From 9573bdca55ddc5488066d3af525e41ed1d872ea6 Mon Sep 17 00:00:00 2001
From: NavaL <ayoyo@thoughtworks.com>
Date: Wed, 24 Feb 2016 16:33:20 +0100
Subject: Backend and frontend protection against csrf attacks: - root
 resources changes the csrf token cookie everytime it is loaded, in particular
 during the intestitial load during login - it will also add that cookie on
 single user mode - initialize will still load all resources - but they you
 cant access them if the csrf token do not match - all ajax calls needs to add
 the token to the header - non ajax get requests do not need xsrf token
 validation - non ajax post will have to send the token in as a form input or
 in the content

Issue #612
---
 web-ui/app/js/helpers/browser.js        |  9 ++++++++-
 web-ui/app/js/helpers/monitored_ajax.js | 10 ++++++----
 2 files changed, 14 insertions(+), 5 deletions(-)

(limited to 'web-ui/app/js/helpers')

diff --git a/web-ui/app/js/helpers/browser.js b/web-ui/app/js/helpers/browser.js
index e5be6667..23aa79c8 100644
--- a/web-ui/app/js/helpers/browser.js
+++ b/web-ui/app/js/helpers/browser.js
@@ -23,7 +23,14 @@ define([], function () {
     window.location.replace(url);
   }
 
+  function getCookie(name) {
+    var value = '; ' + document.cookie;
+    var parts = value.split('; ' + name + '=');
+    if (parts.length === 2) return parts.pop().split(';').shift();
+  }
+
   return {
-    redirect: redirect
+    redirect: redirect,
+    getCookie: getCookie
   };
 });
diff --git a/web-ui/app/js/helpers/monitored_ajax.js b/web-ui/app/js/helpers/monitored_ajax.js
index 1cb720de..dc182d58 100644
--- a/web-ui/app/js/helpers/monitored_ajax.js
+++ b/web-ui/app/js/helpers/monitored_ajax.js
@@ -36,6 +36,8 @@ define(['page/events', 'views/i18n', 'helpers/browser'], function (events, i18n,
       }
     };
 
+    config.headers = {'X-XSRF-TOKEN': browser.getCookie('XSRF-TOKEN')};
+
     var originalComplete = config.complete;
     config.complete = function () {
       if (originalComplete) {
@@ -46,15 +48,15 @@ define(['page/events', 'views/i18n', 'helpers/browser'], function (events, i18n,
     return $.ajax(url, config).fail(function (xmlhttprequest, textstatus, message) {
       if (!config.skipErrorMessage) {
         var msg = (xmlhttprequest.responseJSON && xmlhttprequest.responseJSON.message) ||
-            messages[textstatus] ||
-            'unexpected problem while talking to server';
-        on.trigger(document, events.ui.userAlerts.displayMessage, {message: i18n(msg)});
+          messages[textstatus] ||
+          'unexpected problem while talking to server';
+        on.trigger(document, events.ui.userAlerts.displayMessage, {message: i18n(msg), class: 'error'});
       }
 
       if (xmlhttprequest.status === 302) {
         var redirectUrl = xmlhttprequest.getResponseHeader('Location');
         browser.redirect(redirectUrl);
-      }else if (xmlhttprequest.status === 401) {
+      } else if (xmlhttprequest.status === 401) {
         browser.redirect('/');
       }
 
-- 
cgit v1.2.3