Merge branch 'dm-api-csrf-token-verification' into 'master'

Add log messages to clarify log messages about API CSRF token verification failure Closes #35705 See merge request !13158

Merge branch 'dm-api-csrf-token-verification' into 'master'
Add log messages to clarify log messages about API CSRF token verification failure Closes #35705 See merge request !13158
bd2b68d7 · Sean McGivern · 48c51e20 · d020eabf · bd2b68d7
Commit bd2b68d7 authored Jul 28, 2017 by Sean McGivern
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 0 deletions

lib/gitlab/request_forgery_protection.rb lib/gitlab/request_forgery_protection.rb +8 -0

No files found.
--- a/lib/gitlab/request_forgery_protection.rb
+++ b/lib/gitlab/request_forgery_protection.rb
@@ -7,6 +7,14 @@ module Gitlab
    class Controller < ActionController::Base
      protect_from_forgery with: :exception
+      rescue_from ActionController::InvalidAuthenticityToken do |e|
+        logger.warn "This CSRF token verification failure is handled internally by `GitLab::RequestForgeryProtection`"
+        logger.warn "Unlike the logs may suggest, this does not result in an actual 422 response to the user"
+        logger.warn "For API requests, the only effect is that `current_user` will be `nil` for the duration of the request"
+        raise e
+      end
      def index
        head :ok
      end