
Rotate CSRF token and get authApiUrl from settings

Rafał Pitoń 10 years ago
parent
commit
6309e3c4ce

+ 11 - 8
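--- a/misago/conf/middleware.py
+++ b/misago/conf/middleware.py
@@ -4,14 +4,8 @@ from misago.conf.gateway import settings, db_settings  # noqa
 
 class PreloadConfigMiddleware(object):
     def process_request(self, request):
-        request.preloaded_ember_data.update({
-            'misagoSettings': db_settings.get_public_settings(),
-
-            'staticUrl': settings.STATIC_URL,
-            'mediaUrl': settings.MEDIA_URL,
-
-            'csrfCookieName': settings.CSRF_COOKIE_NAME,
-
+        preloaded_settings = db_settings.get_public_settings()
+        preloaded_settings.update({
             'authApiUrl': reverse(settings.MISAGO_AUTH_API_URL),
 
             'loginRedirectUrl': reverse(settings.LOGIN_REDIRECT_URL),
@@ -19,3 +13,12 @@ class PreloadConfigMiddleware(object):
 
             'logoutUrl': reverse(settings.LOGOUT_URL),
         })
+
+        request.preloaded_ember_data.update({
+            'misagoSettings': preloaded_settings,
+
+            'staticUrl': settings.STATIC_URL,
+            'mediaUrl': settings.MEDIA_URL,
+
+            'csrfCookieName': settings.CSRF_COOKIE_NAME,
+        })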
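Review bot: The new `preloaded_settings.update({...})` mutates the object returned by `db_settings.get_public_settings()` in place, and if that gateway returns a cached or otherwise shared dict (not visible here) every request would write the reversed URL keys into shared state and a DB setting whose key collides with `authApiUrl`/`loginRedirectUrl`/`logoutUrl` would be silently overwritten. Taking a copy first keeps the merge local to the request: `preloaded_settings = dict(db_settings.get_public_settings())`. A one-line comment on the copy, `# copy: never mutate whatever the gateway hands back`, would make the intent clear to the next maintainer.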

+ 9 - 2
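--- a/misago/emberapp/app/controllers/login-modal.js
+++ b/misago/emberapp/app/controllers/login-modal.js
@@ -1,6 +1,6 @@
 import Ember from 'ember';
-import MisagoPreloadStore from 'misago/utils/preloadstore';
 import rpc from 'misago/utils/rpc';
+import getCsrfToken from 'misago/utils/csrf';
 
 export default Ember.Controller.extend({
   modal: null,
@@ -53,7 +53,7 @@ export default Ember.Controller.extend({
 
   authenticate: function(credentials) {
     var self = this;
-    rpc(MisagoPreloadStore.get('authApiUrl'), credentials).then(function() {
+    rpc(this.get('settings.authApiUrl'), credentials).then(function() {
       self.logIn(credentials);
     }, function(rejection) {
       self.authError(rejection);
@@ -63,6 +63,13 @@ export default Ember.Controller.extend({
 
   logIn: function(credentials) {
     var $form = Ember.$('#hidden-login-form');
+
+    // we need to refresh CSRF token because previous api call changed it
+    $form.find('input[name=csrfmiddlewaretoken]').val(getCsrfToken());
+
+    // fill out form with user credentials and submit it, this will tell
+    // misago to redirect user back to right page, and will trigger browser's
+    // key ring feature
     $form.find('input[name=redirect_to]').val(window.location.href);
     $form.find('input[name=username]').val(credentials.username);
     $form.find('input[name=password]').val(credentials.password);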
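Review bot: In `authenticate`, the replacement `this.get('settings.authApiUrl')` depends on a `settings` property being present on this controller, and nothing in these hunks shows it being injected or set; if it is missing, `rpc()` is called with `undefined` as the URL and the login request silently goes to the wrong endpoint. A short comment above the call, `// settings is the injected settings service; authApiUrl is preloaded by PreloadConfigMiddleware`, or an `Ember.assert` on the value before the call, would make that dependency explicit. In `logIn`, the refreshed `csrfmiddlewaretoken` is only as good as what `getCsrfToken()` reads; it presumably reads the CSRF cookie, so if that cookie is ever made unreadable from script the hidden form would be submitted with an empty token, which is worth a note next to the refresh line. The body of `logIn` continues past the end of the hunk.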

+ 1 - 1
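--- a/misago/emberapp/app/initializers/dev-csrf-tokens.js
+++ b/misago/emberapp/app/initializers/dev-csrf-tokens.js
@@ -4,7 +4,7 @@ import ENV from '../config/environment';
 
 export function initialize() {
   if (ENV.environment !== 'production') {
-    // set CSRF tokens on preloaded forms
+    // set initial CSRF tokens on preloaded forms
     Ember.$('input[name=csrfmiddlewaretoken]').val(getCsrfToken());
   }
 }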
 }