Commits on Aug 25, 2011
Commits on Aug 24, 2011
Commits on Aug 22, 2011
Commits on Aug 21, 2011
Commits on Aug 18, 2011
  1. lazy fetch csrf tokens in dialog immediately before a post request which requires them. fixes csrf race condition in beta and dev
    lloyd committed Aug 18, 2011
  2. Merge pull request #180 from mozilla/sync_emails_extras_not_removed

    No need to JSON.stringify the emails list.
    shane-tomlinson committed Aug 18, 2011
  3. Merge pull request #178 from mozilla/forget_this_email_error

    Fixing withCSRF to correctly get the CSRF token.
    shane-tomlinson committed Aug 18, 2011
  4. Fixing withCSRF to correctly get the CSRF token.

    The request was assuming XML, which caused jQuery to blow its top since the response was not valid XML.  If we set the response to HTML, we can set the CSRF token directly from the response, without using response.body.
    
    issue #177
    shane-tomlinson committed Aug 18, 2011
  5. document CSRF changes in ChangeLog

    lloyd committed Aug 18, 2011
  6. fix manage page, now we explicitly call /wsapi/csrf so that the page itself can be cached. issue #74
    lloyd committed Aug 18, 2011
  7. move /csrf to /wsapi/csrf. add /wsapi path to cookies, as all other requests should have aggressive cache headers. Only create a csrf token when the client asks for it. issue #173
    lloyd committed Aug 18, 2011
  8. add logging to CSRF token generation, and rather than throwing an exception when a mismatch is detected, log an error and return a bad request to the client (seems like a better fit than 'not authorized'). issue #173
    lloyd committed Aug 18, 2011
  9. require the user to authenticate regardless of whether they have local key material. closes #74
    lloyd committed Aug 18, 2011
  10. remove dead code. we moved from cookie-sessions to connect-cookie-sessions. we shouldn't have references to the former, and the latter does not throw exceptions when invalid cookies are encountered, so we don't need exception handling there.
    lloyd committed Aug 18, 2011
  11. interface winston logging better, use the Console transport when running in the dev harness rather than manually logging to console (yay for colorized output)
    lloyd committed Aug 18, 2011
  12. all tests now run against all persistence layers, warnings are output when (i.e.) mysql isn't set up and we can't test against it, but the developer should clearly understand what's going on. closes #171
    lloyd committed Aug 18, 2011