/*
 * Copyright 2013 the original author or authors
 * @license MIT, see LICENSE.txt for details
 *
 * @author Scott Andrews
 */
(function (define) {

	define(function (require) {

		var interceptor = require('../interceptor');

		// Header name used when neither the request nor the config supplies one.
		var DEFAULT_HEADER_NAME = 'X-Csrf-Token';

		/**
		 * Request handler: copies the CSRF token onto the outgoing request.
		 *
		 * Per-request values (`request.csrfTokenName`, `request.csrfToken`)
		 * take precedence over the interceptor config. A `headers` object is
		 * created on the request when it has none.
		 *
		 * Security notes:
		 * - Nothing here looks at where the request is going. The token is
		 *   attached to every request that passes through the wrapped client,
		 *   so the client should only be pointed at the server that issued the
		 *   token; otherwise the token is disclosed to other hosts.
		 * - When no truthy token is available the request is returned without
		 *   the header. Rejecting such requests is the server's job.
		 *
		 * @param {Object} request the request being prepared
		 * @param {Object} config the interceptor config (see `init` below)
		 * @returns {Object} the same request object, possibly with the header set
		 */
		function handleRequest(request, config) {
			var headers = request.headers;
			if (!headers) {
				// reuse the one new object for both the local and the request
				headers = request.headers = {};
			}

			var headerName = request.csrfTokenName || config.name;
			var tokenValue = request.csrfToken || config.token;

			if (!tokenValue) {
				return request;
			}

			headers[headerName] = tokenValue;
			return request;
		}

		/**
		 * Applies a Cross-Site Request Forgery protection header to a request
		 *
		 * CSRF protection helps a server verify that a request came from a
		 * trusted client and not another client that was able to masquerade
		 * as an authorized client. Sites that use cookie based authentication
		 * are particularly vulnerable to request forgeries without extra
		 * protection.
		 *
		 * The header only helps if the server checks it against a value it
		 * issued; this interceptor just forwards whatever token it is given.
		 *
		 * @see http://en.wikipedia.org/wiki/Cross-site_request_forgery
		 *
		 * @param {Client} [client] client to wrap
		 * @param {string} [config.name='X-Csrf-Token'] name of the request
		 *   header, may be overridden by `request.csrfTokenName`
		 * @param {string} [config.token] CSRF token, may be overridden by
		 *   `request.csrfToken`
		 *
		 * @returns {Client}
		 */
		return interceptor({
			init: function (config) {
				// always assigns, so `name` ends up set directly on `config`
				config.name = config.name ? config.name : DEFAULT_HEADER_NAME;
				return config;
			},
			request: handleRequest
		});

	});

}(
	// Boilerplate for AMD and Node
	typeof define === 'function' && define.amd
		? define
		: function (factory) { module.exports = factory(require); }
));