Hi there.
We've just started using Canvas LMS as an internal training system and LTI integration development platform. We're running the Production Start Guide version, with code pulled from Canvas' github, tag release/2020-12-16.47.
We're hitting the exact same issue as sdtriathlete, in that custom javascript files in themes are not served by the file download controller and receive instead a 422 error code, along with CSRF-related failures in production.log.
This seems to be a regression from a (much earlier) fix for the exact same issue (see commit at https://github.com/instructure/canvas-lms/commit/c18b389a70fd227b3d61a82356316f2481ae5006).
The files_controller.rb code that was targeted in the above commit has been refactored since, and seems to have introduced that regression?
We intended to use javascript to customise the login page to show a button to direct users to our SSO provider rather than an Apache redirect, which is what we'll have to do for now.
Can Canvas at least point us in the direction of a possible patch (we're not ruby experts, unfortunately)?
Much appreciated!
Jean-François Poirier
X2O Media Inc.
