FIX: Correctly handle invalid auth cookies (#16995)

Previously it would blow up on invalid utf byte sequences. This was a source of spec flakiness.
2025-02-25 18:55:32 -06:00 · 2022-06-07 13:00:25 +02:00
parent 98671445a7
commit 1a5dbbf430
2 changed files with 7 additions and 4 deletions
--- a/lib/auth/default_current_user_provider.rb
+++ b/lib/auth/default_current_user_provider.rb
@@ -77,8 +77,9 @@ class Auth::DefaultCurrentUserProvider
  ]

  def self.find_v0_auth_cookie(request)
-    cookie = request.cookies[TOKEN_COOKIE].presence
-    if cookie && cookie.size == TOKEN_SIZE
+    cookie = request.cookies[TOKEN_COOKIE]
+
+    if cookie&.valid_encoding? && cookie.present? && cookie.size == TOKEN_SIZE
      cookie
    end
  end
@@ -88,8 +89,10 @@ class Auth::DefaultCurrentUserProvider

    env[DECRYPTED_AUTH_COOKIE] = begin
      request = ActionDispatch::Request.new(env)
+      cookie = request.cookies[TOKEN_COOKIE]
+
      # don't even initialize a cookie jar if we don't have a cookie at all
-      if request.cookies[TOKEN_COOKIE].present?
+      if cookie&.valid_encoding? && cookie.present?
        request.cookie_jar.encrypted[TOKEN_COOKIE]&.with_indifferent_access
      end
    end