From patchwork Fri Aug 13 05:31:22 2021
X-Patchwork-Submitter: Raxel Gutierrez
X-Patchwork-Id: 1516542
Date: Fri, 13 Aug 2021 05:31:22 +0000
In-Reply-To: <20210813053127.2160595-1-raxel@google.com>
Message-Id: <20210813053127.2160595-6-raxel@google.com>
References: <20210813053127.2160595-1-raxel@google.com>
Subject: [PATCH v3 05/10] static: add JS Cookie library to get csrftoken for client-side requests
From: Raxel Gutierrez
To: patchwork@lists.ozlabs.org
List-Id: Patchwork development

Currently in Patchwork, requests are made only through older methods via
form submissions, which means the UI is rendered strictly server-side.
This lags behind more modern and versatile approaches that use
JavaScript to send requests and dynamically update the UI based on the
respective response.

In order to make REST API requests on the client-side secure from CSRF
attacks, add the JS Cookie library which allows the CSRF token to be
passed in the request header. A following patch that introduces the
`rest.js` module will make use of the JS Cookie library in this patch.

The library is a recommendation from Django docs [1]. The files for the
library can be downloaded in the releases page of the GitHub [2].

[1] https://docs.djangoproject.com/en/3.2/ref/csrf/#ajax
[2] https://github.com/js-cookie/js-cookie/releases
Signed-off-by: Raxel Gutierrez --- htdocs/README.rst | 9 +++++++++ htdocs/js/js.cookie.min.js | 2 ++ templates/base.html | 1 + 3 files changed, 12 insertions(+) create mode 100644 htdocs/js/js.cookie.min.js diff --git a/htdocs/README.rst b/htdocs/README.rst index 62f15c2..128dc7c 100644 --- a/htdocs/README.rst +++ b/htdocs/README.rst @@ -122,6 +122,15 @@ js :GitHub: jQuery plug-in to drag and drop rows in HTML tables :Version: ??? +``js.cookie.min.js`` + + Library used to handle cookies. + + This is used to get the ``csrftoken`` cookie for AJAX requests in JavaScript. + + :GitHub: https://github.com/js-cookie/js-cookie/ + :Version: 3.0.0 + ``selectize.min.js`` Selectize is the hybrid of a ``textbox`` and ``
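Review bot: In the htdocs/README.rst hunk, the new ``js.cookie.min.js`` entry records only `:Version: 3.0.0` and the repository URL, which is not enough to check a vendored, minified file against upstream. Consider naming the exact release asset the file was taken from, or a checksum of it, next to the version so that a later reviewer can confirm the two-line htdocs/js/js.cookie.min.js matches the 3.0.0 release. The description line "This is used to get the ``csrftoken`` cookie for AJAX requests in JavaScript" could also say that this depends on the cookie being readable from script, i.e. Django's CSRF_COOKIE_HTTPONLY and CSRF_USE_SESSIONS left at their defaults; with either enabled the token has to be read from the DOM instead.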