From e58cdf40bb7b9334c638089dfd7b2a1c3b329e47 Mon Sep 17 00:00:00 2001 From: Shrikant Sharat Kandula Date: Sun, 25 Dec 2022 11:31:51 +0530 Subject: [PATCH] fix: Logout user, if session deserialization fails (#19188) We handle this in the global error handler, looking for the error message that indicates this cause, and include a cookie deletion header, so the user can recover by logging in again. Signed-off-by: Shrikant Sharat Kandula --- .../AppSmithErrorWebExceptionHandler.java | 29 ++++++++++++++++--- 1 file changed, 25 insertions(+), 4 deletions(-) diff --git a/app/server/appsmith-server/src/main/java/com/appsmith/server/exceptions/AppSmithErrorWebExceptionHandler.java b/app/server/appsmith-server/src/main/java/com/appsmith/server/exceptions/AppSmithErrorWebExceptionHandler.java index ef7a211e9c..22dd5d97a5 100644 --- a/app/server/appsmith-server/src/main/java/com/appsmith/server/exceptions/AppSmithErrorWebExceptionHandler.java +++ b/app/server/appsmith-server/src/main/java/com/appsmith/server/exceptions/AppSmithErrorWebExceptionHandler.java @@ -12,6 +12,7 @@ import org.springframework.boot.web.reactive.error.ErrorAttributes; import org.springframework.context.ApplicationContext; import org.springframework.core.annotation.Order; import org.springframework.http.MediaType; +import org.springframework.http.ResponseCookie; import org.springframework.http.codec.ServerCodecConfigurer; import org.springframework.stereotype.Component; import org.springframework.web.reactive.function.BodyInserters; @@ -31,6 +32,10 @@ import static org.springframework.web.reactive.function.server.RouterFunctions.r @Component @Order(-2) public class AppSmithErrorWebExceptionHandler extends DefaultErrorWebExceptionHandler { + + public static final String DESERIALIZATION_ERROR_MESSAGE = + "Failed to deserialize payload. Is the byte array a result of corresponding serialization for DefaultDeserializer"; + @Autowired public AppSmithErrorWebExceptionHandler(ErrorAttributes errorAttributes, WebProperties webProperties, ServerProperties serverProperties, ApplicationContext applicationContext, @@ -52,9 +57,25 @@ public class AppSmithErrorWebExceptionHandler extends DefaultErrorWebExceptionHa Map error = getErrorAttributes(request, ErrorAttributeOptions.of(ErrorAttributeOptions.Include.STACK_TRACE)); int errorCode = getHttpStatus(error); - return ServerResponse.status(errorCode). - contentType(MediaType.APPLICATION_JSON). - body(BodyInserters. - fromValue(new ResponseDTO<>(errorCode, new ErrorDTO(errorCode, String.valueOf(error.get("error")))))); + ServerResponse.BodyBuilder responseBuilder = ServerResponse.status(errorCode) + .contentType(MediaType.APPLICATION_JSON); + + if (errorCode == 500 && String.valueOf(error.get("trace")).contains(DESERIALIZATION_ERROR_MESSAGE)) { + // If the error is regarding a deserialization error in the session data, then the user is essentially locked out. + // They have to use a different browser, or Incognito, or clear their cookies to get back in. So, we'll delete + // the SESSION cookie here, so that the user gets sent back to the Login page, and they can unblock themselves. + responseBuilder = responseBuilder.cookie( + ResponseCookie.from("SESSION", "") + .httpOnly(true) + .path("/") + .maxAge(0) + .build() + ); + } + + return responseBuilder.body( + BodyInserters + .fromValue(new ResponseDTO<>(errorCode, new ErrorDTO(errorCode, String.valueOf(error.get("error"))))) + ); } }