CSRF not support?! #82

Closed
grapemix opened this issue Aug 26, 2014 · 3 comments
Comments

@grapemix

I was trying to run the sample setup; most stuff is working, but not CSRF. I am using django and restangular. By default, CSRF is enabled for django and restangular. Restangular or other post requests will automatically pick up the CSRF token and attach it to every post request in my current setup. However, this is not the case for ng-flow. CSRF (http://en.wikipedia.org/wiki/Cross-site_request_forgery) is important; a website without CSRF is insecure. ng-flow users will suffer if ng-flow does not support CSRF. Currently, one of my site's API entries is disabling CSRF just for ng-flow. Will you support CSRF in the future? Thanks.
Here is my setup:

```js
angular.module('app', [
  'restangular',
])
.config(function ($httpProvider) {
  // Tell $http which cookie holds Django's CSRF token and which header to send it in
  $httpProvider.defaults.xsrfCookieName = 'csrftoken';
  $httpProvider.defaults.xsrfHeaderName = 'X-CSRFToken';
});
```
Let me know if you need more information. Thx.

@AidasK (Member) commented Aug 31, 2014

Flow.js does not use the $http service; because of this you have to set the CSRF token manually for each request.
Flow.js allows you to set custom headers and parameters for each request.

https://github.com/flowjs/flow.js#configuration

Set a function as the headers option:

```js
{
  headers: function (file, chunk, isTest) {
    return {
      'X-CSRFToken': cookie.get("csrftoken") // call func for getting a cookie
    };
  }
}
```

Hope this solves your issue

@grapemix (Author)

Sorry to reply so late. If I understand correctly, the headers are being assigned to the flowFactoryProvider, which lives in the Module.config block. However, I cannot get my cookie in the config block because the config block is only able to inject providers, not instances. And the cookie provider is usually placed in the run block because of the nature of the cookie provider. So I guess there is no 1-line solution here.

In my case, I switched to using CORS; in that case, ng-flow and django work perfectly. Thanks for your follow up.

@AidasK (Member) commented Sep 19, 2014

No, you can pass headers in any place you want (for ex.: flow-init).

It seems my flow factory logic is too simple here:
https://github.com/flowjs/ng-flow/blob/master/src/provider.js#L24

Instead of this, we could pass a service name which creates the flow instance, and then, when needed, the user should override the existing service or create a new one.
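Putting the two points of this thread together (a `headers` function that reads the cookie at request time, and that the options can be built anywhere, such as flow-init), here is an added example that is not ng-flow's, Flow.js's or the commenters' code. It assumes Django's default cookie name `csrftoken` and header `X-CSRFToken` from the thread; `target`, `withCredentials` and `headers` are Flow.js options, while the helper names and the injectable cookie reader are my own.

```javascript
// Added example (not ng-flow or Flow.js project code): a Flow.js `headers` option
// that attaches Django's CSRF token to each upload request. Names assumed from the
// thread: cookie "csrftoken", header "X-CSRFToken".

// Parse a cookie string ("a=1; b=2") into a name -> value map. Values are
// %-decoded; a value that is not valid %-encoding is kept as-is.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of (cookieString || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;                     // no "=": not a cookie pair
    const name = part.slice(0, idx).trim();
    const raw = part.slice(idx + 1).trim();
    if (!name) continue;
    try {
      jar[name] = decodeURIComponent(raw);
    } catch (e) {
      jar[name] = raw;
    }
  }
  return jar;
}

// Return the CSRF token, or null when the cookie is absent or empty (e.g. before
// the first Django response has set it), so callers can fail closed.
function getCsrfToken(cookieString, cookieName = 'csrftoken') {
  const token = parseCookies(cookieString)[cookieName];
  return token ? token : null;
}

// Build the options object handed to Flow.js (flow-init or flowFactoryProvider.defaults).
// `headers` is a function, so the cookie is read at request time, not when the module
// is configured. `readCookies` is injectable so this also runs outside a browser.
function flowOptionsWithCsrf(target, readCookies) {
  const read = readCookies || (() => (typeof document !== 'undefined' ? document.cookie : ''));
  return {
    target: target,
    withCredentials: true,             // send the session cookie along with the upload
    headers: function (file, chunk, isTest) {
      const token = getCsrfToken(read());
      // No token: send no header; Django then answers 403 instead of taking a bogus value.
      return token ? { 'X-CSRFToken': token } : {};
    }
  };
}

// Constructed sample cookie string, shaped like a browser's document.cookie.
const SAMPLE_COOKIES = 'sessionid=abc123; csrftoken=Qz9%2Fexample%2Btoken; theme=dark';
const options = flowOptionsWithCsrf('/api/upload/', () => SAMPLE_COOKIES);
console.log(options.headers(null, null, false)); // { 'X-CSRFToken': 'Qz9/example+token' }
```

Because the cookie is read inside the `headers` callback, the same object can be passed from a run block, a controller, or a `flow-init` attribute without needing a cookie service at config time.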
