Added csurf support, tokens api and updated client-side.

Author: Dan Wahlin

.vscode/settings.json

@@ -4,4 +4,6 @@
       "**/app/**/*.js.map": true,
       "**/app/**/*.js": true
     }
+,
+"typescript.tsdk": "./node_modules/typescript/lib"
 }

controllers/api/customers/customers.controller.js

@@ -1,6 +1,6 @@
-var customersRepo = require('../../../lib/customersRepository'),
-    statesRepo = require('../../../lib/statesRepository'),
-    util = require('util');
+const customersRepo = require('../../../lib/customersRepository'),
+      statesRepo = require('../../../lib/statesRepository'),
+      util = require('util');
 
 class CustomersController {
 
@@ -65,12 +65,12 @@ class CustomersController {
 
     insertCustomer(req, res) {
         console.log('*** insertCustomer');
-        statesRepo.getState(req.body.stateId, function (err, state) {
+        statesRepo.getState(req.body.stateId, (err, state) => {
             if (err) {
                 console.log('*** statesRepo.getState error: ' + util.inspect(err));
                 res.json({ 'status': false });
             } else {
-                customersRepo.insertCustomer(req.body, state, function (err) {
+                customersRepo.insertCustomer(req.body, state, (err) => {
                     if (err) {
                         console.log('*** customersRepo.insertCustomer error: ' + util.inspect(err));
                         res.json(false);
@@ -92,12 +92,12 @@ class CustomersController {
             throw new Error('Customer and associated stateId required');
         }
 
-        statesRepo.getState(req.body.stateId, function (err, state) {
+        statesRepo.getState(req.body.stateId, (err, state) => {
             if (err) {
                 console.log('*** statesRepo.getState error: ' + util.inspect(err));
                 res.json({ 'status': false });
             } else {
-                customersRepo.updateCustomer(req.params.id, req.body, state, function (err) {
+                customersRepo.updateCustomer(req.params.id, req.body, state, (err) => {
                     if (err) {
                         console.log('*** updateCustomer error: ' + util.inspect(err));
                         res.json({ 'status': false });
@@ -113,7 +113,7 @@ class CustomersController {
     deleteCustomer(req, res) {
         console.log('*** deleteCustomer');
 
-        customersRepo.deleteCustomer(req.params.id, function (err) {
+        customersRepo.deleteCustomer(req.params.id, (err) => {
             if (err) {
                 console.log('*** deleteCustomer error: ' + util.inspect(err));
                 res.json({ 'status': false });

controllers/api/states/states.controller.js

@@ -1,5 +1,5 @@
-var statesRepo  = require('../../../lib/statesRepository'),
-    util        = require('util');
+const statesRepo  = require('../../../lib/statesRepository'),
+      util        = require('util');
 
 class StatesController {
 

controllers/api/tokens/tokens.controller.js

@@ -0,0 +1,16 @@
+const  util = require('util');
+
+class TokensController {
+
+    constructor(router) {
+        router.get('/csrf', this.getCsrfToken.bind(this));
+    }
+
+    getCsrfToken(req, res) {
+        console.log('*** getCsrfToken');
+        const csrfToken = res.locals._csrf;
+        res.json({ csrfToken: csrfToken });
+    }
+}
+
+module.exports = TokensController;

package.json

@@ -43,7 +43,7 @@
     "devDependencies": {
         "concurrently": "^3.1.0",
         "lite-server": "^2.2.2",
-        "typescript": "2.0.3",
+        "typescript": "2.0.8",
         "del": "^2.2.2",
         "gulp": "^3.9.1",
         "gulp-concat": "^2.6.0",

public/app/core/data.service.ts

@@ -1,5 +1,5 @@
 import { Injectable } from '@angular/core';
-import { Http, Response } from '@angular/http';
+import { Http, Headers, Response, RequestOptions } from '@angular/http';
 
 //Grab everything with import 'rxjs/Rx';
 import { Observable } from 'rxjs/Observable';
@@ -13,8 +13,21 @@ import { ICustomer, IOrder, IState } from '../shared/interfaces';
 export class DataService {
 
     baseUrl: string = '/api/customers';
+    csrfToken: string = null;
 
-    constructor(private http: Http) { }
+    constructor(private http: Http) { 
+        this.getCsrfToken();
+    }
+
+    getCsrfToken() {
+        return this.http.get('/api/tokens/csrf')
+                   .map((res: Response) => res.json().csrfToken)
+                   .catch(this.handleError)
+                   .subscribe((token: string) => {
+                       this.csrfToken = token;
+                   },
+                   (err) => console.log(err));
+    }
 
     getCustomers() : Observable<ICustomer[]> {
         return this.http.get(this.baseUrl)
@@ -47,24 +60,32 @@ export class DataService {
     }
 
     insertCustomer(customer: ICustomer) : Observable<ICustomer> {
-        return this.http.post(this.baseUrl, customer)
+        return this.http.post(this.baseUrl, customer, this.getRequestOptions())
                    .map((res: Response) => {
                        return res.json();
                    })
                    .catch(this.handleError);
     }
 
     updateCustomer(customer: ICustomer) : Observable<boolean> {
-        return this.http.put(this.baseUrl + '/' + customer._id, customer)
+        return this.http.put(this.baseUrl + '/' + customer._id, customer, this.getRequestOptions())
                    .map((res: Response) => res.json())
                    .catch(this.handleError);
     }
 
     deleteCustomer(id: string) : Observable<boolean> {
-        return this.http.delete(this.baseUrl + '/' + id)
+
+        return this.http.delete(`${this.baseUrl}/${id}?_csrf=${this.csrfToken}`, this.getRequestOptions())
                    .map((res: Response) => res.json())
                    .catch(this.handleError);
     }
+
+    getRequestOptions() {
+        const options = new RequestOptions({
+            headers: new Headers({ 'csrf-token': this.csrfToken })
+        });
+        return options;
+    }
 
     getStates(): Observable<IState[]> {
         return this.http.get('/api/states')

public/app/customers/customer-edit.component.ts

@@ -39,18 +39,30 @@ export class CustomerEditComponent implements OnInit {
     let id = this.route.snapshot.params['id'];
     if (id !== '0') {
       this.operationText = 'Update';
-      this.dataService.getCustomer(id).subscribe((customer: ICustomer) => {
-        //Quick and dirty clone used in case user cancels out of form
-        const cust = JSON.stringify(customer);
-        this.customer = JSON.parse(cust);
-      });
+      this.getCustomer(id);
     }
 
+    this.getStates();
+  }
+
+  getCustomer(id: string) {
+      this.dataService.getCustomer(id)
+        .subscribe((customer: ICustomer) => {
+          //Quick and dirty clone used in case user cancels out of form
+          const cust = JSON.stringify(customer);
+          this.customer = JSON.parse(cust);
+        },
+        (err) => console.log(err));
+  }
+
+  getStates() {
     this.dataService.getStates().subscribe((states: IState[]) => this.states = states);
   }
 
   submit() {
+
       if (this.customer._id) {
+
         this.dataService.updateCustomer(this.customer)
           .subscribe((status: boolean) => {
             if (status) {
@@ -59,8 +71,11 @@ export class CustomerEditComponent implements OnInit {
             else {
               this.errorMessage = 'Unable to save customer';
             }
-        });
+          },
+          (err) => console.log(err));
+
       } else {
+
         this.dataService.insertCustomer(this.customer)
           .subscribe((customer: ICustomer) => {
             if (customer) {
@@ -69,7 +84,9 @@ export class CustomerEditComponent implements OnInit {
             else {
               this.errorMessage = 'Unable to add customer';
             }
-        });
+          },
+          (err) => console.log(err));
+          
       }
   }
 
@@ -88,7 +105,8 @@ export class CustomerEditComponent implements OnInit {
           else {
             this.errorMessage = 'Unable to delete customer';
           }
-        });
+        },
+        (err) => console.log(err));
   }
 
 }

public/app/customers/customers.component.ts

@@ -26,12 +26,6 @@ export class CustomersComponent implements OnInit {
   ngOnInit() {
     this.title = 'Customers';
     this.getCustomersPage(1);
-
-    // this.dataService.getCustomers()
-    //     .subscribe((customers: ICustomer[]) => {
-    //       this.customers = this.filteredCustomers = customers;
-    //     });
-
   }
 
   filterChanged(filterText: string) {
@@ -53,7 +47,9 @@ export class CustomersComponent implements OnInit {
         .subscribe((response: IPagedResults<ICustomer[]>) => {
           this.customers = this.filteredCustomers = response.results;
           this.totalRecords = response.totalRecords;
-        });
+        },
+        (err: any) => console.log(err),
+        () => console.log('getCustomersPage() retrieved customers'));
   }
 
 }

server.js

@@ -41,23 +41,22 @@ class Server {
     }
 
     initExpressMiddleWare() {
-        // app.use(session({ 
-        //     secret: 'customermanagerdemo', 
-        //     saveUninitialized: true,
-        //     resave: true }));
         app.use(cookieParser());
         app.use(bodyParser.urlencoded({ extended: true }));
         app.use(bodyParser.json());
+        app.use(session({ 
+            secret: 'customermanagerdemo', 
+            saveUninitialized: true,
+            resave: true })
+        );
         app.use(express.static(__dirname + '/public'));
         app.use(errorhandler());
-        // app.use(csrf());
+        app.use(csrf());
 
-        // app.use(function (req, res, next) {
-        //     var csrf = req.csrfToken();
-        //     res.cookie('XSRF-TOKEN', csrf);
-        //     res.locals._csrf = csrf;
-        //     next();
-        // });
+        app.use(function (req, res, next) {
+            res.locals._csrf = req.csrfToken();
+            next();
+        });
 
         process.on('uncaughtException', function (err) {
             if (err) console.log(err, err.stack);
@@ -86,8 +85,9 @@ class Server {
             //Set NODE_ENV to 'development' and uncomment the following if to only run
             //the seeder when in dev mode
             //if (process.env.NODE_ENV === 'development') {
-                seeder.init();
+            //  seeder.init();
             //} 
+            seeder.init();
         });
     }