Isolate XSRF Token handling to session service

h/static/scripts/auth/auth.coffee

@@ -5,42 +5,31 @@ imports = [
 ]
 
 
-configure = ['$httpProvider', 'identityProvider', ($httpProvider, identityProvider) ->
-  defaults = $httpProvider.defaults
-
-  # Use the Pyramid XSRF header name
-  defaults.xsrfHeaderName = 'X-CSRF-Token'
-
-  $httpProvider.interceptors.push ['documentHelpers', (documentHelpers) ->
-    request: (config) ->
-      endpoint = documentHelpers.absoluteURI('/app')
-      if config.url.indexOf(endpoint) == 0
-        # Set the cross site request forgery token
-        cookieName = config.xsrfCookieName || defaults.xsrfCookieName
-        headerName = config.xsrfHeaderName || defaults.xsrfHeaderName
-        config.headers[headerName] ?= csrfToken
-      config
-  ]
-
-  identityProvider.checkAuthorization = [
-    'session',
-    (session) ->
-      session.load().$promise
-  ]
-
-  identityProvider.forgetAuthorization = [
-    'session',
-    (session) ->
-      session.logout({}).$promise
-  ]
-
-  identityProvider.requestAuthorization = [
-    '$q', '$rootScope',
-    ($q,   $rootScope) ->
-      deferred = $q.defer()
-      $rootScope.$on 'session', (event, data) -> deferred.resolve data
-      deferred.promise
-  ]
+configure = [
+  '$httpProvider', 'identityProvider',
+  ($httpProvider,   identityProvider) ->
+    # Use the Pyramid XSRF header name
+    $httpProvider.defaults.xsrfHeaderName = 'X-CSRF-Token'
+
+    identityProvider.checkAuthorization = [
+      'session',
+      (session) ->
+        session.load().$promise
+    ]
+
+    identityProvider.forgetAuthorization = [
+      'session',
+      (session) ->
+        session.logout({}).$promise
+    ]
+
+    identityProvider.requestAuthorization = [
+      '$q', '$rootScope',
+      ($q,   $rootScope) ->
+        deferred = $q.defer()
+        $rootScope.$on 'session', (event, data) -> deferred.resolve data
+        deferred.promise
+    ]
 ]
 
 

h/static/scripts/auth/session-service.coffee

@@ -21,12 +21,6 @@ for action in ACTION
     withCredentials: true
 
 
-# Global because $resource doesn't support request interceptors, so a
-# the default http request interceptor and the session resource interceptor
-# need to share it.
-csrfToken = null
-
-
 ###*
 # @ngdoc provider
 # @name sessionProvider
@@ -66,9 +60,20 @@ class SessionProvider
   #   });
   ###
   $get: [
-    '$q', '$resource', 'documentHelpers', 'flash',
-    ($q,   $resource,   documentHelpers,   flash) ->
+    '$http', '$q', '$resource', 'documentHelpers', 'flash',
+    ($http,   $q,   $resource,   documentHelpers,   flash) ->
       actions = {}
+      provider = this
+
+      # Capture the state of the cross site request forgery token.
+      # If cookies are blocked this is our only way to get it.
+      xsrfToken = null
+
+      prepare = (data, headersGetter) ->
+        if xsrfToken
+          headers = headersGetter()
+          headers[$http.defaults.xsrfHeaderName] = xsrfToken
+        return angular.toJson data
 
       process = (data, headersGetter) ->
         # Parse as json
@@ -83,15 +88,14 @@ class SessionProvider
         for q, msgs of data.flash
           flash q, msgs
 
-        # Capture the cross site request forgery token without cookies.
-        # If cookies are blocked this is our only way to get it.
-        csrfToken = model.certificate
+        xsrfToken = model.csrf
 
         # Return the model
         model
 
       for name, options of ACTION_OPTION
         actions[name] = angular.extend {}, options, @options
+        actions[name].transformRequest = prepare
         actions[name].transformResponse = process
 
       endpoint = documentHelpers.absoluteURI('/app')