Repository: gitlab.com/gitlab-org/gitlab-foss.git
author: Sean McGivern <sean@mcgivern.me.uk> 2017-07-28 17:39:36 +0300
committer: Sean McGivern <sean@mcgivern.me.uk> 2017-07-28 17:39:36 +0300
commit: bd2b68d73ed01c8289ccbb7d4446c9474e817481 (patch)
tree: c176a9e7570ac630b350f90e5b31fe695911ccd8
parent: 48c51e207e4cba8a69e4ca65cba1e169d384cefa (diff)
parent: d020eabf2938858830125ace467b13695eb85962 (diff)
Merge branch 'dm-api-csrf-token-verification' into 'master'

Add log messages to clarify log messages about API CSRF token verification failure

Closes #35705

See merge request !13158
lib/gitlab/request_forgery_protection.rb | 8 ++++++++
1 file changed, 8 insertions(+), 0 deletions(-)
diff --git a/lib/gitlab/request_forgery_protection.rb b/lib/gitlab/request_forgery_protection.rb
index 48dd0487790..ccfe0d6bed3 100644
--- a/lib/gitlab/request_forgery_protection.rb
+++ b/lib/gitlab/request_forgery_protection.rb
@@ -7,6 +7,14 @@ module Gitlab
class Controller < ActionController::Base
protect_from_forgery with: :exception
+ rescue_from ActionController::InvalidAuthenticityToken do |e|
+ logger.warn "This CSRF token verification failure is handled internally by `GitLab::RequestForgeryProtection`"
+ logger.warn "Unlike the logs may suggest, this does not result in an actual 422 response to the user"
+ logger.warn "For API requests, the only effect is that `current_user` will be `nil` for the duration of the request"
+
+ raise e
+ end
+
def index
head :ok
end
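Review bot: the constant named in the first log line, `GitLab::RequestForgeryProtection`, does not match the enclosing module shown in the hunk header (`module Gitlab`), so anyone who greps the code for the name printed in the log will find nothing; it should read `Gitlab::RequestForgeryProtection`. A smaller point: three separate `logger.warn` calls can be interleaved with other requests' log lines under a multi-threaded server, so a single `logger.warn` with the explanation joined into one message keeps the context together. The `raise e` at the end correctly preserves the existing behaviour for whatever rescues the exception upstream, so the only behavioural change of this hunk is the added log output.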