Rails should return 403 by default for ActiveSupport::MessageVerifier::InvalidSignature

Just like ActiveRecord::RecordNotFound which returns a 404 error page when raised, ActiveSupport::MessageVerifier::InvalidSignature should display a 403 error page to the user, and not a 500 internal server error.

Just like find, also find_signed! is widely used in controllers. The problem is that when the signature is invalid or expired the exception raised causes a 500 error instead of a meaningful message.

My current workaround is this:

class ApplicationController < ActionController::Base
  rescue_from ActiveSupport::MessageVerifier::InvalidSignature do |e|
    head :forbidden # or render something...


However I think that ActiveSupport::MessageVerifier::InvalidSignature should be handled directly by Rails in a way similar to ActiveRecord::RecordNotFound. In this way we could just customize a public/403.html and nothing else (which seems the correct Rails-way).

Just FYI. You can register your own exceptions just like Rails does for things like ActiveRecord::RecordNotFound. Just put this in your application.rb:

config.action_dispatch.rescue_responses.merge! \
  'ActiveSupport::MessageVerifier::InvalidSignature' => :forbidden

Then you don’t need your own rescue_from block in ApplicationController.

As to if Rails would do this by default I’m not sure if that would be good or not. ActiveSupport::MessageVerifier::InvalidSignature is not only raised by find_signed!. If using message verifiers directly you might get this exception and a 403 Forbidden might not be the HTTP response you want in those cases. I could see 422 Unprocessable Content being perhaps more appropriate as a default response for that exception.