Merge pull request #5113 from rubyforgood/5100-fix-unknown-format

cielf · web-flow · commit 2a95847841b7 · 2025-04-28T11:54:05.000-04:00
#5100: Fix unknown format error on expired session
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
@@ -15,7 +15,9 @@ class ApplicationController < ActionController::Base
 
   rescue_from ActiveRecord::RecordNotFound, with: :not_found!
 
-  rescue_from ActionController::InvalidAuthenticityToken do
+  rescue_from ActionController::InvalidAuthenticityToken, with: :session_expired
+
+  def session_expired
     flash[:error] = "Your session expired. This could be due to leaving a page open for a long time, or having multiple tabs open. Try resubmitting."
     redirect_back fallback_location: root_path
   end
diff --git a/app/controllers/concerns/validatable.rb b/app/controllers/concerns/validatable.rb
@@ -0,0 +1,13 @@
+module Validatable
+  extend ActiveSupport::Concern
+
+  included do
+    rescue_from ActionController::InvalidAuthenticityToken do
+      if action_name == "validate"
+        render json: {valid: false}
+      else
+        session_expired
+      end
+    end
+  end
+end
diff --git a/app/controllers/distributions_controller.rb b/app/controllers/distributions_controller.rb
@@ -6,6 +6,7 @@
 class DistributionsController < ApplicationController
   include DateRangeHelper
   include DistributionHelper
+  include Validatable
 
   before_action :enable_turbo!, only: %i[new show]
   skip_before_action :authenticate_user!, only: %i(calendar)
diff --git a/app/controllers/partners/family_requests_controller.rb b/app/controllers/partners/family_requests_controller.rb
@@ -1,5 +1,6 @@
 module Partners
   class FamilyRequestsController < BaseController
+    include Validatable
     before_action :verify_partner_is_active
     before_action :authorize_verified_partners
 
diff --git a/app/controllers/partners/individuals_requests_controller.rb b/app/controllers/partners/individuals_requests_controller.rb
@@ -1,5 +1,6 @@
 module Partners
   class IndividualsRequestsController < BaseController
+    include Validatable
     before_action :verify_partner_is_active
     before_action :authorize_verified_partners
 
diff --git a/app/controllers/partners/requests_controller.rb b/app/controllers/partners/requests_controller.rb
@@ -1,5 +1,6 @@
 module Partners
   class RequestsController < BaseController
+    include Validatable
     skip_before_action :require_partner, only: [:new, :create, :validate]
     before_action :require_partner_or_org_admin, only: [:new, :create, :validate]
     layout :layout
diff --git a/spec/requests/distributions_requests_spec.rb b/spec/requests/distributions_requests_spec.rb
@@ -816,6 +816,17 @@
 
       include_examples "restricts access to organization users/admins"
     end
+
+    describe 'POST #validate' do
+      it 'should handle missing CSRF gracefully' do
+        ActionController::Base.allow_forgery_protection = true
+        post validate_partners_individuals_requests_path
+        ActionController::Base.allow_forgery_protection = false
+
+        expect(JSON.parse(response.body)).to eq({'valid' => false})
+        expect(response.status).to eq(200)
+      end
+    end
   end
 
   context "While not signed in" do
diff --git a/spec/requests/partners/family_requests_requests_spec.rb b/spec/requests/partners/family_requests_requests_spec.rb
@@ -11,7 +11,7 @@
 
   before { sign_in(partner_user) }
 
-  describe 'GET #new' do
+  describe "GET #new" do
     subject { get new_partners_family_request_path }
 
     it "does not allow deactivated partners" do
@@ -27,7 +27,7 @@
     end
   end
 
-  describe 'POST #create' do
+  describe "POST #create" do
     before do
       # Set one child as deactivated and the other as active but
       # without a item_needed_diaperid
@@ -66,4 +66,15 @@
       expect(Partners::ChildItemRequest.find_by(child_id: children[2].id)).to be_present
     end
   end
+
+  describe "POST #validate" do
+    it "should handle missing CSRF gracefully" do
+      ActionController::Base.allow_forgery_protection = true
+      post validate_partners_family_requests_path
+      ActionController::Base.allow_forgery_protection = false
+
+      expect(JSON.parse(response.body)).to eq({"valid" => false})
+      expect(response.status).to eq(200)
+    end
+  end
 end
diff --git a/spec/requests/partners/individuals_requests_requests_spec.rb b/spec/requests/partners/individuals_requests_requests_spec.rb
@@ -156,4 +156,15 @@
       end
     end
   end
+
+  describe "POST #validate" do
+    it "should handle missing CSRF gracefully" do
+      ActionController::Base.allow_forgery_protection = true
+      post validate_partners_individuals_requests_path
+      ActionController::Base.allow_forgery_protection = false
+
+      expect(JSON.parse(response.body)).to eq({"valid" => false})
+      expect(response.status).to eq(200)
+    end
+  end
 end
diff --git a/spec/requests/partners/requests_spec.rb b/spec/requests/partners/requests_spec.rb
@@ -430,4 +430,17 @@
       end
     end
   end
+
+  describe 'POST #validate' do
+    it 'should handle missing CSRF gracefully' do
+      sign_in(partner_user)
+
+      ActionController::Base.allow_forgery_protection = true
+      post validate_partners_requests_path
+      ActionController::Base.allow_forgery_protection = false
+
+      expect(JSON.parse(response.body)).to eq({'valid' => false})
+      expect(response.status).to eq(200)
+    end
+  end
 end
