Debug CSRF issues temporarily

2021-03-10 13:50:35 +01:00
parent 293f7f6df7
commit a174d75a47
4 changed files with 16 additions and 1 deletions
--- a/app/assets/javascripts/editor/ajax.js
+++ b/app/assets/javascripts/editor/ajax.js
@ -12,6 +12,11 @@ CodeOceanEditorAJAX = {
    $.flash.danger({
      text: message.length > 0 ? message : $('#flash').data('message-failure')
    });
+    Sentry.setContext("error",{
+        cookie: document.cookie,
+        response: response.responseText,
+        csrf: $('meta[name="csrf-token"]').attr("content")
+    });
    Sentry.captureException(JSON.stringify(response));
  }
 };
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@ -10,6 +10,7 @@ class ApplicationController < ActionController::Base
  before_action :set_sentry_context, :set_locale, :allow_iframe_requests, :load_embed_options
  protect_from_forgery(with: :exception, prepend: true)
  rescue_from Pundit::NotAuthorizedError, with: :render_not_authorized
+  rescue_from ActionController::InvalidAuthenticityToken, with: :render_csrf_error

  def current_user
    ::NewRelic::Agent.add_custom_attributes(external_user_id: session[:external_user_id], session_user_id: session[:user_id])
@ -32,6 +33,11 @@ class ApplicationController < ActionController::Base
  end
  private :set_sentry_context

+  def render_csrf_error
+    render json: {error: 'CSRF validation failed!!', status: :unprocessable_entity, request_cookies: cookies, session_csrf: session['_csrf_token'], request_csrf: request_authenticity_tokens }, status: :unprocessable_entity
+  end
+  private :render_csrf_error
+
  def render_not_authorized
    respond_to do |format|
      format.html do
--- a/app/views/layouts/application.html.slim
+++ b/app/views/layouts/application.html.slim
@ -27,6 +27,10 @@ html lang="#{I18n.locale || I18n.default_locale}"
        |      release: "#{Sentry.configuration.release}",
        |      environment: "#{Sentry.configuration.environment}",
        |  });
+        | Sentry.setContext("initial",{
+        |      cookie: document.cookie,
+        |      csrf: $('meta[name="csrf-token"]').attr("content")
+        |  });
        - if @current_user
          | Sentry.configureScope(function(scope) {
          |   scope.setUser({
--- a/config/initializers/session_store.rb
+++ b/config/initializers/session_store.rb
@ -1,3 +1,3 @@
 # Be sure to restart your server when you modify this file.

-Rails.application.config.session_store :cookie_store, key: '_code_ocean_session'
+Rails.application.config.session_store :cookie_store, key: '_code_ocean_session', httponly: false