| 1 | /*
|
| 2 | * Copyright 2013 the original author or authors
|
| 3 | * @license MIT, see LICENSE.txt for details
|
| 4 | *
|
| 5 | * @author Scott Andrews
|
| 6 | */
|
| 7 |
|
| 8 | (function (define) {
|
| 9 | ;
|
| 10 |
|
| 11 | define(function (require) {
|
| 12 |
|
| 13 | var interceptor;
|
| 14 |
|
| 15 | interceptor = require('../interceptor');
|
| 16 |
|
| 17 | /**
|
| 18 | * Applies a Cross-Site Request Forgery protection header to a request
|
| 19 | *
|
| 20 | * CSRF protection helps a server verify that a request came from a
|
| 21 | * trusted client and not another client that was able to masquerade
|
| 22 | * as an authorized client. Sites that use cookie based authentication
|
| 23 | * are particularly vulnerable to request forgeries without extra
|
| 24 | * protection.
|
| 25 | *
|
| 26 | * @see http://en.wikipedia.org/wiki/Cross-site_request_forgery
|
| 27 | *
|
| 28 | * @param {Client} [client] client to wrap
|
| 29 | * @param {string} [config.name='X-Csrf-Token'] name of the request
|
| 30 | * header, may be overridden by `request.csrfTokenName`
|
| 31 | * @param {string} [config.token] CSRF token, may be overridden by
|
| 32 | * `request.csrfToken`
|
| 33 | *
|
| 34 | * @returns {Client}
|
| 35 | */
|
| 36 | return interceptor({
|
| 37 | init: function (config) {
|
| 38 | config.name = config.name || 'X-Csrf-Token';
|
| 39 | return config;
|
| 40 | },
|
| 41 | request: function handleRequest(request, config) {
|
| 42 | var headers, name, token;
|
| 43 |
|
| 44 | headers = request.headers || (request.headers = {});
|
| 45 | name = request.csrfTokenName || config.name;
|
| 46 | token = request.csrfToken || config.token;
|
| 47 |
|
| 48 | if (token) {
|
| 49 | headers[name] = token;
|
| 50 | }
|
| 51 |
|
| 52 | return request;
|
| 53 | }
|
| 54 | });
|
| 55 |
|
| 56 | });
|
| 57 |
|
| 58 | }(
|
| 59 | typeof define === 'function' && define.amd ? define : function (factory) { module.exports = factory(require); }
|
| 60 | // Boilerplate for AMD and Node
|
| 61 | ));
|