Redirect to referer during most CSRF errors #1866
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
monfresh
requested review from
jmhooper,
tbaxter-18f,
RyanSibley and
nickbristow
|
Using the table in the CSRF documentation I wrote, I verified this works as expected for all LOA1 screens. |
tbaxter-18f
approved these changes
Dec 12, 2017
jmhooper
approved these changes
Dec 12, 2017
monfresh
force-pushed
the
mb-preserve-request-id-after-csrf-error
branch
from
535d066 to
d399e7f
Compare
**Why**: Signing the user out and redirecting them to the sign in page is not helpful when they encounter a CSRF error. For example, if they get a CSRF error while creating their password for the first time during account creation, they might not know what they should do to get back to the password creation screen. Instead, we should try to redirect back to where they were so they can try again. One exception is on the personal key screen. Due to the way the feature works, we can't take the user back to the personal key screen without modifying the session and regenerating a new key for them. We don't want to make any state changes as a result of a CSRF error for security reasons. Instead, we sign them out and redirect to the sign in screen. `Users::SessionsController` also has its own way of rescuing the CSRF error because the only way I could get the flash message to appear was to call `sign_out`, and we don't want to call `sign_out` in `ApplicationController`. Also, in order to preserve the `request_id` (so that users can go back to the SP), we need to use `redirect_back`, whereas in the Personal Keys controllers, we don't want to redirect back. This PR also enables the Devise `unauthenticated` error message in the scenario where a user tries to access a page that requires authentication while the user is signed out. We capture that flash message in analytics in order to see whether most people are getting CSRF errors while signed in or if they try to submit a form after their session has timed out or somehow got dropped by the browser.
monfresh
force-pushed
the
mb-preserve-request-id-after-csrf-error
branch
from
d399e7f to
0546d55
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Why: Signing the user out and redirecting them to the sign in
page is not helpful when they encounter a CSRF error. For example,
if they get a CSRF error while creating their password for the first
time during account creation, they might not know what they should
do to get back to the password creation screen.
Instead, we should try to redirect back to where they were so they can
try again. One exception is on the personal key screen. Due to the way
the feature works, we can't take the user back to the personal key
screen without modifying the session and regenerating a new key for
them. We don't want to make any state changes as a result of a CSRF
error for security reasons. Instead, we sign them out and redirect
to the sign in screen.
Users::SessionsControlleralso has its own way of rescuing theCSRF error because the only way I could get the flash message to
appear was to call
sign_out, and we don't want to callsign_outin
ApplicationController. Also, in order to preserve therequest_id(so that users can go back to the SP), we need to use
redirect_back,whereas in the Personal Keys controllers, we don't want to redirect
back.
Hi! Before submitting your PR for review, and/or before merging it, please
go through the following checklist:
For DB changes, check for missing indexes, check to see if the changes
affect other apps (such as the dashboard), make sure the DB columns in the
various environments are properly populated, coordinate with devops, plan
migrations in separate steps.
For route changes, make sure GET requests don't change state or result in
destructive behavior. GET requests should only result in information being
read, not written.
For encryption changes, make sure it is compatible with data that was
encrypted with the old code.
Do not disable Rubocop or Reek offenses unless you are absolutely sure
they are false positives. If you're not sure how to fix the offense, please
ask a teammate.
When reading data, write tests for nil values, empty strings,
and invalid formats.
When calling
redirect_toin a controller, use_url, not_path.When adding user data to the session, use the
user_sessionhelperinstead of the
sessionhelper so the data does not persist beyond the user'ssession.