After regular user logs out admin gets CSRF Error when logging in

[fthobe]

Solidus Version:
4.4

To Reproduce
Log-in / register a regular user, log-out and try to login in as an admin via backend.
The only way to login in without error now is either using the front-end or clean cache and cookies.

Current behavior
CSRF Error

Expected behavior
Flawless login

Screenshots

Desktop (please complete the following information):

• OS: MacOS latest
• Browser Chrome
• Version Version 133.0.6943.142 (Official Build) (arm64)

Smartphone (please complete the following information):
Untested

ActionController::InvalidAuthenticityToken in Spree::Admin::UserSessionsController#create
Can't verify CSRF token authenticity.
Extracted source (around line #312):
310
311
312
313
314
315
              

        def handle_unverified_request
          raise ActionController::InvalidAuthenticityToken, warning_message
        end
      end
    end

Rails.root: /home/[removed]/[REMOVED]

Application Trace | Framework Trace | Full Trace
actionpack (7.2.2.1) lib/action_controller/metal/request_forgery_protection.rb:312:in `handle_unverified_request'
actionpack (7.2.2.1) lib/action_controller/metal/request_forgery_protection.rb:406:in `handle_unverified_request'
devise (4.9.4) lib/devise/controllers/helpers.rb:257:in `handle_unverified_request'
actionpack (7.2.2.1) lib/action_controller/metal/request_forgery_protection.rb:395:in `verify_authenticity_token'
activesupport (7.2.2.1) lib/active_support/callbacks.rb:362:in `block in make_lambda'
activesupport (7.2.2.1) lib/active_support/callbacks.rb:179:in `block in call'
actionpack (7.2.2.1) lib/abstract_controller/callbacks.rb:34:in `block (2 levels) in <module:Callbacks>'
activesupport (7.2.2.1) lib/active_support/callbacks.rb:180:in `call'
activesupport (7.2.2.1) lib/active_support/callbacks.rb:559:in `block in invoke_before'
activesupport (7.2.2.1) lib/active_support/callbacks.rb:559:in `each'
activesupport (7.2.2.1) lib/active_support/callbacks.rb:559:in `invoke_before'
activesupport (7.2.2.1) lib/active_support/callbacks.rb:119:in `block in run_callbacks'
activesupport (7.2.2.1) lib/active_support/callbacks.rb:141:in `run_callbacks'
actionpack (7.2.2.1) lib/abstract_controller/callbacks.rb:260:in `process_action'
actionpack (7.2.2.1) lib/action_controller/metal/rescue.rb:27:in `process_action'
actionpack (7.2.2.1) lib/action_controller/metal/instrumentation.rb:77:in `block in process_action'
activesupport (7.2.2.1) lib/active_support/notifications.rb:210:in `block in instrument'
activesupport (7.2.2.1) lib/active_support/notifications/instrumenter.rb:58:in `instrument'
activesupport (7.2.2.1) lib/active_support/notifications.rb:210:in `instrument'
actionpack (7.2.2.1) lib/action_controller/metal/instrumentation.rb:76:in `process_action'
actionpack (7.2.2.1) lib/action_controller/metal/params_wrapper.rb:259:in `process_action'
activerecord (7.2.2.1) lib/active_record/railties/controller_runtime.rb:39:in `process_action'
actionpack (7.2.2.1) lib/abstract_controller/base.rb:163:in `process'
actionview (7.2.2.1) lib/action_view/rendering.rb:40:in `process'
actionpack (7.2.2.1) lib/action_controller/metal.rb:252:in `dispatch'
actionpack (7.2.2.1) lib/action_controller/metal.rb:335:in `dispatch'
actionpack (7.2.2.1) lib/action_dispatch/routing/route_set.rb:67:in `dispatch'
actionpack (7.2.2.1) lib/action_dispatch/routing/route_set.rb:50:in `serve'
actionpack (7.2.2.1) lib/action_dispatch/routing/mapper.rb:32:in `block in <class:Constraints>'
actionpack (7.2.2.1) lib/action_dispatch/routing/mapper.rb:62:in `serve'
actionpack (7.2.2.1) lib/action_dispatch/journey/router.rb:53:in `block in serve'
actionpack (7.2.2.1) lib/action_dispatch/journey/router.rb:133:in `block in find_routes'
actionpack (7.2.2.1) lib/action_dispatch/journey/router.rb:126:in `each'
actionpack (7.2.2.1) lib/action_dispatch/journey/router.rb:126:in `find_routes'
actionpack (7.2.2.1) lib/action_dispatch/journey/router.rb:34:in `serve'
actionpack (7.2.2.1) lib/action_dispatch/routing/route_set.rb:896:in `call'
railties (7.2.2.1) lib/rails/engine.rb:535:in `call'
railties (7.2.2.1) lib/rails/railtie.rb:226:in `public_send'
railties (7.2.2.1) lib/rails/railtie.rb:226:in `method_missing'
actionpack (7.2.2.1) lib/action_dispatch/routing/mapper.rb:33:in `block in <class:Constraints>'
actionpack (7.2.2.1) lib/action_dispatch/routing/mapper.rb:62:in `serve'
actionpack (7.2.2.1) lib/action_dispatch/journey/router.rb:53:in `block in serve'
actionpack (7.2.2.1) lib/action_dispatch/journey/router.rb:133:in `block in find_routes'
actionpack (7.2.2.1) lib/action_dispatch/journey/router.rb:126:in `each'
actionpack (7.2.2.1) lib/action_dispatch/journey/router.rb:126:in `find_routes'
actionpack (7.2.2.1) lib/action_dispatch/journey/router.rb:34:in `serve'
actionpack (7.2.2.1) lib/action_dispatch/routing/route_set.rb:896:in `call'
omniauth (2.1.2) lib/omniauth/strategy.rb:202:in `call!'
omniauth (2.1.2) lib/omniauth/strategy.rb:169:in `call'
omniauth (2.1.2) lib/omniauth/strategy.rb:202:in `call!'
omniauth (2.1.2) lib/omniauth/strategy.rb:169:in `call'
omniauth (2.1.2) lib/omniauth/strategy.rb:202:in `call!'
omniauth (2.1.2) lib/omniauth/strategy.rb:169:in `call'
omniauth (2.1.2) lib/omniauth/strategy.rb:202:in `call!'
omniauth (2.1.2) lib/omniauth/strategy.rb:169:in `call'
actionpack (7.2.2.1) lib/action_dispatch/middleware/static.rb:27:in `call'
warden (1.2.9) lib/warden/manager.rb:36:in `block in call'
warden (1.2.9) lib/warden/manager.rb:34:in `catch'
warden (1.2.9) lib/warden/manager.rb:34:in `call'
rack (3.1.8) lib/rack/tempfile_reaper.rb:20:in `call'
rack (3.1.8) lib/rack/etag.rb:29:in `call'
rack (3.1.8) lib/rack/conditional_get.rb:43:in `call'
rack (3.1.8) lib/rack/head.rb:15:in `call'
actionpack (7.2.2.1) lib/action_dispatch/http/permissions_policy.rb:38:in `call'
actionpack (7.2.2.1) lib/action_dispatch/http/content_security_policy.rb:38:in `call'
rack-session (2.1.0) lib/rack/session/abstract/id.rb:274:in `context'
rack-session (2.1.0) lib/rack/session/abstract/id.rb:268:in `call'
actionpack (7.2.2.1) lib/action_dispatch/middleware/cookies.rb:704:in `call'
activerecord (7.2.2.1) lib/active_record/migration.rb:674:in `call'
actionpack (7.2.2.1) lib/action_dispatch/middleware/callbacks.rb:31:in `block in call'
activesupport (7.2.2.1) lib/active_support/callbacks.rb:101:in `run_callbacks'
actionpack (7.2.2.1) lib/action_dispatch/middleware/callbacks.rb:30:in `call'
actionpack (7.2.2.1) lib/action_dispatch/middleware/executor.rb:16:in `call'
actionpack (7.2.2.1) lib/action_dispatch/middleware/actionable_exceptions.rb:18:in `call'
actionpack (7.2.2.1) lib/action_dispatch/middleware/debug_exceptions.rb:31:in `call'
web-console (4.2.1) lib/web_console/middleware.rb:132:in `call_app'
web-console (4.2.1) lib/web_console/middleware.rb:19:in `block in call'
web-console (4.2.1) lib/web_console/middleware.rb:17:in `catch'
web-console (4.2.1) lib/web_console/middleware.rb:17:in `call'
actionpack (7.2.2.1) lib/action_dispatch/middleware/show_exceptions.rb:32:in `call'
railties (7.2.2.1) lib/rails/rack/logger.rb:41:in `call_app'
railties (7.2.2.1) lib/rails/rack/logger.rb:29:in `call'
sprockets-rails (3.5.2) lib/sprockets/rails/quiet_assets.rb:17:in `call'
actionpack (7.2.2.1) lib/action_dispatch/middleware/remote_ip.rb:96:in `call'
actionpack (7.2.2.1) lib/action_dispatch/middleware/request_id.rb:33:in `call'
rack (3.1.8) lib/rack/method_override.rb:28:in `call'
rack (3.1.8) lib/rack/runtime.rb:24:in `call'
activesupport (7.2.2.1) lib/active_support/cache/strategy/local_cache_middleware.rb:29:in `call'
actionpack (7.2.2.1) lib/action_dispatch/middleware/server_timing.rb:61:in `block in call'
actionpack (7.2.2.1) lib/action_dispatch/middleware/server_timing.rb:26:in `collect_events'
actionpack (7.2.2.1) lib/action_dispatch/middleware/server_timing.rb:60:in `call'
actionpack (7.2.2.1) lib/action_dispatch/middleware/executor.rb:16:in `call'
actionpack (7.2.2.1) lib/action_dispatch/middleware/static.rb:27:in `call'
rack (3.1.8) lib/rack/sendfile.rb:114:in `call'
actionpack (7.2.2.1) lib/action_dispatch/middleware/host_authorization.rb:143:in `call'
railties (7.2.2.1) lib/rails/engine.rb:535:in `call'
puma (6.5.0) lib/puma/configuration.rb:279:in `call'
puma (6.5.0) lib/puma/request.rb:99:in `block in handle_request'
puma (6.5.0) lib/puma/thread_pool.rb:389:in `with_force_shutdown'
puma (6.5.0) lib/puma/request.rb:98:in `handle_request'
puma (6.5.0) lib/puma/server.rb:468:in `process_client'
puma (6.5.0) lib/puma/server.rb:249:in `block in run'
puma (6.5.0) lib/puma/thread_pool.rb:166:in `block in spawn_thread'
Request
Parameters:

{"authenticity_token"=>"[FILTERED]", "spree_user"=>{"email"=>"[FILTERED]", "password"=>"[FILTERED]", "remember_me"=>"0"}, "commit"=>"Login"}
Toggle session dump
_csrf_token: "E9954eSZlbMt15Nzyn4Hh8-8RR3nKC50VzZw6M4HOB4"
locale: "en"
session_id: "4af8a546a88ad73556c805d0f5158e48"
spree_user_return_to: "/admin/stores"
Toggle env dump
GATEWAY_INTERFACE: "CGI/1.2"
HTTP_ACCEPT: "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"
HTTP_ACCEPT_ENCODING: "gzip, deflate, br, zstd"
HTTP_ACCEPT_LANGUAGE: "en-US,en;q=0.9,de;q=0.8,it;q=0.7"
HTTP_CACHE_CONTROL: "max-age=0"
HTTP_CLIENT_IP: "10.0.0.101"
HTTP_ORIGIN: "[removed]"
HTTP_VERSION: "HTTP/1.0"
HTTP_X_FORWARDED_FOR: "10.0.0.101"
ORIGINAL_SCRIPT_NAME: ""
REMOTE_ADDR: "127.0.0.1"
SERVER_NAME: "[removed]"
SERVER_PROTOCOL: "HTTP/1.0"
Response
Headers:

None

[fthobe]

@tvdeyen @jarednorman @kennyadsl
is this something to be worried about?

[tvdeyen]

@tvdeyen @jarednorman @kennyadsl is this something to be worried about?

No, nothing to worry as this only happens to people with multiple accounts and different role sets (non-admin vs. admin). Regular people mostly don't have such accounts. And even if, it is easily solved by clearing the cache as you described. Nevertheless this is an annoying bug that we happy accept fixes for.

[fthobe]

ok so let's leave this open.

[jarednorman]

I am surprised that this causes a CSRF error, though.

@tvdeyen do you understand why that is?

[fthobe]

I am surprised that this causes a CSRF error, though.

Session residuals in the browser probably.

It points me back to the discussion to split user and admin sessions. Also looking at the state of devise we should all consider maybe moving this to discussions (@jarednorman I am not having a stroke). Maybe the day has come that devise does not serve us well anymore.

[fthobe]

@jarednorman can you move this to a discussion?

[jarednorman]

Well isn't that something.