Merge pull request #1436 from basecamp/fix-cookie-clash-with-old-path-scoped-session-token
Delete scoped session tokens when encountered
This commit is contained in:
@@ -4,6 +4,7 @@ module Authentication
|
||||
included do
|
||||
# Checking for tenant must happen first so we redirect before trying to access the db.
|
||||
before_action :require_tenant
|
||||
prepend_before_action :clear_old_scoped_session_cookies
|
||||
|
||||
before_action :require_authentication
|
||||
helper_method :authenticated?
|
||||
@@ -51,6 +52,12 @@ module Authentication
|
||||
end
|
||||
end
|
||||
|
||||
def clear_old_scoped_session_cookies
|
||||
if request.script_name.present? && cookies.signed[:session_token].present? && !find_session_by_cookie
|
||||
cookies.signed[:session_token] = { value: "invalid-session-token", path: request.script_name, expires: 1.hour.ago }
|
||||
end
|
||||
end
|
||||
|
||||
def find_session_by_cookie
|
||||
Session.find_signed(cookies.signed[:session_token])
|
||||
end
|
||||
|
||||
@@ -17,7 +17,7 @@ class Membership < UntenantedRecord
|
||||
|
||||
def account_name
|
||||
ApplicationRecord.with_tenant(tenant) { Account.sole.name }
|
||||
rescue ActiveRecord::Tenanted::TenantDoesNotExistError
|
||||
rescue ActiveRecord::Tenanted::TenantDoesNotExistError, ActiveRecord::RecordNotFound
|
||||
nil
|
||||
end
|
||||
|
||||
|
||||
Reference in New Issue
Block a user