Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fixes part of #5002: Remove CSRF token from GLOBALS #6951

Merged
merged 45 commits into from
Jul 2, 2019
Merged

Fixes part of #5002: Remove CSRF token from GLOBALS #6951

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
45 commits
Select commit Hold shift + click to select a range
f117d8a
remove csrf global
jameesjohn Jun 16, 2019
6bbc862
refactor tests
jameesjohn Jun 17, 2019
809e4b3
lint issues
jameesjohn Jun 17, 2019
3a917c3
lint issues
jameesjohn Jun 17, 2019
b7ff267
work on fe tests
jameesjohn Jun 17, 2019
efe0d3c
working on failing tests
jameesjohn Jun 17, 2019
5bd0884
work on e2e tests
jameesjohn Jun 18, 2019
9e5a5e4
minor issue in admin
jameesjohn Jun 18, 2019
427ea8e
address some review comments
jameesjohn Jun 18, 2019
bf83726
work on failing tests
jameesjohn Jun 18, 2019
dfac34f
erroring tests
jameesjohn Jun 18, 2019
f964002
still on tests
jameesjohn Jun 18, 2019
bca6d72
address more review comments
jameesjohn Jun 18, 2019
828e486
still on the test issue
jameesjohn Jun 19, 2019
f9daa2c
fix error
jameesjohn Jun 19, 2019
b975bfd
still on tests
jameesjohn Jun 19, 2019
a198edf
Merge branch 'develop' of https://github.com/oppia/oppia into csrf-gl…
jameesjohn Jun 21, 2019
6510b39
work on erroring tests
jameesjohn Jun 21, 2019
261a101
still on failing tests
jameesjohn Jun 21, 2019
def2e12
address review comments
jameesjohn Jun 22, 2019
496c7a4
Merge branch 'develop' of https://github.com/oppia/oppia into csrf-gl…
jameesjohn Jun 22, 2019
ab95746
address review comment
jameesjohn Jun 22, 2019
e42f68c
address review comment and working on tests
jameesjohn Jun 23, 2019
f7c50c8
address review comment
jameesjohn Jun 23, 2019
c102738
work on failing tests
jameesjohn Jun 25, 2019
0eac0d7
Merge branch 'develop' of https://github.com/oppia/oppia into csrf-gl…
jameesjohn Jun 25, 2019
30a6694
remove csrf from other pages
jameesjohn Jun 25, 2019
1885acc
fix lint issue
jameesjohn Jun 25, 2019
99c76ff
work on failing tests
jameesjohn Jun 25, 2019
cbe194b
use promises in csrf token
jameesjohn Jun 26, 2019
8a05062
refactor to use jQuery
jameesjohn Jun 26, 2019
65017af
Address review comments.
jameesjohn Jun 26, 2019
5eee0c3
remove unnecessary imports from base.ts
jameesjohn Jun 26, 2019
ce810e2
work on failing FE test
jameesjohn Jun 27, 2019
299b45e
fix failing tests
jameesjohn Jun 27, 2019
997257b
address review comments
jameesjohn Jun 28, 2019
4127098
work on FE tests
jameesjohn Jun 28, 2019
19cd171
work on failing test
jameesjohn Jun 28, 2019
aa3010b
refactor based on test
jameesjohn Jun 28, 2019
f1ec691
address review comments
jameesjohn Jun 28, 2019
b143909
Merge branch 'develop' of https://github.com/oppia/oppia into csrf-gl…
jameesjohn Jun 29, 2019
ffc26b1
address review comments and fix failing Travis test
jameesjohn Jun 29, 2019
493a049
work on failing tests
jameesjohn Jun 29, 2019
cee7068
Merge branch 'develop' of https://github.com/oppia/oppia into csrf-gl…
jameesjohn Jul 1, 2019
79bc7a0
work on fe tests
jameesjohn Jul 1, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
address review comments
  • Loading branch information
@jameesjohn
jameesjohn committed Jun 28, 2019
commit 997257bff5c669800b4eba71c086652a55ce27f1
2 changes: 1 addition & 1 deletion core/templates/dev/head/pages/Base.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -53,7 +53,7 @@ oppia.controller('Base', [

$scope.isBackgroundMaskActive = BackgroundMaskService.isMaskActive;

CsrfTokenService.getToken();
CsrfTokenService.initializeToken();

// Listener function to catch the change in language preference.
$rootScope.$on('$translateChangeSuccess', function(evt, response) {
Expand Down
2 changes: 1 addition & 1 deletion core/templates/dev/head/pages/admin-page/admin-page.directive.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -105,7 +105,7 @@ oppia.directive('adminPage', ['UrlInterpolationService',
ctrl.isRolesTabOpen = AdminRouterService.isRolesTabOpen;
ctrl.isMiscTabOpen = AdminRouterService.isMiscTabOpen;

CsrfTokenService.getToken();
CsrfTokenService.initializeToken();

ctrl.setStatusMessage = function(statusMessage) {
ctrl.statusMessage = statusMessage;
Expand Down
52 changes: 29 additions & 23 deletions core/templates/dev/head/services/CsrfTokenService.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,33 +18,39 @@

oppia.factory('CsrfTokenService', [function() {
vojtechjelinek marked this conversation as resolved.
Show resolved Hide resolved
var token = null;
var tokenPromise = null;

return {
setToken: function(csrfToken) {
token = csrfToken;
initializeToken: function() {
if (token !== null) {
throw Error('Token already set');
}
tokenPromise = new Promise(function(resolve, reject) {
// We use jQuery here instead of Angular's $http, since the latter
// creates a circular dependency.
$.ajax({
url: '/csrfhandler',
type: 'GET',
dataType: 'text',
dataFilter: function(data) {
// Remove the XSSI prefix.
var transformedData = data.substring(5);
return JSON.parse(transformedData);
},
}).done(function(response) {
token = response.token;
resolve(response.token);
});
});
},

getToken: function() {
Copy link
Member

@seanlip seanlip Jun 28, 2019
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we be guarding against the CSRF token being fetched more than once by a page? Perhaps you should have the following methods:

  • initializeToken() -- can only be called once, throws error if called when token is not null
  • getToken() -- retrieves the current token, throws error if no token is set.

Also, do you actually need setToken()?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.
I've removed setToken since it is no longer needed.

// We use jQuery here instead of Angular's $http, since the latter
// creates a circular dependency.
return new Promise(function(resolve, reject) {
if (token) {
if (token) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we throw an error if no token is set (i.e. initialization has not happened yet)? If you think it's possible for this to be called before initialization, then change the name to getTokenAsync(), and add a test that calls getToken() before initializeToken() and make sure that works correctly. Otherwise, throw an error if token is null and just return the token otherwise; no need to return a promise.

Copy link
Contributor Author

@jameesjohn jameesjohn Jun 28, 2019
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@seanlip I think we'll still need to return a promise because it is possible that the initialization is not complete when a POST or PUT request is sent so the request will have to wait for the initialization to be complete.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done PTAL

Copy link
Member

@seanlip seanlip Jun 28, 2019
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK, can you add a test that calls getTokenAsync() before initializeToken() so that we can be sure this works correctly in the case where token initialization has some latency?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've done that already here

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if (token !== null)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

return new Promise(function(resolve, reject) {
resolve(token);
} else {
// Fetch token if it isn't already available.
$.ajax({
url: '/csrfhandler',
type: 'GET',
dataType: 'text',
dataFilter: function(data) {
// Remove the XSSI prefix.
var transformedData = data.substring(5);
return JSON.parse(transformedData);
},
}).done(function(response) {
token = response.token;
resolve(response.token);
});
}
});
});
}
return tokenPromise;
}
};
}]);
22 changes: 19 additions & 3 deletions core/templates/dev/head/services/CsrfTokenServiceSpec.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,15 +22,31 @@ describe('Csrf Token Service', function() {
var CsrfTokenService, $httpBackend;

beforeEach(angular.mock.module('oppia'));
beforeEach(angular.mock.inject(function($injector) {
beforeEach(angular.mock.inject(function($injector, $q) {
CsrfTokenService = $injector.get('CsrfTokenService');
$httpBackend = $injector.get('$httpBackend');

spyOn($, 'ajax').and.callFake(function() {
var deferred = $q.defer();
deferred.resolve('sample-csrf-token');
return deferred.promise;
});
}));

it('should correctly set the csrf token', function() {
CsrfTokenService.setToken('sample csrf token');
CsrfTokenService.initializeToken();

CsrfTokenService.getToken().then(function(token) {
expect(token).toBe('sample csrf token');
expect(token).toBe('sample-csrf-token');
});
});

it('should error if initialize is called more than once',
function() {
CsrfTokenService.initializeToken();

expect(CsrfTokenService.initializeToken()).toThrowError(
'Token already set');
}
);
});