protect_from_forgery error not manifesting in test environment


Rob Jonson

Jan 29, 2018, 9:51:16 AM1/29/18
to Ruby on Rails: Talk
I recently added a before_action before protect_from_forgery:

before_action :set_locale
protect_from_forgery with: :exception

This causes an exception when a user tries to log in with Devise.

The fix is simple (protect from forgery before doing other actions):

before_action :set_locale
protect_from_forgery with: :exception, prepend: true

However, what concerns me is that the bug triggered an exception in production which was not caught in test.

Steps to trigger the bug are:

1) create an account
2) log out
3) sign in

I test this explicitly in an RSpec Capybara test using Chrome with JavaScript enabled.
In the test, I don't get the exception.

Can anyone explain why?

thanks,

Rob

nanaya

Jan 29, 2018, 10:42:11 AM1/29/18
to rubyonra...@googlegroups.com
Hi,

On Mon, Jan 29, 2018, at 23:51, Rob Jonson wrote:
>
> however - what concerns me is that the bug triggered an exception in
> production which was not caught in test.
>
> steps to trigger the bug are
>
> 1) create an account
> 2) log out
> 3) sign in
>
> I test this explicitly in an rspec capybara test using chrome with
> javascript enabled.
> In the test, I don't get the exception.
>
> can anyone explain why?
>

There's this setting (in "config/environments/test.rb" for test env):

config.action_controller.allow_forgery_protection = false (default for test env)
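The two points in this thread, the callback ordering from the first post and the test-environment switch nanaya names, can be reproduced outside Rails with a small model of ActionController's before_action chain. The following is an added example, not code from the thread, from Devise or from Rails itself; it assumes the Rails 5+ behaviour that protect_from_forgery appends :verify_authenticity_token to the chain unless prepend: true is given (Rails 4 prepended it by default, which is why the option became necessary), and that verify_authenticity_token is a no-op when allow_forgery_protection is false, the value the generated config/environments/test.rb sets. MiniController, simulate and the set_locale body are all invented for the illustration, and only the with: :exception strategy is modelled.

```ruby
# Added example: a stripped-down model of ActionController's before_action
# chain. MiniController and simulate are invented names; the callback-ordering
# and allow_forgery_protection semantics are assumptions about Rails 5+.
class MiniController
  class InvalidAuthenticityToken < StandardError; end

  class << self
    # Mirrors config.action_controller.allow_forgery_protection.
    attr_accessor :allow_forgery_protection

    def before_actions
      @before_actions ||= []
    end

    # Appends by default; prepend: true puts the callback at the front.
    def before_action(name, prepend: false)
      prepend ? before_actions.unshift(name) : before_actions.push(name)
    end

    # Rails 5+ semantics: the CSRF check is just another before_action, so a
    # callback declared above it still runs first unless prepend: true.
    def protect_from_forgery(with: :exception, prepend: false)
      raise ArgumentError, "only :exception is modelled" unless with == :exception
      before_action(:verify_authenticity_token, prepend: prepend)
    end
  end

  attr_reader :trace

  def initialize(params)
    @params = params
    @trace = [] # records which callbacks actually ran, in order
  end

  def run
    self.class.before_actions.each { |name| send(name) }
    :ok
  end

  def verify_authenticity_token
    # With forgery protection switched off, the check never executes, which is
    # why a test-env run cannot surface an ordering bug around it.
    return unless self.class.allow_forgery_protection

    trace << :verify_authenticity_token
    raise InvalidAuthenticityToken unless @params[:authenticity_token] == "valid"
  end
end

# Builds a fresh controller class declared the way the first post shows
# (before_action :set_locale above protect_from_forgery), runs one request
# with the given token, and reports the outcome plus the callback order seen.
def simulate(prepend_csrf:, token:, forgery_protection:)
  klass = Class.new(MiniController) do
    before_action :set_locale
    protect_from_forgery with: :exception, prepend: prepend_csrf

    def set_locale
      trace << :set_locale # stand-in for the real locale lookup
    end
  end
  klass.allow_forgery_protection = forgery_protection

  controller = klass.new(authenticity_token: token)
  result = begin
    controller.run
  rescue MiniController::InvalidAuthenticityToken
    :invalid_authenticity_token
  end
  { result: result, trace: controller.trace }
end

if $PROGRAM_NAME == __FILE__
  # Production-like: protection on, forged token. Without prepend, set_locale
  # has already run by the time the token is checked.
  p simulate(prepend_csrf: false, token: "forged", forgery_protection: true)
  p simulate(prepend_csrf: true,  token: "forged", forgery_protection: true)
  # Test-env default: the same forged request passes whatever the order.
  p simulate(prepend_csrf: false, token: "forged", forgery_protection: false)
end
```

In a real Rails suite the equivalent switch is ActionController::Base.allow_forgery_protection = true, set in an around hook for the sign-in system spec and reset to false afterwards, so that Capybara submits the genuine form token and the CSRF path actually executes under test.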

Rob Jonson

Jan 29, 2018, 12:23:08 PM1/29/18
to Ruby on Rails: Talk
thank you