[10-10CG] Ensure we have a valid csrf token when making POST requests in 10-10CG #34395
+161
−119
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
coope93
changed the title
coope93
commented
Jan 30, 2025
| }); | ||
| }; | ||
|
|
||
| export const ensureValidCSRFToken = async () => { |
There was a problem hiding this comment.
Same logic we had in the fetchFacilities, just moved it here so it can be reused. Maybe there is a better place than actions? It's really a helper, but I'm also hoping it does not stay here super long as we will want to eventually get it somewhere more global.
coope93
commented
Jan 30, 2025
| @@ -155,69 +141,6 @@ describe('CG fetchFacilities action', () => { | |||
| expect(apiRequestStub.callCount).to.equal(1); | |||
| }); | |||
| }); | |||
|
|
|||
| context('no csrfToken in localStorage', () => { | |||
There was a problem hiding this comment.
This is all tested in the unit spec for the new ensureValidCSRFToken
va-vfs-bot
reviewed
Jan 30, 2025
There was a problem hiding this comment.
Sentry call found
Sentry captures a lot of data, and we want to make sure that we only keep information that will be useful for troubleshooting issues. This means that PII should not be recorded.
What you can do
Review your call to Sentry and see if you can reasonably reduce any information that is included, or wait for a VSP review.
| event: 'caregivers-10-10cg-fetch-csrf-token-empty', | ||
| }); | ||
|
|
||
| Sentry.withScope(scope => { |
| }); | ||
|
|
||
| Sentry.withScope(scope => { | ||
| scope.setLevel(Sentry.Severity.Log); |
|
|
||
| Sentry.withScope(scope => { | ||
| scope.setLevel(Sentry.Severity.Log); | ||
| Sentry.captureMessage(`${message} Calling ${url} to generate new one.`); |
|
|
||
| return apiRequest(`${environment.API_URL}${url}`, { method: 'HEAD' }) | ||
| .then(() => { | ||
| Sentry.withScope(scope => { |
| return apiRequest(`${environment.API_URL}${url}`, { method: 'HEAD' }) | ||
| .then(() => { | ||
| Sentry.withScope(scope => { | ||
| scope.setLevel(Sentry.Severity.Log); |
| .then(() => { | ||
| Sentry.withScope(scope => { | ||
| scope.setLevel(Sentry.Severity.Log); | ||
| Sentry.captureMessage( |
| }); | ||
| }) | ||
| .catch(error => { | ||
| Sentry.withScope(scope => { |
| }) | ||
| .catch(error => { | ||
| Sentry.withScope(scope => { | ||
| scope.setLevel(Sentry.Severity.Log); |
| Sentry.withScope(scope => { | ||
| scope.setLevel(Sentry.Severity.Log); | ||
| scope.setExtra('error', error); | ||
| Sentry.captureMessage( |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Note: Delete the description statements, complete each step. None are optional, but can be justified as to why they cannot be completed as written. Provide known gaps to testing that may raise the risk of merging to production.
Are you removing, renaming or moving a folder in this PR?
If the folder you changed contains a
manifest.json, search for itsentryNamein the content-build registry.json (theentryNamethere will match).If an entry for this folder exists in content-build and you are:
Deleting a folder:
vets-websitefor all instances of theentryNamein yourmanifest.jsonand remove them in a separate PR. Look particularly for references insrc/applications/static-pages/static-pages-entry.jsandsrc/platform/forms/constants.js. If you do not do this, other applications will break!Renaming or moving a folder: Update the entry in the registry.json, but do not merge it until your vets-website changes here are merged. The content-build PR must be merged immediately after your vets-website change is merged in to avoid CI errors with content-build (and Tugboat).
Examples of a TeamSite: https://va.gov/health and https://benefits.va.gov/benefits/. This scenario is also referred to as the "injected" header and footer. You can reach out in the
#sitewide-public-websitesSlack channel for questions.Did you change site-wide styles, platform utilities or other infrastructure?
Summary
HEADrequest to generate a new csrf token when it is absent from localStorage in thefetchFacilitiesfunction.ensureValidCSRFTokenfunction that checks if the csrf token is in local storage, and if it is not it makes theHEADrequest to generate a new one.fetchFacilitiesfunction and in theApplicationDownloadLinkcomponent that makes aPOSTcall to generate a pdf for download.apiRequestfunction.ApplicationDownloadLinksince we have consistently been seeing 403 invalid csrf errors for years on this call, and I think getting it in to validate it here sooner is better than waiting to ensure we have the right approach to introduce it sitewide via theapiRequestfunction.Related issue(s)
Testing done
Screenshots
No UI changes
What areas of the site does it impact?
10-10CG
Acceptance criteria
Quality Assurance & Testing
Error Handling
Authentication