From c8fbb13e1800620a981ac5235f09e4587fc21d37 Mon Sep 17 00:00:00 2001
From: Shane Tomlinson <stomlinson@mozilla.com>
Date: Wed, 5 Oct 2011 12:38:52 +0100
Subject: [PATCH] Fixing #354 - 'CSRF validation failure on confirmation page'.
Automating the addition of the CSRF token to POST requests.
Testing for CSRF tokens in POST requests in the unit tests.
---
.../dialog/resources/browserid-network.js | 29 ++++++++-----------
.../test/qunit/browserid-network_test.js | 5 ++++
2 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/browserid/static/dialog/resources/browserid-network.js b/browserid/static/dialog/resources/browserid-network.js
index f1da745ee..0cc838236 100644
--- a/browserid/static/dialog/resources/browserid-network.js
+++ b/browserid/static/dialog/resources/browserid-network.js
@@ -80,10 +80,16 @@ BrowserID.Network = (function() {
function post(options) {
withContext(function() {
+ var data = options.data || {};
+
+ if(!data.csrf) {
+ data.csrf = csrf_token;
+ }
+
xhr.ajax({
type: "POST",
url: options.url,
- data: options.data,
+ data: data,
success: options.success,
error: options.error
});
@@ -114,8 +120,7 @@ BrowserID.Network = (function() {
url: "/wsapi/authenticate_user",
data: {
email: email,
- pass: password,
- csrf: csrf_token
+ pass: password
},
success: function(status, textStatus, jqXHR) {
if (onSuccess) {
@@ -164,9 +169,6 @@ BrowserID.Network = (function() {
logout: function(onSuccess) {
post({
url: "/wsapi/logout",
- data: {
- csrf: csrf_token
- },
success: function() {
// assume the logout request is successful and
// log the user out. There is no need to reset the
@@ -192,8 +194,7 @@ BrowserID.Network = (function() {
url: "/wsapi/stage_user",
data: {
email: email,
- site : origin,
- csrf : csrf_token
+ site : origin
},
success: function(status) {
var staged = JSON.parse(status);
@@ -249,7 +250,6 @@ BrowserID.Network = (function() {
post({
url: "/wsapi/complete_user_creation",
data: {
- csrf: csrf_token,
token: token,
pass: password
},
@@ -321,7 +321,6 @@ BrowserID.Network = (function() {
post({
url: "/wsapi/complete_email_addition",
data: {
- csrf: csrf_token,
token: token
},
success: function(status, textStatus, jqXHR) {
@@ -343,7 +342,6 @@ BrowserID.Network = (function() {
cancelUser: function(onSuccess, onFailure) {
post({
url: "/wsapi/account_cancel",
- data: {"csrf": csrf_token},
success: createDeferred(onSuccess),
error: onFailure
});
@@ -362,8 +360,7 @@ BrowserID.Network = (function() {
url: "/wsapi/stage_email",
data: {
email: email,
- site: origin,
- csrf: csrf_token
+ site: origin
},
success: function(status) {
var staged = JSON.parse(status);
@@ -421,8 +418,7 @@ BrowserID.Network = (function() {
post({
url: "/wsapi/remove_email",
data: {
- email: email,
- csrf: csrf_token
+ email: email
},
success: createDeferred(onSuccess),
failure: onFailure
@@ -438,8 +434,7 @@ BrowserID.Network = (function() {
url: "/wsapi/cert_key",
data: {
email: email,
- pubkey: pubkey.serialize(),
- csrf: csrf_token
+ pubkey: pubkey.serialize()
},
success: createDeferred(onSuccess),
error: onError
diff --git a/browserid/static/dialog/test/qunit/browserid-network_test.js b/browserid/static/dialog/test/qunit/browserid-network_test.js
index 55116a806..46560a6f2 100644
--- a/browserid/static/dialog/test/qunit/browserid-network_test.js
+++ b/browserid/static/dialog/test/qunit/browserid-network_test.js
@@ -108,6 +108,11 @@ steal.plugins("jquery", "funcunit/qunit").then("/dialog/resources/browserid-netw
data: obj.data
};
+
+ if(type === "post" && !obj.data.csrf) {
+ ok(false, "missing csrf token on POST request");
+ }
+
var resName = req.type + " " + req.url + " " + xhr.resultType;
var result = xhr.results[resName];
--
GitLab