1
1
mirror of https://github.com/aelve/guide.git synced 2024-12-23 12:52:31 +03:00
guide/guidejs
2017-03-31 11:15:11 +02:00
..
src Fix the previous commit (URL polyfill) 2017-03-17 15:43:48 -05:00
.babelrc Implement client-side JS build, automatic CSRF protection. 2017-03-17 15:02:51 -05:00
package.json Add missing rollup dependency 2017-03-31 11:15:11 +02:00
README.md Add npm install to buildjs.sh, describe changing in README 2017-03-18 15:39:51 -05:00
rollup.config.js Implement client-side JS build, automatic CSRF protection. 2017-03-17 15:02:51 -05:00
yarn.lock Implement client-side JS build, automatic CSRF protection. 2017-03-17 15:02:51 -05:00

Developing this module

To work on this module, it's necessary to use either yarn or npm. Yarn is an alternative to npm by Facebook, but they perform the same function here.

When run in the parent directory, stack build will run a build script in the root to install any dependencies and build the output bundle.

Motivation for this module

The situation for handling client-side CSRF token injection was unsatisfying, to say the least. Without performing significant surgery on the types and method the Guide uses to generate JavaScript functions, our best option is to modify the jQuery $.ajax() or $.post() functions.

There are a grand total of four packages on npmjs.com that show up for "jquery csrf". The most promising is jquery-csrf-token. It has two problems, one technical and one contextual.

  1. It does not filter based on the URL, it is a shotgun. Not knowing a lot about how Spock generates and validates CSRF tokens or how that could change, we should defensively program around the worst case: CSRF tokens are valid for a really long time beyond a user's session, and leaking one could be bad.

  2. It gets ~40 downloads a month. Let's not let ourselves be left-paded.

So we will include the source (it's relatively short) and add the modifications we need, and also provide a nice path forward for building a single-source-of-truth for client JavaScript for the project. Since jquery-csrf-token uses Rollup, we will too.

We will also use URL parsing to make sure that we only send the CSRF token to the a relative URI. Rollup will come in handy here because IE11 (ugh) and Opera Mini (what?) do not support the URL API and so we'll polyfill it.

Other features may be added as needed and will be documented here.