Fixes part of #5002: Remove CSRF token from GLOBALS #6951
Conversation
jameesjohn
requested review from
aks681,
ankita240796,
apb7,
DubeySandeep,
kevinlee12,
nithusha21 and
seanlip
as code owners
core/templates/dev/head/App.ts
Outdated
| return { | ||
| request: function(config) { | ||
| if (config.data) { | ||
| config.data = $.param({ | ||
| csrf_token: GLOBALS.csrf_token, | ||
| csrf_token: CsrfService.getToken(), |
There was a problem hiding this comment.
What if this is called before we the request for CSRF finishes? We should return a promise from .getToken() that will resolve only if the token is already available.
There was a problem hiding this comment.
@Jamesjay4199 When you mark a comment as resolved, please always include an explanation (for the benefit of future developers/reviewers). Could you respond to @vojtechjelinek's comment?
There was a problem hiding this comment.
I think this will never be the case because the csrf token is only used for post requests and a post request is only sent based on the user interaction with the page, while the request gets sent much earlier
There was a problem hiding this comment.
It could theoretically happen though (e.g. if the server is overloaded for some reason). What will the user experience in this case, and what should they experience ideally?
There was a problem hiding this comment.
I've refactored it to use a promise.
@vojtechjelinek PTAL
There was a problem hiding this comment.
Why do you need to use jQuery? AngularJS has $q, try to use that for promises if possible.
|
@seanlip PTAL |
| // creates a circular dependency. | ||
| return new Promise(function(resolve, reject) { | ||
| if (token) { | ||
| if (token) { |
There was a problem hiding this comment.
Should we throw an error if no token is set (i.e. initialization has not happened yet)? If you think it's possible for this to be called before initialization, then change the name to getTokenAsync(), and add a test that calls getToken() before initializeToken() and make sure that works correctly. Otherwise, throw an error if token is null and just return the token otherwise; no need to return a promise.
There was a problem hiding this comment.
@seanlip I think we'll still need to return a promise because it is possible that the initialization is not complete when a POST or PUT request is sent so the request will have to wait for the initialization to be complete.
There was a problem hiding this comment.
OK, can you add a test that calls getTokenAsync() before initializeToken() so that we can be sure this works correctly in the case where token initialization has some latency?
There was a problem hiding this comment.
I've done that already here
| } | ||
| ); | ||
|
|
||
| it('should error if getTokenAsync is called before initialization', |
There was a problem hiding this comment.
@seanlip It is tested here.
There was a problem hiding this comment.
I called getTokenAsync without calling initialization
There was a problem hiding this comment.
Wait, I'm confused, sorry. You said earlier:
@seanlip I think we'll still need to return a promise because it is possible that the initialization is not complete when a POST or PUT request is sent so the request will have to wait for the initialization to be complete.
But this test is checking that it throws an error, which seems different from your description.
Also, where does "Token needs to be initialized" come from? I do not see it in core/templates/dev/head/services/CsrfTokenService.ts
There was a problem hiding this comment.
The test checks if getTokenAsync is called without already calling initializeToken.
It throws the error if a call to getTokenAsync was made before initializing the token
| } | ||
| ); | ||
|
|
||
| it('should error if getTokenAsync is called before initialization', |
There was a problem hiding this comment.
The test checks if getTokenAsync is called without already calling initializeToken.
It throws the error if a call to getTokenAsync was made before initializing the token
| if (tokenPromise) { | ||
| return tokenPromise; | ||
| } else { | ||
| throw new Error('Token needs to be initialized'); |
There was a problem hiding this comment.
Also, where does "Token needs to be initialized" come from? I do not see it in core/templates/dev/head/services/CsrfTokenService.ts
@seanlip, Token needs to be initialized comes from here. PTAL
|
Hi @Jamesjay4199. Due to recent changes in the "develop" branch, this PR now has a merge conflict. Please follow this link if you need help resolving the conflict, so that the PR can be merged. Thanks! |
| }, | ||
|
|
||
| getTokenAsync: function() { | ||
| if (token) { |
| resolve(token); | ||
| }); | ||
| } | ||
| if (tokenPromise) { |
There was a problem hiding this comment.
if (tokenPromise !== null)
And, include a line comment just below this line saying "The token initialization request is still pending."
|
Also please note merge conflict and failing Travis tests. |
|
@aks681 PTAL as code owner |
|
Hi @Jamesjay4199. Due to recent changes in the "develop" branch, this PR now has a merge conflict. Please follow this link if you need help resolving the conflict, so that the PR can be merged. Thanks! |
|
@seanlip, I think this is ready to be merged. |
|
Thanks, merging! |
Explanation
Fixes part of #5002: Remove csrf from GLOBALS
Checklist
python scripts/pre_commit_linter.pyandbash scripts/run_frontend_tests.sh.