Merge pull request #4993 from Benjamin-Couey/3845-friendly-message-on-invalid-token

cielf · web-flow · commit 08b217580ecf · 2025-02-15T19:56:51.000-05:00
3845 friendly message on invalid token
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
@@ -14,6 +14,11 @@ class ApplicationController < ActionController::Base
 
   rescue_from ActiveRecord::RecordNotFound, with: :not_found!
 
+  rescue_from ActionController::InvalidAuthenticityToken do
+    flash[:error] = "Your session expired. This could be due to leaving a page open for a long time, or having multiple tabs open. Try resubmitting."
+    redirect_back fallback_location: root_path
+  end
+
   def current_organization
     return @current_organization if @current_organization
     return nil unless current_role
diff --git a/spec/system/authorization_system_spec.rb b/spec/system/authorization_system_spec.rb
@@ -16,4 +16,46 @@
 
     expect(current_path).to eql "/dashboard"
   end
+
+  context "Submitting a form with an invalid CSRF token" do
+    before(:all) do
+      ActionController::Base.allow_forgery_protection = true
+    end
+
+    context "When logging in" do
+      it "should redirect back and show a helpful message" do
+        visit "/users/sign_in"
+        fill_in "user_email", with: user.email
+        fill_in "user_password", with: DEFAULT_USER_PASSWORD
+        first('input[name="authenticity_token"]', visible: false).set("NOTAVALIDCSRFTOKEN")
+        page.execute_script("$(\"meta[name='csrf-token']\").attr('content', 'NOTAVALIDCSRFTOKEN');")
+        click_button "Log in"
+        expect(current_path).to eql "/users/sign_in"
+        expect(page).to have_content "Your session expired. This could be due to leaving a page open for a long time, or having multiple tabs open. Try resubmitting."
+      end
+    end
+
+    context "When logged in and creating a distribution" do
+      before do
+        create(:partner, organization: organization, name: "Test Partner")
+        storage_location = create(:storage_location, organization: organization, name: "Test Storage Location")
+        setup_storage_location(storage_location)
+      end
+      it "should redirect back and show a helpful message" do
+        sign_in(user)
+        visit new_distribution_path
+        select "Test Partner", from: "Partner"
+        select "Test Storage Location", from: "From storage location"
+        first('input[name="authenticity_token"]', visible: false).set("NOTAVALIDCSRFTOKEN")
+        page.execute_script("$(\"meta[name='csrf-token']\").attr('content', 'NOTAVALIDCSRFTOKEN');")
+        click_button "Save"
+        expect(current_path).to eql new_distribution_path
+        expect(page).to have_content "Your session expired. This could be due to leaving a page open for a long time, or having multiple tabs open. Try resubmitting."
+      end
+    end
+
+    after(:all) do
+      ActionController::Base.allow_forgery_protection = false
+    end
+  end
 end
