Commit 027c3264 authored by Stan Hu

Guard against a login attempt with invalid CSRF token

If a user logs in with a bad CSRF token, the Warden before_logout
hook will be called with no valid user. This would lead to odd
Error 500 messages with a backtrace.

Addresses part of #50857
parent 4586d77c
---
title: Guard against a login attempt with invalid CSRF token
merge_request: 21934
author:
type: fixed
...@@ -31,6 +31,11 @@ Rails.application.configure do |config| ...@@ -31,6 +31,11 @@ Rails.application.configure do |config|
Warden::Manager.before_logout(scope: :user) do |user, auth, opts| Warden::Manager.before_logout(scope: :user) do |user, auth, opts|
user ||= auth.user user ||= auth.user
# Rails CSRF protection may attempt to log out a user before that
# user even logs in
next unless user
activity = Gitlab::Auth::Activity.new(opts) activity = Gitlab::Auth::Activity.new(opts)
tracker = Gitlab::Auth::BlockedUserTracker.new(user, auth) tracker = Gitlab::Auth::BlockedUserTracker.new(user, auth)
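Review bot: The new `next unless user` guard drops straight out of the hook with no trace, so a login attempt rejected by CSRF protection that reaches `before_logout` with no user is now invisible to the blocked-user tracking and activity accounting that follow it; consider emitting a log line (or counting the event) before the `next` so these failed attempts stay observable instead of turning a noisy 500 into a silent no-op. Also confirm that `auth.user` cannot itself raise in this no-session path, since the guard sits after `user ||= auth.user` rather than around it.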