Rack-protection tends to write misleading warnings to the application log if a custom reaction is specified.
If I set `:reaction => :report`, it still writes "attack prevented by Rack::Protection::RemoteToken", though the attack is not prevented; it is passed to the application with the `options[:report_key]` flag.
Moreover, if I set `:reaction => :special`, rack-protection calls my special helper but still says that the attack was prevented.
I suggest warning "prevented" when the reaction reaches `#deny`, warning "reported" if the reaction was `#report`, and doing nothing if a custom method is used as the reaction.
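A minimal model of the logging behaviour the report asks for, as an added example that is not rack-protection's own code. The class `SketchProtection`, its token check, the env keys and the `run_reaction` helper are hypothetical; the point is that each reaction writes its own log line, so the log matches what actually happened to the request.

```ruby
# Hypothetical stand-in for a protection middleware; not rack-protection's code.
class SketchProtection
  def initialize(app, log:, reaction: :deny, report_key: 'protection.failed')
    @app, @log, @reaction, @report_key = app, log, reaction, report_key
  end

  def call(env)
    return @app.call(env) if accepts?(env)
    result = send(@reaction, env)
    # Only a full Rack triplet short-circuits; anything else reaches the app.
    result.is_a?(Array) && result.size == 3 ? result : @app.call(env)
  end

  # Constructed check: the request is accepted when the two tokens match.
  def accepts?(env)
    !env['token.sent'].nil? && env['token.sent'] == env['token.session']
  end

  # The request is stopped here, so "prevented" is accurate.
  def deny(_env)
    @log << "attack prevented by #{self.class}"
    [403, { 'content-type' => 'text/plain' }, ['Forbidden']]
  end

  # The request continues with a flag set, so the log says "reported".
  def report(env)
    @log << "attack reported by #{self.class}"
    env[@report_key] = true
  end

  # Custom reaction (the issue's "special" helper): logging is left to it.
  def special(env)
    env['special.called'] = true
    nil
  end
end

# Runs one request with mismatched tokens (constructed input) through the sketch.
def run_reaction(reaction, env_overrides = {})
  log = []
  app = ->(env) { [200, {}, [env['protection.failed'] ? 'flagged' : 'ok']] }
  env = { 'token.sent' => 'a', 'token.session' => 'b' }.merge(env_overrides)
  status, _headers, body = SketchProtection.new(app, log: log, reaction: reaction).call(env)
  { status: status, body: body.first, log: log }
end
```

For anyone reading such logs during triage, the distinction matters: a "prevented" line should mean the request never reached the application, while a "reported" line means the application still handled it and must check the flag itself.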