Squash session and profile; auth and account
These resources are one resource on the backend. The pattern of preserving object identity for the session response is unnecessary. The identity module now listens for events on the root scope instead of watching the session. The auth controller publishes the session change directly and the auth directive is completely removed. Timeout is handled in the controller. Include the account and auth forms via a macro in the blocks template so that all the dialogs can be overridden together and get rid of the ``show-account`` directive.

These resources are one resource on the backend. The pattern of preserving object identity for the session response is unnecessary. The identity module now listens for events on the root scope instead of watching the session. The auth controller publishes the session change directly and the auth directive is completely removed. Timeout is handled in the controller. Include the account and auth forms via a macro in the blocks template so that all the dialogs can be overridden together and get rid of the ``show-account`` directive.
Decouple identity and authentication
Pull the identity service out of the auth module so that it can be used separately. Wrap the service in a provider with properties that applications can configure to adapt to different authentication environments. These properties provide a way to configure injected functions that the identity service can invoke in order to fulfill requests from client applications for authorization grants without tying the identity service itself to particular implementations of sessions or authentication.
hypothesis
diff --git a/assets.yaml b/assets.yaml
@@ -266,7 +266,6 @@ app_js:
          contents:
            - h:static/scripts/app.coffee
            - h:static/scripts/controllers.coffee
-            - h:static/scripts/controllers/account-management.coffee
            - h:static/scripts/flash.coffee
            - h:static/scripts/filters.coffee
            - h:static/scripts/directives.coffee
@@ -277,6 +276,7 @@ app_js:
            - h:static/scripts/directives/thread.coffee
            - h:static/scripts/directives/thread-filter.coffee
            - h:static/scripts/directives/annotation.coffee
+            - h:static/scripts/identity.coffee
            - h:static/scripts/services.coffee
            - h:static/scripts/helpers/form-helpers.coffee
            - h:static/scripts/helpers/document-helpers.coffee
diff --git a/h/auth/local/views.py b/h/auth/local/views.py
@@ -65,11 +65,12 @@ def pop_flash(request):


 def model(request):
+    csrf_token = request.session.get_csrf_token()
    session = {k: v for k, v in request.session.items() if k[0] != '_'}
-    session['csrf_token'] = request.session.get_csrf_token()  # bw compat
-    session['csrf'] = request.session.get_csrf_token()
-    if request.cookies.get('XSRF-TOKEN') != session['csrf']:
-        request.response.set_cookie('XSRF-TOKEN', session['csrf'])
+    session['csrf_token'] = csrf_token  # bw compat
+    session['certificate'] = csrf_token
+    if request.cookies.get('XSRF-TOKEN') != csrf_token:
+        request.response.set_cookie('XSRF-TOKEN', csrf_token)
    return session


diff --git a/h/static/scripts/app.coffee b/h/static/scripts/app.coffee
@@ -3,10 +3,8 @@ imports = [
  'ngRoute'
  'h.auth'
  'h.controllers'
-  'h.controllers.AccountManagement'
  'h.directives'
  'h.filters'
-  'h.identity'
  'h.streamsearch'
  'h.helpers.formHelpers'
 ]
diff --git a/...pts/controllers/account-management.coffee → h/static/scripts/auth/account.coffee b/...pts/controllers/account-management.coffee → h/static/scripts/auth/account.coffee
@@ -1,9 +1,10 @@
-class AccountManagement
-  @inject = ['$scope', '$rootScope', '$filter', 'flash', 'profile',
-             'identity', 'formHelpers']
+imports = [
+  'h.session'
+]

-  constructor: ($scope, $rootScope, $filter, flash, profile,
-                identity, formHelpers) ->
+class AccountController
+  @inject = ['$scope', '$filter', 'flash', 'session', 'identity', 'formHelpers']
+  constructor: ($scope, $filter, flash, session, identity, formHelpers) ->
    persona_filter = $filter('persona')

    onSuccess = (form, response) ->
@@ -36,31 +37,28 @@ class AccountManagement
    $scope.changePassword = {}
    $scope.deleteAccount = {}

-    # Initial form state.
-    $scope.sheet = false
-
    $scope.delete = (form) ->
      # If the password is correct, the account is deleted.
      # The extension is then removed from the page.
      # Confirmation of success is given.
      return unless form.$valid
-      username = persona_filter $scope.session.userid
+      username = persona_filter $scope.persona
      packet =
        username: username
        pwd: form.pwd.$modelValue

      successHandler = angular.bind(null, onDelete, form)
      errorHandler   = angular.bind(null, onError, form)

-      promise = profile.disable_user(packet)
+      promise = session.disable_user(packet)
      promise.$promise.then(successHandler, errorHandler)

    $scope.submit = (form) ->
      # In the frontend change_email and change_password are two different
      # forms. However, in the backend it is just one: edit_profile
      return unless form.$valid

-      username = persona_filter $scope.session.userid
+      username = persona_filter $scope.persona
      packet =
        username: username
        pwd: form.pwd.$modelValue
@@ -70,14 +68,9 @@ class AccountManagement
      errorHandler   = angular.bind(null, onError, form)

      $scope.$broadcast 'formState', form.$name, 'loading'  # Update status btn
-      promise = profile.edit_profile(packet)
+      promise = session.edit_profile(packet)
      promise.$promise.then(successHandler, errorHandler)

-    $rootScope.$on 'nav:account', ->
-      $scope.$apply -> $scope.sheet = true
-
-    $rootScope.$on 'logout', ->
-      $scope.sheet = false

-angular.module('h.controllers.AccountManagement', [])
-.controller('AccountManagement', AccountManagement)
+angular.module('h.account', imports)
+.controller('AccountController', AccountController)
diff --git a/h/static/scripts/auth/auth.coffee b/h/static/scripts/auth/auth.coffee
@@ -1,17 +1,19 @@
 imports = [
+  'h.identity'
  'h.session'
 ]


 class AuthController
-  this.$inject = ['$scope', '$timeout', 'session', 'formHelpers']
-  constructor:   ( $scope,   $timeout,   session,   formHelpers ) ->
+  this.$inject = ['$scope', '$timeout', 'flash', 'session', 'formHelpers']
+  constructor:   ( $scope,   $timeout,   flash,   session,   formHelpers ) ->
    timeout = null

-    success = ->
-      $scope.tab = if $scope.tab is 'forgot' then 'activate' else null
+    success = (data) ->
+      if $scope.tab is 'forgot' then $scope.tab = 'activate'
+      if data.userid then $scope.$emit 'session', data
      $scope.model = null
-      $scope.$broadcast 'success'
+      $scope.form?.$setPristine()

    failure = (form, response) ->
      {errors, reason} = response.data
@@ -23,18 +25,13 @@ class AuthController

      return unless form.$valid

-      data = {}
-      method = '$' + form.$name
-
-      angular.copy $scope.model, session
-      session.$promise = session[method] success,
+      $scope.$broadcast 'formState', form.$name, 'loading'
+      session[form.$name] $scope.model, success,
        angular.bind(this, failure, form)
-      session.$resolved = false
+      .$promise.finally -> $scope.$broadcast 'formState', form.$name, ''

-      # Update status btn
-      $scope.$broadcast 'formState', form.$name, 'loading'
-      session.$promise.finally ->
-        $scope.$broadcast 'formState', form.$name, ''
+    $scope.model = null
+    $scope.tab = 'login'

    $scope.$on '$destroy', ->
      if timeout
@@ -48,57 +45,35 @@ class AuthController
      # If the model is not empty, start the timeout
      if value and not angular.equals(value, {})
        timeout = $timeout ->
+          $scope.form?.$setPristine()
          $scope.model = null
-          $scope.$broadcast 'timeout'
+          flash 'info',
+            'For your security, the forms have been reset due to inactivity.'
        , 300000


-authDirective = ['$timeout', ($timeout) ->
-  controller: 'AuthController'
-  link: (scope, elem, attrs, [auth, form]) ->
-    elem.on 'submit', (event) ->
-      scope.$apply ->
-        $target = angular.element event.target
-        $form = $target.controller('form')
-        auth.submit($form)
-
-    scope.model = {}
-
-    scope.$on 'authorize', ->
-      scope.tab = 'login'
-
-    scope.$on 'error', (event) ->
-      scope.onError()
-
-    scope.$on 'success', (event) ->
-      form.$setPristine()
-      scope.onSuccess()
-
-    scope.$on 'timeout', (event) ->
-      form.$setPristine()
-      scope.onTimeout()
-
-    scope.$watch 'tab', (name) ->
-      $timeout ->
-        elem
-          .find('form')
-          .filter(-> this.name is name)
-          .find('input')
-          .filter(-> this.type isnt 'hidden')
-          .first()
-          .focus()
-  require: ['auth', 'form']
-  restrict: 'C'
-  scope:
-    onError: '&'
-    onSuccess: '&'
-    onTimeout: '&'
-    session: '='
-    tab: '=ngModel'
-  templateUrl: 'auth.html'
+configure = ['$provide', 'identityProvider', ($provide, identityProvider) ->
+  identityProvider.checkAuthorization = [
+    'session',
+    (session) ->
+      session.load().$promise
+  ]
+
+  identityProvider.forgetAuthorization = [
+    'session',
+    (session) ->
+      session.logout({}).$promise
+  ]
+
+  identityProvider.requestAuthorization = [
+    '$q', '$rootScope',
+    ($q,   $rootScope) ->
+      deferred = $q.defer()
+      $rootScope.$on 'session', (event, data) -> deferred.resolve data
+      deferred.promise
+  ]
 ]


-angular.module('h.auth', imports)
+angular.module('h.auth', imports, configure)
 .controller('AuthController', AuthController)
-.directive('auth', authDirective)
diff --git a/h/static/scripts/auth/identity.coffee b/h/static/scripts/auth/identity.coffee
diff --git a/h/static/scripts/auth/session.coffee b/h/static/scripts/auth/session.coffee
@@ -12,6 +12,7 @@ ACTION = [
  'forgot'
  'activate'
  'edit_profile'
+  'disable_user'
 ]

 ACTION_OPTION =
@@ -80,7 +81,7 @@ class SessionProvider

        # Capture the cross site request forgery token without cookies.
        # If cookies are blocked this is our only way to get it.
-        csrfToken = model.csrf
+        csrfToken = model.certificate

        # Return the model
        model
@@ -90,37 +91,9 @@ class SessionProvider
        actions[name].transformResponse = process

      endpoint = documentHelpers.absoluteURI('/app')
-      $resource(endpoint, {}, actions).load()
+      $resource(endpoint, {}, actions)
  ]

-# Function providing a server-side user profile resource.
-#
-# This function provides an angular $resource factory
-# for manipulating server-side account-profile settings. It defines the
-# actions (such as 'login', 'register') as REST-ish actions
-profileProvider = [
-  '$q', '$resource', 'documentHelpers',
-  ($q,   $resource,   documentHelpers) ->
-    defaults =
-      email: ""
-      password: ""
-
-    actions =
-      edit_profile:
-        method: 'POST'
-        params:
-          __formid__: "edit_profile"
-        withCredentials: true
-      disable_user:
-        method: 'POST'
-        params:
-          __formid__: "disable_user"
-        withCredentials: true
-
-    endpoint = documentHelpers.absoluteURI('/app')
-    $resource(endpoint, {}, actions)
-]
-

 configure = ['$httpProvider', ($httpProvider) ->
  defaults = $httpProvider.defaults
@@ -143,4 +116,3 @@ configure = ['$httpProvider', ($httpProvider) ->

 angular.module('h.session', imports, configure)
 .provider('session', SessionProvider)
-.factory('profile', profileProvider)