     (callback) => {
-      const form = input.form;
+      const form = input?.form;
       if (!form) {
         return;
       }

app/models/procedure.rb

@@ -55,6 +55,7 @@ class Procedure < ApplicationRecord
   MAX_DUREE_CONSERVATION = 36
   MAX_DUREE_CONSERVATION_EXPORT = 3.hours
 
+  MIN_WEIGHT = 350000
   has_many :revisions, -> { order(:id) }, class_name: 'ProcedureRevision', inverse_of: :procedure
   belongs_to :draft_revision, class_name: 'ProcedureRevision', optional: false
   belongs_to :published_revision, class_name: 'ProcedureRevision', optional: true
@@ -684,7 +685,7 @@ class Procedure < ApplicationRecord
         .where(type: Champs::PieceJustificativeChamp.to_s, dossier: dossiers_sample)
         .sum('active_storage_blobs.byte_size')
 
-      total_size / dossiers_sample.length
+      MIN_WEIGHT + total_size / dossiers_sample.length
     else
       nil
     end

spec/controllers/application_controller/error_handling_spec.rb

@@ -0,0 +1,48 @@
+RSpec.describe ApplicationController::ErrorHandling, type: :controller do
+  controller(ActionController::Base) do
+    include ApplicationController::ErrorHandling
+
+    def invalid_authenticity_token
+      raise ActionController::InvalidAuthenticityToken
+    end
+  end
+
+  before do
+    routes.draw { post 'invalid_authenticity_token' => 'anonymous#invalid_authenticity_token' }
+  end
+
+  describe 'handling ActionController::InvalidAuthenticityToken' do
+    let(:request_cookies) do
+      { 'some_cookie': true }
+    end
+
+    before { cookies.update(request_cookies) }
+
+    it 'logs the error' do
+      allow(Sentry).to receive(:capture_message)
+      post :invalid_authenticity_token rescue nil
+      expect(Sentry).to have_received(:capture_message)
+    end
+
+    it 'forwards the error upwards' do
+      expect { post :invalid_authenticity_token }.to raise_error(ActionController::InvalidAuthenticityToken)
+    end
+
+    context 'when Safari retries a POST request without cookies' do
+      let(:request_cookies) do
+        {}
+      end
+
+      it 'returns a message' do
+        post :invalid_authenticity_token
+
+        expect(response).to have_http_status(403)
+        expect(response.body).to include('cookies')
+      end
+
+      it 'renders the standard exception page' do
+        expect { post :invalid_authenticity_token }.not_to raise_error
+      end
+    end
+  end
+end

spec/models/procedure_spec.rb

@@ -1026,7 +1026,7 @@ describe Procedure do
     end
 
     it 'estimates average dossier weight' do
-      expect(procedure.reload.average_dossier_weight).to eq 5
+      expect(procedure.reload.average_dossier_weight).to eq(5 + Procedure::MIN_WEIGHT)
     end
   end