anusharanganathan / data2paper

Rails helper application to submit data papers from repositories to publishers

Invalid authenticity error when updating a data paper #40

Open anusharanganathan opened 6 years ago

anusharanganathan commented 6 years ago

I see this error in Chrome and Opera, not in Firefox. This error appears with all POSTs, except when logging in using ORCID.

To reproduce, login using admin login.

ActionController::InvalidAuthenticityToken in Hyrax::DataPapersController#update

Stack trace

actionpack (5.1.4) lib/action_controller/metal/request_forgery_protection.rb:195:in `handle_unverified_request'
actionpack (5.1.4) lib/action_controller/metal/request_forgery_protection.rb:227:in `handle_unverified_request'
devise (4.3.0) lib/devise/controllers/helpers.rb:253:in `handle_unverified_request'
actionpack (5.1.4) lib/action_controller/metal/request_forgery_protection.rb:222:in `verify_authenticity_token'
activesupport (5.1.4) lib/active_support/callbacks.rb:413:in `block in make_lambda'
activesupport (5.1.4) lib/active_support/callbacks.rb:197:in `block (2 levels) in halting'
actionpack (5.1.4) lib/abstract_controller/callbacks.rb:12:in `block (2 levels) in <module:Callbacks>'
activesupport (5.1.4) lib/active_support/callbacks.rb:198:in `block in halting'
activesupport (5.1.4) lib/active_support/callbacks.rb:507:in `block in invoke_before'
activesupport (5.1.4) lib/active_support/callbacks.rb:507:in `each'
activesupport (5.1.4) lib/active_support/callbacks.rb:507:in `invoke_before'
activesupport (5.1.4) lib/active_support/callbacks.rb:130:in `run_callbacks'
actionpack (5.1.4) lib/abstract_controller/callbacks.rb:19:in `process_action'
actionpack (5.1.4) lib/action_controller/metal/rescue.rb:20:in `process_action'
actionpack (5.1.4) lib/action_controller/metal/instrumentation.rb:32:in `block in process_action'
activesupport (5.1.4) lib/active_support/notifications.rb:166:in `block in instrument'
activesupport (5.1.4) lib/active_support/notifications/instrumenter.rb:21:in `instrument'
activesupport (5.1.4) lib/active_support/notifications.rb:166:in `instrument'
actionpack (5.1.4) lib/action_controller/metal/instrumentation.rb:30:in `process_action'
actionpack (5.1.4) lib/action_controller/metal/params_wrapper.rb:252:in `process_action'
activerecord (5.1.4) lib/active_record/railties/controller_runtime.rb:22:in `process_action'
actionpack (5.1.4) lib/abstract_controller/base.rb:124:in `process'
actionview (5.1.4) lib/action_view/rendering.rb:30:in `process'
actionpack (5.1.4) lib/action_controller/metal.rb:189:in `dispatch'
actionpack (5.1.4) lib/action_controller/metal.rb:253:in `dispatch'
actionpack (5.1.4) lib/action_dispatch/routing/route_set.rb:49:in `dispatch'
actionpack (5.1.4) lib/action_dispatch/routing/route_set.rb:31:in `serve'
actionpack (5.1.4) lib/action_dispatch/journey/router.rb:50:in `block in serve'
actionpack (5.1.4) lib/action_dispatch/journey/router.rb:33:in `each'
actionpack (5.1.4) lib/action_dispatch/journey/router.rb:33:in `serve'
actionpack (5.1.4) lib/action_dispatch/routing/route_set.rb:834:in `call'
omniauth (1.8.1) lib/omniauth/strategy.rb:190:in `call!'
omniauth (1.8.1) lib/omniauth/strategy.rb:168:in `call'
warden (1.2.7) lib/warden/manager.rb:36:in `block in call'
warden (1.2.7) lib/warden/manager.rb:35:in `catch'
warden (1.2.7) lib/warden/manager.rb:35:in `call'
rack (2.0.3) lib/rack/etag.rb:25:in `call'
rack (2.0.3) lib/rack/conditional_get.rb:38:in `call'
rack (2.0.3) lib/rack/head.rb:12:in `call'
rack (2.0.3) lib/rack/session/abstract/id.rb:232:in `context'
rack (2.0.3) lib/rack/session/abstract/id.rb:226:in `call'
actionpack (5.1.4) lib/action_dispatch/middleware/cookies.rb:613:in `call'
active-fedora (11.5.0) lib/active_fedora/ldp_cache.rb:26:in `call'
flipflop (2.3.1) lib/flipflop/feature_cache.rb:12:in `call'
activerecord (5.1.4) lib/active_record/migration.rb:556:in `call'
actionpack (5.1.4) lib/action_dispatch/middleware/callbacks.rb:26:in `block in call'
activesupport (5.1.4) lib/active_support/callbacks.rb:97:in `run_callbacks'
actionpack (5.1.4) lib/action_dispatch/middleware/callbacks.rb:24:in `call'
actionpack (5.1.4) lib/action_dispatch/middleware/executor.rb:12:in `call'
actionpack (5.1.4) lib/action_dispatch/middleware/debug_exceptions.rb:59:in `call'
web-console (3.5.1) lib/web_console/middleware.rb:135:in `call_app'
web-console (3.5.1) lib/web_console/middleware.rb:20:in `block in call'
web-console (3.5.1) lib/web_console/middleware.rb:18:in `catch'
web-console (3.5.1) lib/web_console/middleware.rb:18:in `call'
actionpack (5.1.4) lib/action_dispatch/middleware/show_exceptions.rb:31:in `call'
railties (5.1.4) lib/rails/rack/logger.rb:36:in `call_app'
railties (5.1.4) lib/rails/rack/logger.rb:24:in `block in call'
activesupport (5.1.4) lib/active_support/tagged_logging.rb:69:in `block in tagged'
activesupport (5.1.4) lib/active_support/tagged_logging.rb:26:in `tagged'
activesupport (5.1.4) lib/active_support/tagged_logging.rb:69:in `tagged'
railties (5.1.4) lib/rails/rack/logger.rb:24:in `call'
sprockets-rails (3.2.1) lib/sprockets/rails/quiet_assets.rb:13:in `call'
actionpack (5.1.4) lib/action_dispatch/middleware/remote_ip.rb:79:in `call'
actionpack (5.1.4) lib/action_dispatch/middleware/request_id.rb:25:in `call'
rack (2.0.3) lib/rack/method_override.rb:22:in `call'
rack (2.0.3) lib/rack/runtime.rb:22:in `call'
activesupport (5.1.4) lib/active_support/cache/strategy/local_cache_middleware.rb:27:in `call'
actionpack (5.1.4) lib/action_dispatch/middleware/executor.rb:12:in `call'
actionpack (5.1.4) lib/action_dispatch/middleware/static.rb:125:in `call'
rack (2.0.3) lib/rack/sendfile.rb:111:in `call'
railties (5.1.4) lib/rails/engine.rb:522:in `call'
rack (2.0.3) lib/rack/handler/webrick.rb:86:in `service'
/home/data2paper/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/webrick/httpserver.rb:140:in `service'
/home/data2paper/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/webrick/httpserver.rb:96:in `run'
/home/data2paper/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/webrick/server.rb:290:in `block in start_thread'

anusharanganathan commented 6 years ago

Looks like this is a known error in Devise https://github.com/plataformatec/devise/issues/2432 with Rails 4, though I am using Rails 5.

Removing protect_from_forgery with: :exception from the application controller fixes this issue. Is that the right thing to do?

martyn-w commented 6 years ago

Hmmm.. I don't see this error in the dockerised version which makes me think it is possibly a hosting/serving issue?

I wouldn't recommend removing the protect_from_forgery option without good reason, as it helps prevent 3rd party hacks.

Maybe we could do a side-by-side comparison of update request to pinpoint where the issue is?

anusharanganathan commented 6 years ago

Switch off JWT and test if the error is seen. An alternative, simpler implementation would be https://github.com/anusharanganathan/data2paper/issues/68

danielricecodes commented 6 years ago

TO ANYONE ARRIVING HERE, DO NOT REMOVE protect_from_forgery - this is an essential Rails security mechanism that prevents Cross Site Scripting attacks. Sometimes this error happens. You can't completely eliminate it, in fact you shouldn't! Please see this Stack Overflow thread for some strategies on how to more gracefully handle the exception.

Before you do anything that could impact your application's security, please learn more about protect_from_forgery and why it's important. Don't simply remove it because you're getting an error every now and then.
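To make concrete what the check behind ActionController::InvalidAuthenticityToken actually does, here is an added, self-contained re-implementation of the masked CSRF-token scheme used by Rails 5.1's ActionController::RequestForgeryProtection. It is example code written for this thread, not code from the data2paper project or from Rails itself. It assumes a plain Ruby Hash standing in for the Rails session store, and it leaves out per-form tokens, the Origin-header check and the GET/HEAD-only exemption details beyond the basic method test; the helper names (verify_request!, masked_authenticity_token, valid_authenticity_token?) are chosen here to mirror the Rails ones but are this example's own.

```ruby
# Added example (not data2paper or Rails code): a minimal re-implementation
# of Rails 5.1's masked CSRF-token generation and verification, so the check
# that raises ActionController::InvalidAuthenticityToken can be run and
# studied without a Rails app. `session` is a plain Hash standing in for the
# Rails session store (an assumption of this example).
require 'securerandom'
require 'base64'

TOKEN_LENGTH = 32

class InvalidAuthenticityToken < StandardError; end

# The real token lives in the session and is created lazily. A browser that
# does not send the session cookie back therefore arrives with a fresh,
# different token and can never match a form rendered for the old session.
def real_csrf_token(session)
  session[:_csrf_token] ||= SecureRandom.base64(TOKEN_LENGTH)
  Base64.strict_decode64(session[:_csrf_token])
end

def xor_byte_strings(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

# Constant-time comparison so the verifier does not leak how many leading
# bytes of a guessed token were correct.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  res = 0
  a.bytes.zip(b.bytes) { |x, y| res |= x ^ y }
  res.zero?
end

# What the form_authenticity_token helper embeds in each form: a fresh
# one-time pad followed by the real token XORed with that pad. Every render
# yields a different string (a BREACH mitigation) that unmasks to the same
# session value.
def masked_authenticity_token(session)
  pad = SecureRandom.random_bytes(TOKEN_LENGTH)
  encrypted = xor_byte_strings(pad, real_csrf_token(session))
  Base64.strict_encode64(pad + encrypted)
end

# Accepts either a masked (64-byte) or an unmasked legacy (32-byte) token;
# anything else, including garbage base64, is simply invalid.
def valid_authenticity_token?(session, encoded_token)
  return false unless encoded_token.is_a?(String) && !encoded_token.empty?
  begin
    token = Base64.strict_decode64(encoded_token)
  rescue ArgumentError
    return false
  end
  case token.bytesize
  when TOKEN_LENGTH
    secure_compare(token, real_csrf_token(session))
  when TOKEN_LENGTH * 2
    pad = token[0, TOKEN_LENGTH]
    encrypted = token[TOKEN_LENGTH, TOKEN_LENGTH]
    secure_compare(xor_byte_strings(pad, encrypted), real_csrf_token(session))
  else
    false
  end
end

# Mirrors verify_authenticity_token: GET/HEAD are exempt; every other method
# must carry a valid token in the `authenticity_token` param or the
# X-CSRF-Token header, otherwise the request is refused. This raise is the
# `protect_from_forgery with: :exception` behaviour seen in the trace above.
def verify_request!(session, method:, params: {}, headers: {})
  return :skipped if %w[GET HEAD].include?(method.upcase)
  candidates = [params['authenticity_token'], headers['X-CSRF-Token']]
  return :verified if candidates.any? { |t| valid_authenticity_token?(session, t) }
  raise InvalidAuthenticityToken, 'request forgery protection failed'
end

if __FILE__ == $PROGRAM_NAME
  # Constructed walk-through: the user's session renders an edit form, the
  # browser submits it back, then an attacker's page tries the same PATCH.
  session = {}
  form_token = masked_authenticity_token(session)
  p verify_request!(session, method: 'PATCH', params: { 'authenticity_token' => form_token })
  attacker_session = {}
  forged = masked_authenticity_token(attacker_session)
  begin
    verify_request!(session, method: 'PATCH', params: { 'authenticity_token' => forged })
  rescue InvalidAuthenticityToken => e
    puts "rejected: #{e.message}"
  end
end
```

The walk-through shows why the exception is a feature: a token minted for any other session, a missing token, or a valid token presented against a session that no longer holds the original _csrf_token all fail in exactly the same way, which is what keeps a third-party page from submitting an update on the logged-in user's behalf. The practical alternative to removing protect_from_forgery in a Rails app is to keep `with: :exception` and add a rescue_from ActionController::InvalidAuthenticityToken handler in ApplicationController that logs the failure and renders a friendly "your session expired, please resubmit" response.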