Don't rely on cookies to provide the csrf token

Angular won't see the cookie value when running from the extension because the app page is served from the extension bundle and is therefore on a different origin than the backend. Similarly, Angular doesn't set the header when making cross-origin requests. Work around the issue by sending the token in responses from the backend and setting the header ourselves.

Don't rely on cookies to provide the csrf token
Angular won't see the cookie value when running from the extension because the app page is served from the extension bundle and is therefore on a different origin than the backend. Similarly, Angular doesn't set the header when making cross-origin requests. Work around the issue by sending the token in responses from the backend and setting the header ourselves.
cba2320b · Randall Leeds · b17d4dce · cba2320b · cba2320b
Commit cba2320b authored May 27, 2014 by Randall Leeds
Hide whitespace changes
Inline Side-by-side

Showing with 37 additions and 9 deletions

app.coffee h/js/app.coffee +3 -9

csrf.coffee h/js/csrf.coffee +34 -0

No files found.
--- a/h/js/app.coffee
+++ b/h/js/app.coffee
@@ -2,6 +2,7 @@ imports = [
  'bootstrap'
  'ngAnimate'
  'ngRoute'
+  'h.csrf'
  'h.controllers'
  'h.directives'
  'h.app_directives'
@@ -14,15 +15,8 @@ imports = [
 configure = [
-  '$httpProvider', '$locationProvider', '$provide', '$routeProvider',
+  '$locationProvider', '$provide', '$routeProvider', '$sceDelegateProvider',
-  '$sceDelegateProvider',
+  ($locationProvider,   $provide,   $routeProvider,   $sceDelegateProvider) ->
-  (
-   $httpProvider,   $locationProvider,   $provide,   $routeProvider,
-   $sceDelegateProvider,
-  ) ->
-    # Use the Pyramid XSRF header name
-    $httpProvider.defaults.xsrfHeaderName = 'X-CSRF-Token'
    $locationProvider.html5Mode(true)
    # Disable annotating while drafting

--- a/h/js/csrf.coffee
+++ b/h/js/csrf.coffee
+configure = ['$httpProvider', ($httpProvider) ->
+  # Use the Pyramid XSRF header name
+  $httpProvider.defaults.xsrfHeaderName = 'X-CSRF-Token'
+  # Track the token with an interceptor because the cookies will not be
+  # available on extension requests due to cross-origin restrictions.
+  $httpProvider.interceptors.push ['baseURI', (baseURI) ->
+    defaults = $httpProvider.defaults
+    token = null
+    _getToken = (response) ->
+      data = response.data
+      format = response.headers 'content-type'
+      if format?.match /^application\/json/
+        if data.csrf?
+          token = data.csrf
+          delete data.csrf
+      response
+    _setToken = (config) ->
+      if config.url.match(baseURI)?.index == 0
+        cookieName = config.xsrfCookieName || defaults.xsrfCookieName
+        headerName = config.xsrfHeaderName || defaults.xsrfHeaderName
+        config.headers[headerName] ?= token
+      config
+    request: _setToken
+    response: _getToken
+    responseError: _getToken
+  ]
+]
+angular.module('h.csrf', ['h.helpers'], configure)