Rails JS链接在控制器上处理了两次

Question

Seeing some strange behavior in an app I'm coding. I have an index page that shows a list of records. If I create a new record, it is inserted into the DB and then the user is redirected to the index page which now shows the new record. Each record has some AJAX voting links. When the user clicks a voting link on the new item, I see the request processed twice by the controller with two different IP addresses...also, I am storing a UUID in a permanent cookie for each user, and the second request from the second IP address shows a different UUID than the current user.

I've only seen the problem at my friend's office, so I don't know if it is because of their messed up network or something (corporate network with proxies/firewalls/etc... which I'm told is poorly managed). I think it's bizarre that it only happens on new records, and not when clicking a voting link (which uses the same exact code) on pre-existing records...

Here's the log showing the controller response - note one response is processed as JS and the second as */* :

Started GET "/vote/14?vote_value=-1" for <company's external IP> at 2014-07-02 16:31:41 -0400
Processing by FoosController#voting as JS
  Parameters: {"vote_value"=>"-1", "foo_id"=>"14"}
  Foo Load (0.7ms)  SELECT "food".* FROM "food" WHERE "food"."id" = $1 ORDER BY created_at DESC LIMIT 1  [["id", "14"]]
   (0.3ms)  BEGIN
  SQL (0.8ms)  INSERT INTO "votes" ("created_at", "updated_at", "uuid", "value", "foo_id") VALUES ($1, $2, $3, $4, $5) RETURNING "id"  [["created_at", Wed, 02 Jul 2014 20:31:41 UTC +00:00], ["updated_at", Wed, 02 Jul 2014 20:31:41 UTC +00:00], ["uuid", "61230391-311a-4358-9c4b-665d2a8bc8e9"], ["value", -1], ["foo_id", 14]]
   (2.0ms)  COMMIT
   (0.2ms)  BEGIN
   (0.3ms)  COMMIT
  Rendered foo/voting.js.erb (0.1ms)
Completed 200 OK in 14ms (Views: 2.2ms | ActiveRecord: 4.3ms)


Started GET "/vote/14?vote_value=-1" for <different unrecognized IP> at 2014-07-02 16:31:41 -0400
Processing by FoosController#voting as */*
  Parameters: {"vote_value"=>"-1", "foo_id"=>"14"}
  Foo Load (0.6ms)  SELECT "food".* FROM "food" WHERE "food"."id" = $1 ORDER BY created_at DESC LIMIT 1  [["id", "14"]]
   (0.3ms)  BEGIN
  SQL (0.7ms)  INSERT INTO "votes" ("created_at", "updated_at", "uuid", "value", "foo_id") VALUES ($1, $2, $3, $4, $5) RETURNING "id"  [["created_at", Wed, 02 Jul 2014 20:31:41 UTC +00:00], ["updated_at", Wed, 02 Jul 2014 20:31:41 UTC +00:00], ["uuid", "b8a23470-9f9f-4a65-8577-7da7e31a6995"], ["value", -1], ["foo_id", 14]]
   (1.7ms)  COMMIT
   (0.1ms)  BEGIN
   (0.1ms)  COMMIT
  Rendered foo/voting.js.erb (0.2ms)
Completed 200 OK in 13ms (Views: 2.4ms | ActiveRecord: 3.5ms)

Here's the partial for the records that includes the AJAX links:

<div class="foo" id="foo-<%= foo.id %>">
  <div class="voting">
    <span id="foo-<%= foo.id %>-score"><%= foo.score %></span>
    <div class="voting-links" id="foo-<%= foo.id %>-voting-links">
      <%= link_to 'UP', voting_path(foo.id, vote_value: 1), remote: true %> /
      <%= link_to 'DOWN', voting_path(foo.id, vote_value: -1), remote: true %>
    </div>
  </div>

  <div class="foo-content" id="foo-<%= foo.id %>-content">
     <%= foo.content %>
  </div>
</div>

Here's my controller action:

def voting
    @foo = Foo.find(params[:foo_id])

    vote = @foo.votes.create(uuid: cookies[:user_uuid], value: params[:vote_value])

    @foo.save

    respond_to do |format|
      format.html { redirect_to root_path }
      format.js { render 'voting' }
    end
  end

And the response js.erb file:

score = $('#foo-' + <%= @foo.id %> + '-score');
score.html(<%= @foo.score %>);

Any ideas on how to troubleshoot this or make sure it is not an application issue and is a network issue at this particular site? I haven't been able to reproduce in my office. I used Firebug to check out the request being made from the browser, and it looks like only one request is being sent out. Is this just an issue of a misconfigured gateway/router/firewall etc... reproducing the request somehow? The fact that it is sending over two different UUIDs seems significant, but I can't imagine why it only happens with new entries.

Thanks!

Answer 1

If it comes from one single location then it is not coming from your code. It could be a virus, a badly set-up caching proxy, a web-scanner bot, or anything else.

Defending your code against double entry is a good thing to do, but seems pretty complex. Example: You cannot rely on source IP because of load balancing proxies.

Anyhow there is something you can try (and I think you must do):

1- You are using a GET request, and I see from your log that an INSERT is done in your database. This goes against RESTfull solutions. Only POST request should trigger INSERTs. You should change your code to reflect that, no matter how hard this is

2- Once you have correctly set-up POST request for that action, you must enforce rails to protect against cross-script request by using csrf_meta_tags in your headers, and protect_from_forgery in your controllers.

I do hope this would fix the situation and drop the second request. Just be sure that your test suite is fully covering your code before you start such modifications, because such a deep change may lead to unsuspected result specially with AJAX form or multipart forms.

It's complex and it may be long, but as I see your log now it seems your server is not protected.