From f93964f297a6e3b17e9d64523103e743176d89ff Mon Sep 17 00:00:00 2001
From: Brian Warner <warner@lothar.com>
Date: Mon, 9 Jul 2012 17:12:36 -0700
Subject: [PATCH] wsapi cleanup: flatten control flow a little bit

---
 lib/wsapi.js | 93 +++++++++++++++++++++++++++-------------------------
 1 file changed, 48 insertions(+), 45 deletions(-)

diff --git a/lib/wsapi.js b/lib/wsapi.js
index d17083853..68fd53a3a 100644
--- a/lib/wsapi.js
+++ b/lib/wsapi.js
@@ -99,21 +99,25 @@ function authenticateSession(session, uid, level, duration_ms) {
 
 function checkCSRF(req, resp, next) {
   // only on POSTs
-  if (req.method === "POST") {
-    if (req.session === undefined || typeof req.session.csrf !== 'string') { // there must be a session
-      logger.warn("POST calls to /wsapi require a cookie to be sent, this user may have cookies disabled");
-      return httputils.forbidden(resp, "no cookie");
-    }
+  if (req.method !== "POST")
+    return next();
 
-    // and the token must match what is sent in the post body
-    else if (!req.body || !req.session || !req.session.csrf || req.body.csrf != req.session.csrf) {
-      // if any of these things are false, then we'll block the request
-      var b = req.body ? req.body.csrf : "<none>";
-      var s = req.session ? req.session.csrf : "<none>";
-      logger.warn("CSRF validation failure, token mismatch. got:" + b + " want:" + s);
-      return httputils.badRequest(resp, "CSRF violation");
-    }
+  // there must be a session
+  if (req.session === undefined || typeof req.session.csrf !== 'string') {
+    logger.warn("POST calls to /wsapi require a cookie to be sent, this user may have cookies disabled");
+    return httputils.forbidden(resp, "no cookie");
+  }
+
+  // and the token must match what is sent in the post body
+  if (!req.body || !req.session || !req.session.csrf || req.body.csrf != req.session.csrf) {
+    // if any of these things are false, then we'll block the request
+    var b = req.body ? req.body.csrf : "<none>";
+    var s = req.session ? req.session.csrf : "<none>";
+    logger.warn("CSRF validation failure, token mismatch. got:" + b + " want:" + s);
+    return httputils.badRequest(resp, "CSRF violation");
   }
+
+  // all good
   next();
 }
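Review bot: The token comparison `req.body.csrf != req.session.csrf` in the flattened second check uses loose equality, so a non-string body value (an array or number, depending on what the body parser produces) is coerced before comparison instead of being rejected outright; `req.body.csrf !== req.session.csrf` compares the submitted token exactly against the string the preceding session check already guarantees. The `!req.session || !req.session.csrf` terms in that same condition, and the `req.session ?` ternary for `s`, are already implied by the session check above and can be dropped now that the early return makes the order explicit. The warning on the following line then writes `s`, the session's expected CSRF token, into the warn log, which leaks a per-session secret into log storage; logging only the received value or a mismatch marker is enough for debugging, e.g. `logger.warn("CSRF validation failure, token mismatch. got:" + b);`.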
 
@@ -197,45 +201,44 @@ exports.setup = function(options, app) {
     // by layers higher up based on cache control headers.
     // the fallout is that all code that interacts with sessions
     // should be under /wsapi
-    if (purl.pathname.substr(0, WSAPI_PREFIX.length) === WSAPI_PREFIX) {
-      // explicitly disallow caching on all /wsapi calls (issue #294)
-      resp.setHeader('Cache-Control', 'no-cache, max-age=0');
+    if (purl.pathname.substr(0, WSAPI_PREFIX.length) !== WSAPI_PREFIX)
+      return next();
 
-      // we set this parameter so the connect-cookie-session
-      // sends the cookie even though the local connection is HTTP
-      // (the load balancer does SSL)
-      if (overSSL)
-        req.connection.proxySecure = true;
+    // explicitly disallow caching on all /wsapi calls (issue #294)
+    resp.setHeader('Cache-Control', 'no-cache, max-age=0');
 
-      const operation = purl.pathname.substr(WSAPI_PREFIX.length);
+    // we set this parameter so the connect-cookie-session
+    // sends the cookie even though the local connection is HTTP
+    // (the load balancer does SSL)
+    if (overSSL)
+      req.connection.proxySecure = true;
 
-      // count the number of WSAPI operation
-      statsd.increment("wsapi." + operation);
-
-      // check to see if the api is known here, before spending more time with
-      // the request.
-      if (!wsapis.hasOwnProperty(operation) ||
-          wsapis[operation].method.toLowerCase() !== req.method.toLowerCase())
-      {
-        // if the fake verification api is enabled (for load testing),
-        // then let this request fall through
-        if (operation !== 'fake_verification' || !process.env['BROWSERID_FAKE_VERIFICATION'])
-          return httputils.badRequest(resp, "no such api");
-      }
+    const operation = purl.pathname.substr(WSAPI_PREFIX.length);
+
+    // count the number of WSAPI operation
+    statsd.increment("wsapi." + operation);
+
+    // check to see if the api is known here, before spending more time with
+    // the request.
+    if (!wsapis.hasOwnProperty(operation) ||
+        wsapis[operation].method.toLowerCase() !== req.method.toLowerCase())
+    {
+      // if the fake verification api is enabled (for load testing),
+      // then let this request fall through
+      if (operation !== 'fake_verification' || !process.env['BROWSERID_FAKE_VERIFICATION'])
+        return httputils.badRequest(resp, "no such api");
+    }
 
-      // perform full parsing and validation
-      return cookieParser(req, resp, function() {
-        bodyParser(req, resp, function() {
-          cookieSessionMiddleware(req, resp, function() {
-            checkCSRF(req, resp, function() {
-              return next();
-            });
+    // perform full parsing and validation
+    return cookieParser(req, resp, function() {
+      bodyParser(req, resp, function() {
+        cookieSessionMiddleware(req, resp, function() {
+          checkCSRF(req, resp, function() {
+            return next();
           });
         });
       });
-    } else {
-      return next();
-    }
+    });
   });
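Review bot: `statsd.increment("wsapi." + operation)` runs before the `wsapis.hasOwnProperty(operation)` check, so any request under the /wsapi prefix with a client-chosen path creates a new metric name, which lets a caller inflate metric cardinality and pollute the stats namespace (how statsd treats slashes or percent-encoded characters in the name is not visible here). Moving the increment below the known-API check, or counting rejected requests under a fixed name such as `statsd.increment("wsapi.unknown_api");` inside the rejection branch, keeps the metric set bounded to the registered operations. The enclosing `app.use` callback and `exports.setup` both begin outside the hunk.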
 
   // load all of the APIs supported by this process
-- 
GitLab