Isolate XSRF Token handling to session service

3c1764df · Randall Leeds · b47b6bd0 · 3c1764df · 3c1764df
Commit 3c1764df authored Oct 03, 2014 by Randall Leeds
Show whitespace changes
Inline Side-by-side

Showing with 40 additions and 47 deletions

auth.coffee h/static/scripts/auth/auth.coffee +25 -36

session-service.coffee h/static/scripts/auth/session-service.coffee +15 -11

No files found.
--- a/h/static/scripts/auth/auth.coffee
+++ b/h/static/scripts/auth/auth.coffee
@@ -5,22 +5,11 @@ imports = [
 ]
-configure = ['$httpProvider', 'identityProvider', ($httpProvider, identityProvider) ->
+configure = [
-  defaults = $httpProvider.defaults
+  '$httpProvider', 'identityProvider',
+  ($httpProvider,   identityProvider) ->
    # Use the Pyramid XSRF header name
-  defaults.xsrfHeaderName = 'X-CSRF-Token'
+    $httpProvider.defaults.xsrfHeaderName = 'X-CSRF-Token'
-  $httpProvider.interceptors.push ['documentHelpers', (documentHelpers) ->
-    request: (config) ->
-      endpoint = documentHelpers.absoluteURI('/app')
-      if config.url.indexOf(endpoint) == 0
-        # Set the cross site request forgery token
-        cookieName = config.xsrfCookieName || defaults.xsrfCookieName
-        headerName = config.xsrfHeaderName || defaults.xsrfHeaderName
-        config.headers[headerName] ?= csrfToken
-      config
-  ]
    identityProvider.checkAuthorization = [
      'session',

--- a/h/static/scripts/auth/session-service.coffee
+++ b/h/static/scripts/auth/session-service.coffee
@@ -21,12 +21,6 @@ for action in ACTION
    withCredentials: true
-# Global because $resource doesn't support request interceptors, so a
-# the default http request interceptor and the session resource interceptor
-# need to share it.
-csrfToken = null
 ###*
 # @ngdoc provider
 # @name sessionProvider
@@ -66,9 +60,20 @@ class SessionProvider
  #   });
  ###
  $get: [
-    '$q', '$resource', 'documentHelpers', 'flash',
+    '$http', '$q', '$resource', 'documentHelpers', 'flash',
-    ($q,   $resource,   documentHelpers,   flash) ->
+    ($http,   $q,   $resource,   documentHelpers,   flash) ->
      actions = {}
+      provider = this
+      # Capture the state of the cross site request forgery token.
+      # If cookies are blocked this is our only way to get it.
+      xsrfToken = null
+      prepare = (data, headersGetter) ->
+        if xsrfToken
+          headers = headersGetter()
+          headers[$http.defaults.xsrfHeaderName] = xsrfToken
+        return angular.toJson data
      process = (data, headersGetter) ->
        # Parse as json
@@ -83,15 +88,14 @@ class SessionProvider
        for q, msgs of data.flash
          flash q, msgs
-        # Capture the cross site request forgery token without cookies.
+        xsrfToken = model.csrf
-        # If cookies are blocked this is our only way to get it.
-        csrfToken = model.certificate
        # Return the model
        model
      for name, options of ACTION_OPTION
        actions[name] = angular.extend {}, options, @options
+        actions[name].transformRequest = prepare
        actions[name].transformResponse = process
      endpoint = documentHelpers.absoluteURI('/app')