Skip to content

Skip check_session_expiry in SessionsController#70

Closed
JuanVqz wants to merge 1 commit intofix-brakemanfrom
fix-sessions-skip-expiry
Closed

Skip check_session_expiry in SessionsController#70
JuanVqz wants to merge 1 commit intofix-brakemanfrom
fix-sessions-skip-expiry

Conversation

@JuanVqz
Copy link
Member

@JuanVqz JuanVqz commented Mar 6, 2026

Problem

SessionsController skipped check_user_token but not check_session_expiry, leaving a gap in the auth filter setup. Both callbacks are defined in ApplicationController and both need to be skipped on the OAuth endpoint:

class SessionsController < ApplicationController
  skip_before_action :check_user_token
  # check_session_expiry was NOT skipped

As a result, a user whose session had expired would hit check_session_expiry before reaching SessionsController#create. The callback resets the session and renders puzzles/login, so the OAuth flow never completes — the user can't log back in.

This is a particularly bad failure mode: it's triggered exactly when the user needs to re-authenticate, making it impossible to recover a session through normal login.

Fix

Add the missing skip_before_action alongside the existing one:

class SessionsController < ApplicationController
  skip_before_action :check_user_token
  skip_before_action :check_session_expiry

Test

The test signs in (establishing a session with expires_at), then uses travel_to to jump 2 hours into the future so the session is expired. A second sign-in attempt then asserts a redirect to root_path, confirming the OAuth callback completes instead of being blocked.

travel_to 2.hours.from_now do
  sign_in
  assert_redirected_to root_path
end

@JuanVqz
Skip check_session_expiry in SessionsController
b7d954e 
SessionsController skipped check_user_token but not check_session_expiry,
so users with an expired session were shown the login page instead of
completing the OAuth callback flow.
JuanVqz added a commit that referenced this pull request Mar 6, 2026
@JuanVqz
Consolidate auth callbacks and fix Slack controller issues
62e7781 
Replaces #66, #67, #68, #70 with a single cohesive fix:

- Merge check_session_expiry + check_user_token into one authenticate!
  callback, eliminating the double-render risk by design
- SessionsController and Slack::ApplicationController now each skip a
  single authenticate! instead of managing multiple callbacks
- Rename valid_slack_request? to verify_slack_request! and make it halt
  with head :unauthorized when signature verification fails
- Replace head :unprocessable_entity in send_message with logging and
  Sentry.capture_exception so notification failures never affect the
  HTTP response back to Slack
@JuanVqz JuanVqz mentioned this pull request Mar 6, 2026
Open
@JuanVqz
Copy link
Member Author

JuanVqz commented Mar 6, 2026

Superseded by #71 which addresses this and three other related bugs with a more robust design.

@JuanVqz JuanVqz closed this Mar 6, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@JuanVqz