Merge pull request #10098 from colinux/dont-report-every-invalid-auth-token

Tech: ne remonte plus que 10% des InvalidAuthenticityToken errors

app/controllers/application_controller/error_handling.rb

@@ -5,10 +5,12 @@ module ApplicationController::ErrorHandling
     rescue_from ActionController::InvalidAuthenticityToken do
       # When some browsers (like Safari) re-open a previously closed tab, they attempts
       # to reload the page – even if it is a POST request. But in that case, they don’t
-      # sends any of the cookies.
+      # sends any of the cookies and we don’t report this error.
       #
-      # In that case, don’t report this error.
+      # There are dozens of these "errors" every day,
-      if request.cookies.count > 0
+      # we only log them to detect massive attacks or global errors
+      # without having thousands reports.
+      if request.cookies.any? && rand(10) == 0
         log_invalid_authenticity_token_error
       end
 

spec/controllers/application_controller/error_handling_spec.rb

@@ -16,7 +16,10 @@ RSpec.describe ApplicationController::ErrorHandling, type: :controller do
       { 'some_cookie': true }
     end
 
-    before { cookies.update(request_cookies) }
+    before do
+      cookies.update(request_cookies)
+      allow(controller).to receive(:rand).and_return(0)
+    end
 
     it 'logs the error' do
       allow(Sentry).to receive(:capture_message)