InvalidAuthenticityToken on macOS Catalina, anybody else?

dorianmariefr · November 28, 2021, 8:33am

On this user agent:

Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36

I get some ActionController::InvalidAuthenticityToken sometimes, any idea? I tried debugging and the tokens are different

gist.github.com

https://gist.github.com/dorianmariefr/73ea72d4c59f4838f0168e7acc98508f

debug-invalid-csrf-token.rb

{
  inputs:
    [params[:authenticity_token], request.x_csrf_token].map do |token|
      Base64.urlsafe_decode64(token)
    end.map do |token|
      xor_byte_strings(
        token[0...AUTHENTICITY_TOKEN_LENGTH],
        token[AUTHENTICITY_TOKEN_LENGTH..-1]
      )
    end,

This file has been truncated. show original

e_a · November 30, 2021, 2:53pm

InvalidAuthenticityToken means the token embedded in the form doesn’t match your session. While meant to be a security measure (preventing certain XSS attacks) I often see it cropping up by accident when your session changes (expires, reset due to logout, etc). Are you certain that the raising of the token is an error? It may be correct behavior for the events that proceeded it and maybe just needed a prettier color of paint to make it user friendly.