This repository has been archived on 2023-03-18. You can view files and clone it. You cannot open issues or pull requests or push a commit.
osr-discourse-src/spec/components/middleware
David Taylor 7a52ce0d6d FIX: Strip discourse-logged-in header during force_anonymous! (#14533)
When the anonymous cache forces users into anonymous mode, it strips the cookies from their request. However, the discourse-logged-in header from the JS client remained.

When the discourse-logged-in header is present without any valid auth_token, the current_user_provider marks the request as ['logged out'](https://github.com/discourse/discourse/blob/dbbfad7ed07c47674f9dee4ac7021ca51cc04e2e/lib/auth/default_current_user_provider.rb#L125-L125), and a [discourse-logged-out header is returned to the client](https://github.com/discourse/discourse/blob/dbbfad7ed07c47674f9dee4ac7021ca51cc04e2e/lib/middleware/request_tracker.rb#L209-L211). This causes the JS app to [pop up a "you were logged out" modal](https://github.com/discourse/discourse/blob/dbbfad7ed07c47674f9dee4ac7021ca51cc04e2e/app/assets/javascripts/discourse/app/components/d-document.js#L29-L29), which is very disruptive.

This commit strips the discourse-logged-in header from the request at the same time as the auth cookie.
2021-10-07 12:31:42 +01:00