Closed compwron closed 3 years ago
This is an investigation. I have not taken the issue. I am not a Devise expert.
It would be helpful to have seen the logging before this crash to see if there were clues.
From the User model, the timeoutable module has been set but the rememberable module has not been set:
```ruby
# app/models/user.rb
class User < ApplicationRecord
  ...
  # Only the timeoutable module is included; :rememberable is absent
  devise :database_authenticatable, :invitable, :recoverable, :validatable, :timeoutable
  ...
end
```
We can see the same in the Devise initializer, where the remember_me configuration is commented out and timeoutable has been configured:
```ruby
# config/initializers/devise.rb
# (no rememberable configuration set)
# ==> Configuration for :rememberable
# The time the user will be remembered without asking for credentials again.
# config.remember_for = 2.weeks
# Invalidates all the remember me tokens when the user signs out.
# config.expire_all_remember_me_on_sign_out = true
# If true, extends the user's remember period when remembered via cookie.
# config.extend_remember_period = false
# Options to be passed to the created cookie. For instance, you can set
# secure: true in order to force SSL only cookies.
# config.rememberable_options = {}
...
# ==> Configuration for :timeoutable
# The time you want to timeout the user session without activity. After this
# time the user will be asked for credentials again. Default is 30 minutes.
config.timeout_in = 1.hour # <==== only timeoutable configured
```
Interestingly, in the devise_create_users and DeviseCreateAllCasaAdmins migrations the rememberable attribute is left in. Devise does make choices based on the presence of attributes, but why this is an issue if you don't actually have the rememberable module in, I don't know.
```ruby
# db/migrate/...devise_create_users.rb
class DeviseCreateUsers < ActiveRecord::Migration[6.0]
  def change
    create_table :users do |t|
      ...
      ## Rememberable
      t.datetime :remember_created_at # <=== ??? I was not expecting this
      ...
    end
  end
end
```
So, the project should have only had Timeoutable and not Rememberable?
Possible next step is to remove the remember_created_at and see if it breaks anything.
Thank you for this investigation! I think that this next step sounds good. That can be part of this issue. Do you want to make a PR for it? :)
> Possible next step is to remove the remember_created_at and see if it breaks anything.
@compwron actually this is occurring due to what we suspect is a script, since it is always from the same Russian IP address. I am almost done working on #1358, where we will be able to add the IP address to a blocklist.
Ideally a script wouldn't be able to cause exceptions in our code. I still want to fix this in addition.
@littleforest - aahh, an attack, that all makes sense now.
@compwron Sounds great, I'll PR this tomorrow.
Event in production from casa in users/sessions#create
Unhandled error: ActiveModel::UnknownAttributeError: unknown attribute 'remember_me' for User.
Location: vendor/bundle/ruby/2.7.0/gems/activemodel-6.0.3.4/lib/active_model/attribute_assignment.rb:52 - _assign_attribute
https://app.bugsnag.com/ruby-for-good/casa/errors/5f90f6ddf86dad00180b3d17?event_id=5fb121cc0062e1bc44dd0000&i=sk&m=oc
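The mechanism behind the Bugsnag error above, modelled in plain Ruby without Rails or Devise (an added example, not the casa project's code): Devise's default permitted sign-in keys include remember_me whether or not the model mixes in Rememberable, so a request carrying user[remember_me] reaches mass assignment on a model that has no such attribute and raises. The hardened sanitizer here additionally intersects the permitted keys with the setters the model actually defines; the class and method names are stand-ins, and the request body is constructed.

```ruby
# Stand-in for ActiveModel::UnknownAttributeError (constructed, not the real class).
class UnknownAttributeError < StandardError; end

# Mixins standing in for Devise's modules; only Rememberable adds remember_me.
module Timeoutable; end
module Rememberable
  attr_accessor :remember_me
end

class User
  attr_accessor :email, :password
  include Timeoutable # as in app/models/user.rb: no :rememberable

  # Minimal mass assignment mirroring ActiveModel's _assign_attribute behaviour:
  # every key must map to a setter, otherwise UnknownAttributeError is raised.
  def initialize(attrs = {})
    attrs.each do |key, value|
      setter = "#{key}="
      raise UnknownAttributeError, "unknown attribute '#{key}' for User" unless respond_to?(setter)
      public_send(setter, value)
    end
  end
end

# Devise's default permitted sign-in keys: the authentication key plus password and remember_me.
DEFAULT_SIGN_IN_KEYS = [:email, :password, :remember_me].freeze

# Default behaviour: keep every permitted key the request supplied.
def sign_in_params_default(params)
  params.select { |k, _| DEFAULT_SIGN_IN_KEYS.include?(k) }
end

# Hardened: also drop keys the model cannot assign, so a stray user[remember_me]
# from a probing script never reaches mass assignment.
def sign_in_params_hardened(params, model = User)
  sign_in_params_default(params).select { |k, _| model.method_defined?("#{k}=") }
end

# Constructed request body: a failed login attempt that also sets remember_me.
PROBE_PARAMS = { email: "x@example.com", password: "wrong", remember_me: "1", admin: "1" }.freeze

# Builds the resource the way the sessions controller's recalled `new` action would;
# returns :ok or the exception message so both outcomes can be compared.
def build_user(params, sanitizer)
  User.new(send(sanitizer, params))
  :ok
rescue UnknownAttributeError => e
  e.message
end
```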