I recently added a before_action before protect_from_forgery:

```ruby
before_action :set_locale              # appended to the callback chain, so it runs first
protect_from_forgery with: :exception  # registers verify_authenticity_token after set_locale
```

This causes an exception when a user tries to log in with Devise.
The fix is simple (protect from forgery before doing other actions):

```ruby
before_action :set_locale
protect_from_forgery with: :exception, prepend: true  # prepend: true puts verify_authenticity_token at the front of the chain
```
However, what concerns me is that the bug triggered an exception in production which was not caught in test.
Steps to trigger the bug are:
- create an account
- log out
- sign in
I test this explicitly in an RSpec/Capybara test using Chrome with JavaScript enabled.
In the test, I don't get the exception.
Can anyone explain why?
Thanks,
Rob
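Added example, not the original poster's code and not Rails itself: a Rails-free model of two mechanics behind the post above. First, `before_action` appends a filter to the controller's callback chain, while `protect_from_forgery ... prepend: true` puts `verify_authenticity_token` at the front (in Rails it is registered via `prepend_before_action`). Second, the `config/environments/test.rb` that Rails generates sets `config.action_controller.allow_forgery_protection = false`, so under the test environment the verification filter does nothing and a bad or missing token can never raise; that is one reason a Capybara run can pass where production raises. Class and method names mirror Rails, but the bodies are a toy, and the request hashes are constructed inline.

```ruby
# Toy stand-in for an ActionController filter chain (added example, not Rails code).
class ToyController
  attr_reader :filters

  def initialize(allow_forgery_protection: true)
    @filters = []
    @allow_forgery_protection = allow_forgery_protection # false in Rails' generated test.rb
  end

  # before_action appends; prepend: true inserts at the front of the chain.
  def before_action(name, prepend: false)
    prepend ? @filters.unshift(name) : @filters.push(name)
  end

  # protect_from_forgery registers verify_authenticity_token as a before_action.
  def protect_from_forgery(with: :exception, prepend: false)
    @forgery_strategy = with
    before_action(:verify_authenticity_token, prepend: prepend)
  end

  # Run every filter in declaration order for one request hash.
  # Returns the chain that ran, or raises like `with: :exception` does.
  def process(request)
    @filters.each { |name| send(name, request) }
    @filters.dup
  end

  private

  def set_locale(request)
    request[:locale] = request.dig(:params, :locale) || "en"
  end

  def verify_authenticity_token(request)
    return unless @allow_forgery_protection # test env: the check is skipped entirely
    return if request.dig(:params, :authenticity_token) == request.dig(:session, :_csrf_token)
    raise "ActionController::InvalidAuthenticityToken" if @forgery_strategy == :exception
    request[:session] = {} # rough stand-in for :reset_session / :null_session
  end
end

# Chain order for the two declaration styles shown in the post.
def chain_order(prepend:)
  c = ToyController.new
  c.before_action(:set_locale)
  c.protect_from_forgery(with: :exception, prepend: prepend)
  c.filters
end

# Outcome of a sign-in POST whose token does not match the session (constructed
# request), under a production-like and a test-like forgery setting.
def bad_token_outcome(allow_forgery_protection:)
  c = ToyController.new(allow_forgery_protection: allow_forgery_protection)
  c.before_action(:set_locale)
  c.protect_from_forgery(with: :exception, prepend: true)
  request = { params: { authenticity_token: "stale" }, session: { _csrf_token: "fresh" } }
  c.process(request)
  :ok
rescue RuntimeError => e
  e.message
end

if __FILE__ == $0
  p chain_order(prepend: false)                      # [:set_locale, :verify_authenticity_token]
  p chain_order(prepend: true)                       # [:verify_authenticity_token, :set_locale]
  p bad_token_outcome(allow_forgery_protection: true)  # "ActionController::InvalidAuthenticityToken"
  p bad_token_outcome(allow_forgery_protection: false) # :ok
end
```

The last two calls are the practical check: the same request that raises with forgery protection on is silently accepted with it off, so a feature spec that runs under the default test configuration cannot observe the production exception regardless of callback order. To exercise the real check in a Rails spec, the setting has to be turned on for that spec (for example by temporarily setting `ActionController::Base.allow_forgery_protection = true` around it).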