From 26ce930ac6b416e6901ca2333cdc0b83c749f5f6 Mon Sep 17 00:00:00 2001
From: Sam
Date: Fri, 20 Apr 2018 11:21:51 +1000
Subject: [PATCH] FIX: remove auth cookie if we see InvalidAccess

---
 config/initializers/004-message_bus.rb | 24 +++++++++++++++++-------
 1 file changed, 17 insertions(+), 7 deletions(-)

diff --git a/config/initializers/004-message_bus.rb b/config/initializers/004-message_bus.rb
index 58ba09b6b88..137dff182c5 100644
--- a/config/initializers/004-message_bus.rb
+++ b/config/initializers/004-message_bus.rb
@@ -10,9 +10,25 @@ end
 def setup_message_bus_env(env)
   return if env["__mb"]
 
+  extra_headers = {
+    "Access-Control-Allow-Origin" => Discourse.base_url_no_prefix,
+    "Access-Control-Allow-Methods" => "GET, POST",
+    "Access-Control-Allow-Headers" => "X-SILENCE-LOGGER, X-Shared-Session-Key, Dont-Chunk, Discourse-Visible"
+  }
+
   host = RailsMultisite::ConnectionManagement.host(env)
   RailsMultisite::ConnectionManagement.with_hostname(host) do
-    user = CurrentUser.lookup_from_env(env)
+    user = nil
+    begin
+      user = CurrentUser.lookup_from_env(env)
+    rescue Discourse::InvalidAccess => e
+      # this is bad we need to remove the cookie
+      if e.opts[:delete_cookie].present?
+        extra_headers['Set-Cookie'] = '_t=del; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT'
+      end
+    rescue => e
+      Discourse.warn_exception(e, message: "Unexpected error in Message Bus")
+    end
     user_id = user && user.id
     is_admin = !!(user && user.admin?)
     group_ids = if is_admin
@@ -22,12 +38,6 @@ def setup_message_bus_env(env)
       user.groups.pluck('groups.id')
     end
 
-    extra_headers = {
-      "Access-Control-Allow-Origin" => Discourse.base_url_no_prefix,
-      "Access-Control-Allow-Methods" => "GET, POST",
-      "Access-Control-Allow-Headers" => "X-SILENCE-LOGGER, X-Shared-Session-Key, Dont-Chunk, Discourse-Visible"
-    }
-
     if env[Auth::DefaultCurrentUserProvider::BAD_TOKEN]
       extra_headers['Discourse-Logged-Out'] = '1'
     end
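Review bot: The cookie-expiry header added in the first hunk's `rescue Discourse::InvalidAccess` branch only clears `_t` if the browser holds it for this exact host with `path=/` and no `domain` attribute; if the auth cookie is ever issued with a `domain` or a different path, the browser ignores the deletion and the client keeps presenting the invalid token on every poll, so this should be confirmed against how `_t` is set, ideally by reusing the same attributes from one shared helper. Separately, the body of a `rescue` clause is not protected by the sibling `rescue => e`, so if `e.opts` can be nil the `e.opts[:delete_cookie]` call raises NoMethodError straight out of `setup_message_bus_env`, bypassing the `warn_exception` fallback; `if e.opts && e.opts[:delete_cookie]` guards that. The comment `# this is bad we need to remove the cookie` says little about intent; I would replace it with `# Expire the client's auth cookie so a revoked or invalid token is not re-sent on every poll.` The method body continues past the end of this hunk.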