-
Notifications
You must be signed in to change notification settings - Fork 5.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Gracefully handle invalid authenticity token #3442
Comments
The current override may not make much sense. The purpose of null session is to continue serving requests, if you are going to redirect, you may as well not use null session? Other than that, it looks fine. That's exactly the problem with null session, there will be code that assumes a session exists, and it will definitely break. On Devise and on your application. |
@josevalim thank you for your response and sorry for coming back to this, but let's document a best practice or a recommendation on this. The question would be: What's the recommendation for handling invalid authenticity tokens? My understanding is that there could be two flows:
I believe that code may assume a session exists, if measures are taken in order to ensure that a session actually exists. Since Devise already overrides In that case we are not limiting user choices since:
In that way, we could DRY this up and offer a general solution on this. I would be happy to write a PR for this, but I would face the following problems:
In my mind it would be easier if we could control the execution order in the What's your thoughts? |
In a vanilla Rails 4.1.9 installation with Devise 3.4.1 when
protect_from_forgery with: :null_session
is defined inApplicationController
in case of CSRF mismatch the following exception occurs:To replicate just head over to
/users/edit
form as a signed-in user and before submitting the form alter itsauthenticity_token
value.Probably this happens due to the execution order of the action filters, i.e.
:authenticate_scope!
is performed before:verify_authenticity_token
.My current solution was to override
handle_unverified_request
as follows:What is your opinion? Am I missing something?
The text was updated successfully, but these errors were encountered: