Proposal for improving the InvalidAuthenticityToken error on an invalid same-origin check


When your server does not properly manage request.origin vs. request.base_url, you end up with a very helpful log message, introduced here: Improve logging when Origin header doesn’t match · rails/rails@a500b47 · GitHub

“HTTP Origin header (#{request.origin}) didn’t match request.base_url (#{request.base_url})”

There is a lot of discussion about InvalidAuthenticityToken on GitHub and Stack Overflow, and I think the error should be more helpful.

One problem is that the exception is always InvalidAuthenticityToken and does not provide any further information. So people think there is wrong handling of the authenticity_token when it is a same-origin issue.

I would like to make 2 proposals:

  • Set the log message as the InvalidAuthenticityToken exception message:
    • ActionController::InvalidAuthenticityToken: {:message=>"HTTP Origin header (#{request.origin}) didn't match request.base_url (#{request.base_url})"}
  • Use a custom class for a wrong Origin to reflect that the error is not related to an AuthenticityToken: ActionController::InvalidSameOrigin: {:message=>"HTTP Origin header (#{request.origin}) didn't match request.base_url (#{request.base_url})"}

The second point means that the two validations will remain activated by default but will have their own error class: ActionController::InvalidAuthenticityToken and a new ActionController::InvalidSameOrigin.



Smallest change first. Help identifying why we have an InvalidAuthenticityToken exception by benoittgt · Pull Request #41822 · rails/rails · GitHub

In initializers/omniauth.rb:

token_verifier = OmniAuth.config.before_request_phase # omniauth-rails_csrf_protection
OmniAuth.config.before_request_phase = proc do |env|
  token_verifier.call(env) # run the gem's own verifier first
rescue ActionController::InvalidAuthenticityToken => e
  raise # the rescue body was not included in the post; re-raising keeps the gem's behaviour
end

Yes. It will probably need to be a new error on a subclass to be properly rescuable by existing code.
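As an added illustration of the two proposals in the first post, of the OmniAuth wrapper posted above, and of the reply that the new error must be a subclass, here is a stand-alone Ruby sketch. It is not code from this thread, from rails/rails, or from omniauth-rails_csrf_protection: the ActionController module below is a stand-in for the real one so the file runs without Rails, InvalidSameOrigin is the class name proposed in the thread and does not exist in Rails, and Request, verify_request!, classify and wrap_verifier are hypothetical names chosen for the example.

```ruby
# Added example, not from the thread or from rails/rails. The ActionController
# module here is a stand-in for the real one so the file runs without Rails;
# InvalidSameOrigin is the class name proposed in this thread and does not
# exist in Rails. Request, verify_request!, classify and wrap_verifier are
# hypothetical names chosen for this example.
module ActionController
  class InvalidAuthenticityToken < StandardError; end

  # Proposal 2: a distinct class for an Origin mismatch. Making it a subclass of
  # InvalidAuthenticityToken (the point made in the reply above) means any
  # existing `rescue ActionController::InvalidAuthenticityToken` still catches it.
  class InvalidSameOrigin < InvalidAuthenticityToken; end
end

# Minimal stand-in for the parts of a Rails request the two checks look at.
Request = Struct.new(:origin, :base_url, :authenticity_token, keyword_init: true)

# Hypothetical verifier modelled on the two checks Rails performs: when an
# Origin header is present it is compared with request.base_url, then the CSRF
# token is compared with the expected one. Proposal 1: the message that Rails
# currently only writes to the log becomes the exception message, so the cause
# is visible in the error itself rather than only in the server log.
def verify_request!(request, expected_token:)
  if request.origin && request.origin != request.base_url
    raise ActionController::InvalidSameOrigin,
          "HTTP Origin header (#{request.origin}) didn't match request.base_url (#{request.base_url})"
  end
  unless request.authenticity_token == expected_token
    raise ActionController::InvalidAuthenticityToken, "authenticity token mismatch"
  end
  true
end

# What a caller that only knows about the existing exception class sees: one
# rescue clause catches both errors, and the class name plus message now say
# which check failed.
def classify(request, expected_token: "tok-123")
  verify_request!(request, expected_token: expected_token)
  "ok"
rescue ActionController::InvalidAuthenticityToken => e
  "#{e.class.name}: #{e.message}"
end

# Same shape as the OmniAuth before_request_phase wrapper posted above: keep the
# original verifier, rescue the parent class, record what failed, re-raise. The
# wrapper does not need to know about InvalidSameOrigin to see it.
def wrap_verifier(original)
  proc do |env|
    original.call(env)
  rescue ActionController::InvalidAuthenticityToken => e
    env["csrf.failure"] = "#{e.class.name}: #{e.message}"
    raise
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample requests, not captured traffic.
  base = "https://app.example.com"
  [
    Request.new(origin: "https://attacker.example", base_url: base, authenticity_token: "tok-123"),
    Request.new(origin: "http://app.example.com", base_url: base, authenticity_token: "tok-123"), # scheme differs
    Request.new(origin: nil, base_url: base, authenticity_token: "wrong"),
    Request.new(origin: base, base_url: base, authenticity_token: "tok-123")
  ].each { |req| puts classify(req) }
end
```

Run it with `ruby same_origin_example.rb`: the first two requests report InvalidSameOrigin with the origin and base_url in the message (the second shows that a scheme mismatch, http vs https, is enough to trip the check), the third reports the plain InvalidAuthenticityToken, and the last is ok. An application that already rescues ActionController::InvalidAuthenticityToken needs no change to keep catching the new class.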

At the moment I am waiting for an approval on the first PR.