Unable to set XSRF token without workaround

[djechelon]

Hi,

me and @symrad were working on a problem using Fusty on IE9 on an application that requires XSRF protection. I know that this topic has been already dealt with in #5 and we agree that headers are not the proper way to set the token.

But let me go by steps. I would like to understand if our code is broken or there is a bug in Fusty.

Originally we used the following code in Angular to initialize fusty

angular.module('pnx')
.config([ '$compileProvider', 'PnxAppConfigConstant', '$locationProvider', '$httpProvider', '$provide', 'flowFactoryProvider', AppConfig ]);

function fustyFlowFactory(opts) {
    var flow = new Flow(opts);

    if (flow.support) {
        return flow;
    }

    return new FustyFlow(opts);
}

function AppConfig($compileProvider, PnxAppConfigConstant, $locationProvider, $httpProvider, $provide, flowFactoryProvider) {

    flowFactoryProvider.factory = fustyFlowFactory;
    flowFactoryProvider.defaults = {
        permanentErrors : [ 404, 500, 501 ],
        testChunks : false,
        chunkSize : 9007199254740992,
        headers : function(file, chunk, isTest) {
            var headers = {};
            headers[PnxAppConfigConstant.getCsrf().header] = PnxAppConfigConstant.getCsrf().csrf;
            return headers;
        },
        query : function(file, chunk, isTest) {
            var postParams = {};
            postParams._csrf = PnxAppConfigConstant.getCsrf().csrf;
            return postParams;
        }
    };

    // [...] other stuff for our app
}

Explanation:

• fustyFlowFactory function instantiates Fusty Flow if Flow is not supported by the browser (hits the branch in IE9 as expected)
• fustyFactoryProvider.defaults sets both the headers (successfully used by Flow on Firefox/Chrome) and the query (supposed to be used by Fusty)

However the above code didn't work. Fusty never got the defaults. Even debugging the code at https://github.com/flowjs/fusty-flow.js/blob/master/src/fusty-flow.js#L55, it never read the defaults from the factory.

So we had to change the code and force the token into the query.

Current code

function AppConfig($compileProvider, PnxAppConfigConstant, $locationProvider, $httpProvider, $provide, flowFactoryProvider) {

    var factoryFunc = function(opts) {
        var flow = new Flow(opts);

        if (flow.support)
            return flow;

        opts.query._csrf = PnxAppConfigConstant.getCsrf().csrf;
        return new FustyFlow(opts);
    };

    flowFactoryProvider.factory = factoryFunc;
    flowFactoryProvider.defaults = {
        permanentErrors : [ 404, 500, 501 ],
        testChunks : false,
        chunkSize : 9007199254740992,
        headers : function(file, chunk, isTest) {
            var headers = {};
            headers[PnxAppConfigConstant.getCsrf().header] = PnxAppConfigConstant.getCsrf().csrf;
            return headers;
        },
        query : function(file, chunk, isTest) {
            var postParams = {};
            postParams._csrf = PnxAppConfigConstant.getCsrf().csrf;
            return postParams;
        }
    };

This time we explicitly set token in the options. Works just fine. I can see the token in the request and get to upload

I would like to open this issue as a potential bug, because IMO Fusty should read the defaults from the flow factory as Flow would do normally. I haven't dug enough in the code to confirm it's a bug, but I start from the assumption that factory settings should also work on Fusty and not only on classic Flow.

What do you think about it?

[AidasK]

It should work. Feel free to open a pull request if you can find a bug in the fusty library. Thanks

Your default parameters are actually merged here(there are defaults of several levels): https://github.com/flowjs/ng-flow/blob/master/src/provider.js#L54