Guard against a login attempt with invalid CSRF token
If a user logs in with a bad CSRF token, the Warden before_logout hook will be called with no valid user. This would lead to odd Error 500 messages with a backtrace. Addresses part of #50857
parent
4586d77c85
commit
027c3264ad
|
@ -0,0 +1,5 @@
|
||||||
|
---
|
||||||
|
title: Guard against a login attempt with invalid CSRF token
|
||||||
|
merge_request: 21934
|
||||||
|
author:
|
||||||
|
type: fixed
|
|
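Review bot: the changelog `title:` names the cause (an invalid CSRF token on login) but not the user-visible symptom fixed, the Error 500 with a backtrace described in the commit message; release-notes readers scan for symptoms, so a title such as "Fix 500 errors when logging in with an invalid CSRF token" would be easier to match to the bug report. The `author:` field is left blank, which is consistent with the rest of the entry if this is an internal change rather than a community contribution.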
@ -31,6 +31,11 @@ Rails.application.configure do |config|
|
||||||
|
|
||||||
Warden::Manager.before_logout(scope: :user) do |user, auth, opts|
|
Warden::Manager.before_logout(scope: :user) do |user, auth, opts|
|
||||||
user ||= auth.user
|
user ||= auth.user
|
||||||
|
|
||||||
|
# Rails CSRF protection may attempt to log out a user before that
|
||||||
|
# user even logs in
|
||||||
|
next unless user
|
||||||
|
|
||||||
activity = Gitlab::Auth::Activity.new(opts)
|
activity = Gitlab::Auth::Activity.new(opts)
|
||||||
tracker = Gitlab::Auth::BlockedUserTracker.new(user, auth)
|
tracker = Gitlab::Auth::BlockedUserTracker.new(user, auth)
|
||||||
|
|
||||||
|
|
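Review bot: `next unless user` silently drops the event, and because it sits above `activity = Gitlab::Auth::Activity.new(opts)` it also bypasses the activity tracking for this path, so a burst of login attempts with bad CSRF tokens leaves no trace in the authentication activity metrics. Consider emitting at least a debug-level log line before the `next` so these requests stay observable to operators, and add a request spec that posts a login with an invalid CSRF token and asserts a non-500 response, since the hunk carries no test for the new guard. The comment "Rails CSRF protection may attempt to log out a user before that user even logs in" explains the why well; keep it next to the guard if the block is later refactored.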