[10-10CG] Reset csrfToken on 403 response for fetchFacilities #34431
Conversation
…est returns a 403 Invalid Authenticity Token response
| @@ -125,10 +125,27 @@ export const fetchFacilities = async ({ | |||
| }) | |||
| .catch(error => { | |||
| Sentry.withScope(scope => { | |||
| scope.setExtra('error', error); | |||
| scope.setExtra('error', error.errors); | |||
There was a problem hiding this comment.
This errors object was just showing
{
errors: [
[Object]
]
}
Which is not helpful. This will instead show the error array which has more detail.
|
|
||
| if ( | ||
| errorResponse?.status === '403' && | ||
| errorResponse?.detail === 'Invalid Authenticity Token' |
There was a problem hiding this comment.
I only want to trigger this for 403s AND when it is an Invalid Authenticity Token, since there are other valid 403 responses we don't want to trigger this logic.
| scope.setExtra('status', errorResponse?.status); | ||
| scope.setExtra('detail', errorResponse?.detail); | ||
| Sentry.captureMessage( | ||
| 'Error in fetchFacilities. Clearing csrfToken in localStorage.', |
There was a problem hiding this comment.
Added new Sentry log so we know when these occur and give us more detail into what's going on.
There was a problem hiding this comment.
Sentry call found
Sentry captures a lot of data, and we want to make sure that we only keep information that will be useful for troubleshooting issues. This means that PII should not be recorded.
What you can do
Review your call to Sentry and see if you can reasonably reduce any information that is included, or wait for a VSP review.
Are you removing, renaming or moving a folder in this PR?
If the folder you changed contains a
manifest.json, search for itsentryNamein the content-build registry.json (theentryNamethere will match).If an entry for this folder exists in content-build and you are:
Deleting a folder:
vets-websitefor all instances of theentryNamein yourmanifest.jsonand remove them in a separate PR. Look particularly for references insrc/applications/static-pages/static-pages-entry.jsandsrc/platform/forms/constants.js. If you do not do this, other applications will break!Renaming or moving a folder: Update the entry in the registry.json, but do not merge it until your vets-website changes here are merged. The content-build PR must be merged immediately after your vets-website change is merged in to avoid CI errors with content-build (and Tugboat).
Examples of a TeamSite: https://va.gov/health and https://benefits.va.gov/benefits/. This scenario is also referred to as the "injected" header and footer. You can reach out in the
#sitewide-public-websitesSlack channel for questions.Did you change site-wide styles, platform utilities or other infrastructure?
Summary
Invalid Authenticity Tokenin our new facilities search page. The last two appear to have tried to pass invalid csrf tokens from the client.403 - Invalid Authenticity Tokenerror we set thecsrfTokenin localStorage to an empty string. If the request is retried, it will trigger the logic that checks if there is a token, and if not it makes aHEADrequest to ensure it has a valid token, which then calls thefetchFacilitieswith a valid token.caregiver_use_facilities_APItoggleRelated issue(s)
Testing done
Screenshots
No UI changes
What areas of the site does it impact?
10-10CG
Acceptance criteria
Quality Assurance & Testing
Error Handling
Authentication