You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The system spec Reset password (person) > When user uses form to change password > fills out the form, submits, and stays logged in intermittently fails in CI:
Failure/Error: expect(page).to have_current_path(root_path)
expected "/users/sign_in" to equal "/"
After submitting the password change form, the user sometimes ends up at /users/sign_in instead of /, indicating the session was lost during the form submission.
Root cause
The password change form submits via Turbo Drive (fetch API). After bypass_sign_in updates the session and the server sends a 303 redirect, there's a race condition where the browser may not process the Set-Cookie header from the redirect response before Turbo's follow-up GET request, causing it to carry a stale session cookie with a mismatched authenticatable_salt.
Approaches tried (not acceptable)
data-turbo="false" on the form (Fix flaky reset password test with custom Turbo Stream visit action #1474, earlier commits) — disabling Turbo on the form also disables it for all descendant elements, breaking data-turbo-method and data-turbo-confirm on the "Log out and reset it." link inside the form.
Custom Turbo Stream visit action (Fix flaky reset password test with custom Turbo Stream visit action #1474, later commits) — a turbo_stream_visit(url) helper that responds with a 200 containing a <turbo-stream action="visit"> tag, separating session update from navigation. This works but adds infrastructure (custom stream action in JS + helper in ApplicationController) that feels heavyweight for this one case.
Help wanted
We're open to suggestions for a cleaner fix. The solution should:
Keep Turbo enabled on the form (no data-turbo="false")
Not require custom Turbo Stream infrastructure
Reliably ensure the session cookie is set before the post-redirect navigation
Problem
The system spec
Reset password (person) > When user uses form to change password > fills out the form, submits, and stays logged inintermittently fails in CI:After submitting the password change form, the user sometimes ends up at
/users/sign_ininstead of/, indicating the session was lost during the form submission.Root cause
The password change form submits via Turbo Drive (fetch API). After
bypass_sign_inupdates the session and the server sends a 303 redirect, there's a race condition where the browser may not process theSet-Cookieheader from the redirect response before Turbo's follow-up GET request, causing it to carry a stale session cookie with a mismatchedauthenticatable_salt.Approaches tried (not acceptable)
data-turbo="false"on the form (Fix flaky reset password test with custom Turbo Stream visit action #1474, earlier commits) — disabling Turbo on the form also disables it for all descendant elements, breakingdata-turbo-methodanddata-turbo-confirmon the "Log out and reset it." link inside the form.Custom Turbo Stream
visitaction (Fix flaky reset password test with custom Turbo Stream visit action #1474, later commits) — aturbo_stream_visit(url)helper that responds with a 200 containing a<turbo-stream action="visit">tag, separating session update from navigation. This works but adds infrastructure (custom stream action in JS + helper in ApplicationController) that feels heavyweight for this one case.Help wanted
We're open to suggestions for a cleaner fix. The solution should:
data-turbo="false")