Investigate Rollbar Error 27 - InvalidAuthenticityToken
dottorer opened this issue
The AuthenticityToken is used to mitigate against CSRF attacks or session riding attacks. Technically, Rails always has a session, which is for example used to transport flash messages across requests. This does not mean there is a 'user session'. It is safe to not check the AuthenticityToken for pages like:
https://app.lale.help/reset_password
https://app.lale.help/login
https://app.lale.help/join/XXX
as they are public pages and any attacker could just use those pages directly (IMO), i.e. just check the AuthenticityToken when there is a current_user.
This would remove the bigger portion of the InvalidAuthenticityToken errors.
The remaining incidents:
https://app.lale.help/circles/12/members/215/activate
https://app.lale.help/circles/8/tasks/499/comments
https://app.lale.help/circles/21/tasks/401/decline
It is still unclear how these can happen - still investigating.
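The policy proposed in the comment above, modelled as an added example (not code from the lale.help app or from Rails itself): a small stand-in for Rails' request forgery protection that generates, masks and verifies the authenticity token, but only enforces the check on state-changing requests when the session carries a current_user. Request and session are plain hashes, and the paths used in the demo are the ones quoted in the issue; both are assumptions made so the example runs without Rails.

```ruby
require 'securerandom'

# Added example (not the project's code): a minimal model of Rails-style CSRF
# token handling with the policy from the issue, i.e. verify the token only
# when a user is logged in. request = { method:, path:, params: } and
# session = { current_user_id:, _csrf_token: } are assumed plain hashes.
module CsrfPolicy
  SAFE_METHODS = %w[GET HEAD].freeze

  # Per-session secret, created lazily like Rails' session[:_csrf_token].
  def self.token_for(session)
    session[:_csrf_token] ||= SecureRandom.hex(32)
  end

  # Rails-style masking: XOR the secret with a fresh one-time pad so the value
  # embedded in each form differs per response (defeats compression oracles
  # such as BREACH). Output is hex: pad || (secret XOR pad).
  def self.masked_token(session)
    secret = [token_for(session)].pack('H*')
    pad    = SecureRandom.random_bytes(secret.bytesize)
    (pad + xor_bytes(secret, pad)).unpack1('H*')
  end

  # Reverse the masking; returns the hex secret the submitted value claims.
  # Malformed input (nil, odd length, too short) yields '' and fails later.
  def self.unmask(masked_hex)
    bytes = [masked_hex.to_s].pack('H*')
    half  = bytes.bytesize / 2
    return '' if half.zero? || bytes.bytesize.odd?
    xor_bytes(bytes[half, half], bytes[0, half]).unpack1('H*')
  end

  def self.xor_bytes(a, b)
    a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
  end

  # Constant-time comparison so a mismatch does not leak through timing.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  def self.valid_token?(session, submitted)
    secure_compare(unmask(submitted), token_for(session))
  end

  # The decision proposed in the issue: safe methods always pass; without a
  # current_user there is no user session to ride, so public pages such as
  # /login, /reset_password and /join/XXX are not checked; with a user the
  # submitted authenticity_token must unmask to the session secret.
  def self.verified_request?(request, session)
    return true if SAFE_METHODS.include?(request[:method])
    return true unless session[:current_user_id]
    valid_token?(session, request[:params]['authenticity_token'])
  end
end

# Demo with constructed requests using paths from the issue.
if $PROGRAM_NAME == __FILE__
  session = {}
  login = { method: 'POST', path: '/login', params: {} }
  puts "anonymous POST /login: #{CsrfPolicy.verified_request?(login, session)}"
  session[:current_user_id] = 215
  activate = { method: 'POST', path: '/circles/12/members/215/activate', params: {} }
  puts "logged-in POST without token: #{CsrfPolicy.verified_request?(activate, session)}"
  activate[:params] = { 'authenticity_token' => CsrfPolicy.masked_token(session) }
  puts "logged-in POST with token: #{CsrfPolicy.verified_request?(activate, session)}"
end
```

In a real Rails controller the same condition is expressed declaratively, since `protect_from_forgery` forwards `if:`/`unless:` to the underlying `before_action`, e.g. `protect_from_forgery with: :exception, if: :current_user`; the token masking and constant-time comparison above are handled by Rails itself and only reproduced here to show what the check actually compares.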