fix(request): CHECKOUT-4835 Stop automatically attaching CSRF token w…
…hen requesting assets
davidchin committed Apr 21, 2020
1 parent db843cc commit b24d0cf
Showing 2 changed files with 27 additions and 4 deletions.
17 changes: 16 additions & 1 deletion src/request-sender.spec.ts
@@ -1,9 +1,10 @@
import * as cookie from 'js-cookie';

import { getErrorResponse, getResponse, getTimeoutResponse } from './responses.mock';

import PayloadTransformer from './payload-transformer';
import RequestFactory from './request-factory';
import RequestSender from './request-sender';
import { getErrorResponse, getResponse, getTimeoutResponse } from './responses.mock';

describe('RequestSender', () => {
let payloadTransformer: PayloadTransformer;
@@ -125,6 +126,20 @@ describe('RequestSender', () => {
}));
});

it('does not create a HTTP request with CSRF token for asset requests even if it exists', () => {
url = 'http://foobar/script.js?time=123';

jest.spyOn(cookie, 'get').mockImplementation(key => key === 'XSRF-TOKEN' ? 'abc' : undefined);

requestSender.sendRequest(url);

expect(requestFactory.createRequest).toHaveBeenCalledWith(url, expect.objectContaining({
headers: {
Accept: expect.any(String),
},
}));
});

it('sends the request with data', () => {
const options = {
body: { message: 'foobar' },
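Review bot: The new test covers only the default-method `.js` case, so the `options.method` branch of `_isAssetRequest` is never exercised: nothing asserts that a `POST`, `PUT` or `DELETE` to a URL ending in `.json` or `.html` still carries `X-XSRF-TOKEN`. That branch is what keeps state-changing requests protected, so a companion test such as `requestSender.sendRequest('http://foobar/data.json', { method: 'POST' })` expecting `'X-XSRF-TOKEN': 'abc'` among the headers would pin it. The `jest.spyOn(cookie, 'get')` mock is not restored inside the test; whether a shared `afterEach` resets it is outside the visible lines.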
14 changes: 11 additions & 3 deletions src/request-sender.ts
@@ -23,7 +23,7 @@ export default class RequestSender {
}

sendRequest<T = any>(url: string, options?: RequestOptions): Promise<Response<T>> {
const requestOptions = this._mergeDefaultOptions(options);
const requestOptions = this._mergeDefaultOptions(url, options);
const cachedRequest = this._getCachedRequest<T>(url, requestOptions);

if (cachedRequest) {
@@ -82,7 +82,7 @@ export default class RequestSender {
return this.sendRequest(url, { ...options, method: 'DELETE' });
}

private _mergeDefaultOptions(options?: RequestOptions): RequestOptions {
private _mergeDefaultOptions(url: string, options?: RequestOptions): RequestOptions {
const defaultOptions: Partial<RequestOptions> = {
credentials: true,
encodeParams: true,
@@ -94,7 +94,7 @@ export default class RequestSender {

const csrfToken = this._cookie.get('XSRF-TOKEN');

if (csrfToken && defaultOptions.headers) {
if (csrfToken && defaultOptions.headers && !this._isAssetRequest(url, options)) {
defaultOptions.headers['X-XSRF-TOKEN'] = csrfToken;
}

@@ -132,4 +132,12 @@ export default class RequestSender {
this._cache.write(url, options, response);
}
}

private _isAssetRequest(url: string, options?: RequestOptions): boolean {
if (options && options.method && options.method.toUpperCase() !== 'GET') {
return false;
}

return /\.(png|gif|jpe?g|css|js|json|svg|html?)$/.test(url.split('?')[0]);
}
}
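Review bot: `_isAssetRequest` decides whether `X-XSRF-TOKEN` is sent purely from the path suffix, so the guard in `_mergeDefaultOptions` still attaches the token to any non-asset URL regardless of host, and withholds it from a same-origin GET endpoint that happens to end in `.json` or `.html`. If callers can pass absolute URLs pointing at other origins (the call sites are not visible here), the token would be disclosed to that host; comparing the request origin with the page origin would be a firmer condition than an extension list. Within the current approach the match is case-sensitive and strips only the query string, so `script.JS` or `script.js#v1` are treated as non-assets and still receive the header; `return /\.(png|gif|jpe?g|css|js|json|svg|html?)$/i.test(url.split(/[?#]/)[0]);` covers both. `_mergeDefaultOptions` starts and ends outside the visible hunks, so the rest of the defaults it merges is not reviewed here.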
