
Properly handle CSRF token fails via Ajax

Open svbergerem opened this issue 9 years ago • 1 comment

I tried this with likes and notifications.

Steps to reproduce:

  1. Sign in
  2. Open diaspora in a second tab
  3. Log out in the new tab and sign in again
  4. In the first tab:
     a) Like: like a post
     b) Unlike: unlike a post
     c) Notifications: open the notification dropdown and mark a notification as read/unread

Expected result: You are redirected to the sign in page

Actual result: No visual changes for the user. But they receive an email telling them that they have been signed out.

Internally like, unlike and notifications don't fail in the same way.

For likes we make a POST request (via Ajax) and receive a 200 response containing the sign-in page.

For unlike/notifications we make a DELETE/PUT request which is redirected to the sign-in page. Then we receive a 404 response: ActionController::RoutingError (No route matches [DELETE] "/users/sign_in")

svbergerem avatar Feb 17 '17 19:02 svbergerem
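The two failure shapes described in the report (a 200 whose body is the sign-in page, and a DELETE/PUT that follows the redirect to `/users/sign_in` and ends in a 404) can be recognised on the client and turned into a redirect to the sign-in page instead of a silent no-op. The following is an added example, not diaspora's code; `classifyAjaxResponse`, `handleAjaxResponse`, the fetch-like response shape and the sample responses are assumptions constructed for illustration.

```javascript
// Added example (not diaspora's code): classify an Ajax response that arrived
// after the session was invalidated in another tab, per the issue above.
// Assumed names: SIGN_IN_PATH, classifyAjaxResponse, handleAjaxResponse.
const SIGN_IN_PATH = "/users/sign_in";

// `res` is a minimal fetch-like shape constructed for this example:
// { status, url (final URL after redirects), headers: {"content-type"}, body }.
function classifyAjaxResponse(res, expectedType = "application/json") {
  const contentType = (res.headers["content-type"] || "").toLowerCase();
  const finalPath = new URL(res.url, "https://pod.example").pathname;

  // Case 1 (likes): 200 OK, but the body is the sign-in form, not JSON.
  if (res.status === 200 && !contentType.startsWith(expectedType)
      && /<form[^>]+action="\/users\/sign_in"/i.test(res.body)) {
    return "session_expired_html";
  }
  // Case 2 (unlike/notifications): the DELETE/PUT followed the redirect to
  // /users/sign_in, which has no DELETE/PUT route, hence the 404.
  if (finalPath === SIGN_IN_PATH && res.status === 404) {
    return "session_expired_redirect";
  }
  if (res.status === 401 || res.status === 403) return "unauthorized";
  return res.status >= 200 && res.status < 300 ? "ok" : "error";
}

// Returns where the UI should navigate, or null to keep handling normally.
function handleAjaxResponse(res) {
  const kind = classifyAjaxResponse(res);
  if (kind.startsWith("session_expired") || kind === "unauthorized") {
    // Redirect instead of rendering the raw sign-in HTML in a flash message.
    return SIGN_IN_PATH;
  }
  return null;
}

// Constructed sample responses modelled on the two failure modes in the issue.
const likeResponse = {
  status: 200, url: "https://pod.example/posts/1/likes",
  headers: { "content-type": "text/html; charset=utf-8" },
  body: '<html><form action="/users/sign_in" method="post">...</form></html>',
};
const unlikeResponse = {
  status: 404, url: "https://pod.example/users/sign_in",
  headers: { "content-type": "text/html" }, body: "<h1>Routing Error</h1>",
};
const okResponse = {
  status: 200, url: "https://pod.example/posts/1/likes",
  headers: { "content-type": "application/json" }, body: '{"id":1}',
};
```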

This actually has an impact on the user: the flash error message renders the raw HTML of the login page... See my investigation here: https://github.com/diaspora/diaspora/issues/7961#issuecomment-954209688

Flaburgan avatar Oct 28 '21 22:10 Flaburgan