Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[P4-2419] Ensure form wizards are unique for each Person Escort Record #946

Merged
merged 2 commits into from
Oct 30, 2020
Merged

[P4-2419] Ensure form wizards are unique for each Person Escort Record #946

merged 2 commits into from
Oct 30, 2020

Conversation

teneightfive
Copy link
Contributor

@teneightfive teneightfive commented Oct 30, 2020
edited
Loading

Proposed changes

What changed

This change uses the ID of the Person Escort Record to create the form wizard and journey keys so that they are unique for each record.

This also introduces a link to the error page to make it easier to refresh a form that has been tampered with.

Why did it change

We have seen lots of CSRF errors reported in Sentry. This occurs when a new CSRF token is generating for that form wizard and its journey.

Currently the key is not unique per Person Escort Record form wizard which means that if a user opens an existing record in another tab, for example to compare the previous information or re-use some information, and then try and submit the form step, it will have regenerated the CSRF token and the initial form step will now error.

Issue tracking

Screenshots

Before After
image image
csrf-before csrf-after

Checklists

Testing

Automated testing

  • Added unit tests to cover changes
  • Added end-to-end tests to cover any journey changes

Manual testing

Has been tested in the following browsers:

  • Chrome
  • Firefox
  • Edge
  • Internet Explorer

Environment variables

  • No environment variables were added or changed

Other considerations

Commit messages with a fix or feat type are automatically used to generate the changelog and
GitHub release notes during the release task. Please make sure they will read well on their own in a
summary of changes and that the commit body gives a more detailed description of those changes if necessary.

@teneightfive teneightfive self-assigned this Oct 30, 2020
@teneightfive teneightfive temporarily deployed to booksecuremove-pr-946 October 30, 2020 13:37 Inactive
@teneightfive
fix(per): Ensure form-wizard journey is unique for each PER
0dca482 
Currently we use a generic session key for the form wizard and its
journeys. This means that the session is shared for all Person Escort
Records. This leads to an occurrance of CSRF resets and clashes when
opening an old record to compare against a new record.

To prevent this, each form-wizard and journey is given a unique name
using the ID of the record.
@teneightfive
fix: Add link to hard reload a form that has been tampered with
4dbcca7 
The content displayed on the error page when a form has been tampered
with currently instructs the user to reload the page. However, with
a number of modern browsers this will use the original request method,
in this case a `POST`, which will cause the error to continue to appear.

This change adds a link to the instruction that will force the browser
to reload this page with a `GET` which will regenerate the CSRF token
and prevent the error from re-appearing.
@teneightfive teneightfive temporarily deployed to booksecuremove-pr-946 October 30, 2020 13:44 Inactive
@codeclimate
Copy link

codeclimate bot commented Oct 30, 2020

Code Climate has analyzed commit 4dbcca7 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (90% is the threshold).

This pull request will bring the total coverage in the repository to 97.8% (0.0% change).

View more on Code Climate.

jason-sims
jason-sims approved these changes Oct 30, 2020
View reviewed changes
Copy link

@jason-sims jason-sims left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As discussed, great work!

merlinc
merlinc approved these changes Oct 30, 2020
View reviewed changes
Copy link
Contributor

@merlinc merlinc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved, with the caveats raised in our chat - namely this is tweaking how these form/journey names are being used so we might have issues down the line, and that we get a browser test to validate that this fixes the multiple tabs issue so that we're protected from regressions in the future

@teneightfive
Copy link
Contributor Author

Approved, with the caveats raised in our chat - namely this is tweaking how these form/journey names are being used so we might have issues down the line, and that we get a browser test to validate that this fixes the multiple tabs issue so that we're protected from regressions in the future

Have added #950 to track this follow up test

@teneightfive teneightfive merged commit 9bb5ee8 into master Oct 30, 2020
@teneightfive teneightfive deleted the fix/csrf branch October 30, 2020 15:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jason-sims jason-sims jason-sims approved these changes

@merlinc merlinc merlinc approved these changes

@solidgoldpig solidgoldpig solidgoldpig approved these changes

Assignees

@teneightfive teneightfive

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@teneightfive @solidgoldpig @merlinc @jason-sims