thewca / worldcubeassociation.org

All of the code that runs on worldcubeassociation.org
https://www.worldcubeassociation.org/
GNU General Public License v3.0

"The change you wanted was rejected" when signing in #3754

Closed jfly closed 3 years ago

jfly commented 5 years ago

We include a CSRF token on the sign-in form, and sometimes, people's browsers won't send along the CSRF token when they sign in, so the backend raises an ActionController::InvalidAuthenticityToken error, which gets rendered to the user as "The change you wanted was rejected":

A snippet of this happening in the rails logs:

I, [2016-12-07T17:45:10.930354 #13577]  INFO -- : Started POST "/users/sign_in" for 151.224.77.144 at 2016-12-07 17:45:10 +0000
I, [2016-12-07T17:45:10.931636 #13577]  INFO -- : Processing by Devise::SessionsController#create as HTML
I, [2016-12-07T17:45:10.931694 #13577]  INFO -- :   Parameters: {"utf8"=>"✓", "authenticity_token"=>"[FILTERED]", "user"=>{"login"=>"XYZ@example.com", "password"=>"[FILTERED]", "remember_me"=>"0"}, "commit"=>"Sign in"}
W, [2016-12-07T17:45:10.932277 #13577]  WARN -- : Can't verify CSRF token authenticity
I, [2016-12-07T17:45:10.932588 #13577]  INFO -- : Completed 422 Unprocessable Entity in 1ms (ActiveRecord: 0.0ms)
I, [2016-12-07T17:45:10.932792 #13577]  INFO -- : [User Id] Request was made by user id: <not logged in>
F, [2016-12-07T17:45:10.934127 #13577] FATAL -- :
ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken):
  lib/middlewares/warden_user_logger.rb:12:in `call'
  lib/middlewares/fix_accept_header.rb:13:in `call'

I am able to reproduce this error by running the following JavaScript before logging in:

document.querySelector("input[name=authenticity_token]").value = "bogus"

After many weeks, this user reset his cookies, and the problem went away.

In an email thread titled: "Competitor unable to login" on Dec 27, 2016.

Akash says: "I asked him. He says he checked in cookies now and there was some entry for wca there which he deleted. He is able to login now. Thanks for your help. I'm not fully sure what happened there but I hope you do. Let me know if there is any further communication required to avoid this in the future."

Jeremy says: "Strange. The next time someone runs into this, we will try asking them to clear their cookies."

I think that every time we've seen this issue, it has been on a mobile device, but it has been on both iOS and Android, and Chrome and Safari.
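
The check that fails in the log above, as an added example modeled on Rails' masked authenticity token scheme (this is illustrative code written for this issue, not WCA's or Rails' own). The helper names `new_session_token`, `masked_token`, `valid_token?` and `secure_compare` are mine; the point it shows is that the submitted token is only meaningful relative to the secret in the session cookie, so a tampered value (the "bogus" reproduction) or a stale cookie both end in "Can't verify CSRF token authenticity".

```ruby
require "securerandom"
require "base64"

# Toy model of Rails' CSRF protection, written for this issue as an
# illustration (not WCA's code). The session cookie holds a 32-byte
# secret; each rendered form carries a freshly masked copy of it, and
# the server unmasks the submitted value and compares it to the secret.
TOKEN_LENGTH = 32

def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack("C*")
end

# Constant-time equality so a mismatch does not leak where it occurred.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Generated when the session is created and stored in the session cookie.
def new_session_token
  SecureRandom.random_bytes(TOKEN_LENGTH)
end

# Called when the sign-in form is rendered: XOR the secret with a one-time
# pad so every form gets a different value (Rails does this as a BREACH mitigation).
def masked_token(session_token)
  pad = SecureRandom.random_bytes(TOKEN_LENGTH)
  Base64.strict_encode64(pad + xor_bytes(pad, session_token))
end

# Called on POST /users/sign_in. True only if the submitted value unmasks to
# the secret in the *current* session cookie. A bogus value, a token issued
# under an older session cookie, or no cookie at all every fail here, which
# Rails surfaces as InvalidAuthenticityToken and a 422 response.
def valid_token?(session_token, submitted)
  return false if session_token.nil? || submitted.nil?
  decoded = Base64.strict_decode64(submitted)
  return false unless decoded.bytesize == 2 * TOKEN_LENGTH
  pad = decoded[0, TOKEN_LENGTH]
  masked = decoded[TOKEN_LENGTH, TOKEN_LENGTH]
  secure_compare(xor_bytes(pad, masked), session_token)
rescue ArgumentError
  false # the submitted value was not valid Base64 (e.g. "bogus")
end
```

The "stale cookie" case is the one that matches the report: a form rendered against one session secret is posted with a cookie holding a different one, and only clearing the cookie lets the two line up again.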

Jambrose777 commented 3 years ago

Closing this as it doesn't seem to have come up much at all in 3 years and hasn't been worked on, but we can reopen if needed.