core-api
diff --git a/‎lib/client.js
Lines changed: 2 additions & 2 deletions b/‎lib/client.js
Lines changed: 2 additions & 2 deletions
diff --git a/‎lib/errors.js
Lines changed: 11 additions & 1 deletion b/‎lib/errors.js
Lines changed: 11 additions & 1 deletion
diff --git a/‎lib/transports/http.js
Lines changed: 20 additions & 7 deletions b/‎lib/transports/http.js
Lines changed: 20 additions & 7 deletions
diff --git a/‎lib/utils.js
Lines changed: 7 additions & 1 deletion b/‎lib/utils.js
Lines changed: 7 additions & 1 deletion
diff --git a/‎package.json
Lines changed: 1 addition & 1 deletion b/‎package.json
Lines changed: 1 addition & 1 deletion
diff --git a/‎tests/__helpers__/utils.js
Lines changed: 3 additions & 2 deletions b/‎tests/__helpers__/utils.js
Lines changed: 3 additions & 2 deletions
diff --git a/‎tests/client.js
Lines changed: 4 additions & 4 deletions b/‎tests/client.js
Lines changed: 4 additions & 4 deletions
diff --git a/‎tests/transports/http.js
Lines changed: 53 additions & 22 deletions b/‎tests/transports/http.js
Lines changed: 53 additions & 22 deletions
@@ -22,9 +22,9 @@ function lookupLink (node, keys) {
 }
 
 class Client {
-  constructor (decoders = null, transports = null) {
+  constructor (decoders = null, transports = null, csrf = null) {
     this.decoders = decoders || [new codecs.CoreJSONCodec(), new codecs.JSONCodec(), new codecs.TextCodec()]
-    this.transports = transports || [new transportsModule.HTTPTransport()]
+    this.transports = transports || [new transportsModule.HTTPTransport(csrf)]
   }
 
   action (document, keys, params = {}) {
 
@@ -14,7 +14,17 @@ class LinkLookupError extends Error {
   }
 }
 
+class ErrorMessage extends Error {
+  constructor (message, content) {
+    super(message)
+    this.message = message
+    this.content = content
+    this.name = 'ErrorMessage'
+  }
+}
+
 module.exports = {
   ParameterError: ParameterError,
-  LinkLookupError: LinkLookupError
+  LinkLookupError: LinkLookupError,
+  ErrorMessage: ErrorMessage
 }
@@ -14,13 +14,15 @@ const parseResponse = (response, decoders) => {
 }
 
 class HTTPTransport {
-  constructor (_fetch) {
+  constructor (csrf, _fetch) {
     this.schemes = ['http', 'https']
+    this.csrf = csrf
     this.fetch = _fetch || fetch
   }
 
   action (link, decoders, params = {}) {
     const fields = link.fields
+    const method = link.method.toUpperCase()
     let queryParams = {}
     let pathParams = {}
     let formParams = {}
@@ -60,7 +62,7 @@ class HTTPTransport {
       }
     }
 
-    let options = {method: link.method}
+    let options = {method: method, headers: {}}
 
     if (hasBody) {
       if (link.encoding === 'application/json') {
@@ -86,6 +88,13 @@ class HTTPTransport {
       }
     }
 
+    if (this.csrf) {
+      options.credentials = 'same-origin'
+      if (!utils.csrfSafeMethod(method)) {
+        Object.assign(options.headers, this.csrf)
+      }
+    }
+
     let parsedUrl = urlTemplate.parse(link.url)
     parsedUrl = parsedUrl.expand(pathParams)
     parsedUrl = new URL(parsedUrl)
@@ -94,11 +103,15 @@ class HTTPTransport {
 
     return this.fetch(finalUrl, options)
       .then(function (response) {
-        if (response.ok) {
-          return parseResponse(response, decoders)
-        } else {
-          throw Error('Network response was not ok.')
-        }
+        return parseResponse(response, decoders).then(function (data) {
+          if (response.ok) {
+            return data
+          } else {
+            const title = response.status + ' ' + response.statusText
+            const error = new errors.ErrorMessage(title, data)
+            return Promise.reject(error)
+          }
+        })
       })
   }
 }
 
@@ -32,7 +32,13 @@ const negotiateDecoder = function (decoders, contentType) {
   throw Error(`Unsupported media in Content-Type header: ${contentType}`)
 }
 
+const csrfSafeMethod = function (method) {
+  // these HTTP methods do not require CSRF protection
+  return (/^(GET|HEAD|OPTIONS|TRACE)$/.test(method))
+}
+
 module.exports = {
   determineTransport: determineTransport,
-  negotiateDecoder: negotiateDecoder
+  negotiateDecoder: negotiateDecoder,
+  csrfSafeMethod: csrfSafeMethod
 }
@@ -1,6 +1,6 @@
 {
   "name": "coreapi",
-  "version": "0.0.12",
+  "version": "0.0.17",
   "description": "Javascript client library for Core API",
   "main": "lib/index.js",
   "scripts": {
 
@@ -29,16 +29,17 @@ const mockedFetch = function (responseBody, contentType, statusCode = 200) {
 
 const echo = function (url, options = {}) {
   const method = options.method
+  const headers = options.headers
   const body = options.body
 
   return new Promise((resolve, reject) => {
     const textPromise = () => {
       return new Promise((resolve, reject) => {
         let result
         if (body) {
-          result = JSON.stringify({url: url, method: method, body: body})
+          result = JSON.stringify({url: url, method: method, headers: headers, body: body})
         } else {
-          result = JSON.stringify({url: url, method: method})
         }
         process.nextTick(
           resolve(result)
 
@@ -6,7 +6,7 @@ const testUtils = require('./__helpers__/utils')
 describe('Test the Client', function () {
   it('should get the content of page (text/html)', function () {
     const fetch = testUtils.mockedFetch('Hello, world', 'text/html')
-    const transport = new transportsModule.HTTPTransport(fetch)
+    const transport = new transportsModule.HTTPTransport(null, fetch)
     const client = new coreapi.Client(null, [transport])
     const url = 'http://example.com'
 
@@ -22,7 +22,7 @@ describe('Test the Client', function () {
 
   it('should get the content of page (application/json)', function () {
     const fetch = testUtils.mockedFetch('{"text": "hello"}', 'application/json')
-    const transport = new transportsModule.HTTPTransport(fetch)
+    const transport = new transportsModule.HTTPTransport(null, fetch)
     const client = new coreapi.Client(null, [transport])
     const url = 'http://example.com'
 
@@ -38,7 +38,7 @@ describe('Test the Client', function () {
 
   it('action should get the content of page (application/json)', function () {
     const fetch = testUtils.mockedFetch('{"text": "hello"}', 'application/json')
-    const transport = new transportsModule.HTTPTransport(fetch)
+    const transport = new transportsModule.HTTPTransport(null, fetch)
     const client = new coreapi.Client(null, [transport])
     const document = new coreapi.Document('', '', '', {nested: {link: new coreapi.Link('http://example.com', 'get')}})
 
@@ -54,7 +54,7 @@ describe('Test the Client', function () {
 
   it('action should raise an error for invalid link keys', function () {
     const fetch = testUtils.mockedFetch('{"text": "hello"}', 'application/json')
-    const transport = new transportsModule.HTTPTransport(fetch)
+    const transport = new transportsModule.HTTPTransport(null, fetch)
     const client = new coreapi.Client(null, [transport])
     const document = new coreapi.Document('', '', '', {nested: {link: new coreapi.Link('http://example.com', 'get')}})
 
 
@@ -10,7 +10,7 @@ describe('Test the HTTPTransport', function () {
   it('should check the action function of an HTTP transport (text/html)', function () {
     const url = 'http://www.example.com/'
     const link = new document.Link(url, 'get')
-    const transport = new transports.HTTPTransport(testUtils.mockedFetch('Hello, world', 'text/html'))
+    const transport = new transports.HTTPTransport(null, testUtils.mockedFetch('Hello, world', 'text/html'))
 
     return transport.action(link, decoders)
       .then((res) => {
@@ -21,7 +21,7 @@ describe('Test the HTTPTransport', function () {
   it('should check the action function of an HTTP transport (json)', function () {
     const url = 'http://www.example.com/'
     const link = new document.Link(url, 'get')
-    const transport = new transports.HTTPTransport(testUtils.mockedFetch('{"text": "Hello, world"}', 'application/json'))
+    const transport = new transports.HTTPTransport(null, testUtils.mockedFetch('{"text": "Hello, world"}', 'application/json'))
 
     return transport.action(link, decoders)
       .then(res => expect(res).toEqual({text: 'Hello, world'}))
@@ -40,117 +40,148 @@ describe('Test the HTTPTransport', function () {
     const url = 'http://www.example.com/'
     const fields = [new document.Field('firstField', true, 'form'), new document.Field('secondField', true, 'form')]
     const link = new document.Link(url, 'post', 'application/x-www-form-urlencoded', fields)
-    const transport = new transports.HTTPTransport(testUtils.echo)
+    const transport = new transports.HTTPTransport(null, testUtils.echo)
     const params = {
       firstField: 'hello',
       secondField: 'world'
     }
 
     return transport.action(link, decoders, params)
       .then(res => expect(res).toEqual({
-        body: 'firstField=hello&secondField=world',
-        method: 'post',
-        url: 'http://www.example.com/'
+        url: 'http://www.example.com/',
+    
10000
    method: 'POST',
+        headers: {
+          'Content-Type': 'application/x-www-form-urlencoded'
+        },
+        body: 'firstField=hello&secondField=world'
       }))
   })
 
   it('should check the action function of an HTTP transport (network fail)', function () {
     const url = 'http://www.example.com/'
     const link = new document.Link(url, 'get')
-    const transport = new transports.HTTPTransport(testUtils.mockedFetch('ERROR', 'text/html', 500))
+    const transport = new transports.HTTPTransport(null, testUtils.mockedFetch('ERROR', 'text/html', 500))
 
-    expect(transport.action(link, decoders).then(() => {}).catch(() => {})).toThrow()
+    return transport.action(link, decoders)
+      .catch(function (result) {
+        expect(result.message).toEqual('500 BAD REQUEST')
+        expect(result.content).toEqual('ERROR')
+      })
   })
 
   it('should check the action function of an HTTP transport (json) with query params', function () {
     const url = 'http://www.example.com/'
     const fields = [new document.Field('page', false, 'query')]
     const link = new document.Link(url, 'get', 'application/json', fields)
-    const transport = new transports.HTTPTransport(testUtils.echo)
+    const transport = new transports.HTTPTransport(null, testUtils.echo)
     const params = {
       page: 23
     }
 
     return transport.action(link, decoders, params)
       .then((res) => {
-        expect(res).toEqual({url: 'http://www.example.com/?page=23', method: 'get'})
+        expect(res).toEqual({url: 'http://www.example.com/?page=23', headers: {}, method: 'GET'})
       })
   })
 
   it('should check the action function of an HTTP transport (json) with path params', function () {
     const url = 'http://www.example.com/{user}/'
     const fields = [new document.Field('user', true, 'path')]
     const link = new document.Link(url, 'get', 'application/json', fields)
-    const transport = new transports.HTTPTransport(testUtils.echo)
+    const transport = new transports.HTTPTransport(null, testUtils.echo)
     const params = {
       user: 23
     }
 
     return transport.action(link, decoders, params)
       .then((res) => {
-        expect(res).toEqual({url: 'http://www.example.com/23/', method: 'get'})
+        expect(res).toEqual({url: 'http://www.example.com/23/', headers: {}, method: 'GET'})
       })
   })
 
   it('should check the action function of an HTTP transport (json) with post request', function () {
     const url = 'http://www.example.com/'
     const link = new document.Link(url, 'post')
-    const transport = new transports.HTTPTransport(testUtils.echo)
+    const transport = new transports.HTTPTransport(null, testUtils.echo)
+
+    return transport.action(link, decoders)
+      .then((res) => {
+        expect(res).toEqual({url: 'http://www.example.com/', headers: {}, method: 'POST'})
+      })
+  })
+
+  it('CSRF should be included with POST requests.', function () {
+    const url = 'http://www.example.com/'
+    const link = new document.Link(url, 'post')
+    const csrf = {'X-CSRFToken': 'abc'}
+    const transport = new transports.HTTPTransport(csrf, testUtils.echo)
+
+    return transport.action(link, decoders)
+      .then((res) => {
+        expect(res).toEqual({url: 'http://www.example.com/', headers: {'X-CSRFToken': 'abc'}, method: 'POST'})
+      })
+  })
+
+  it('CSRF should not be included with GET requests.', function () {
+    const url = 'http://www.example.com/'
+    const link = new document.Link(url, 'get')
+    const csrf = {'X-CSRFToken': 'abc'}
+    const transport = new transports.HTTPTransport(csrf, testUtils.echo)
 
     return transport.action(link, decoders)
       .then((res) => {
-        expect(res).toEqual({url: 'http://www.example.com/', method: 'post'})
+        expect(res).toEqual({url: 'http://www.example.com/', headers: {}, method: 'GET'})
       })
   })
 
   it('should check the action function of an HTTP transport (json) with post request and form parameters', function () {
     const url = 'http://www.example.com/'
     const fields = [new document.Field('hello', true, 'form')]
     const link = new document.Link(url, 'post', 'application/json', fields)
-    const transport = new transports.HTTPTransport(testUtils.echo)
+    const transport = new transports.HTTPTransport(null, testUtils.echo)
     const params = {
       hello: 'world'
     }
 
     return transport.action(link, decoders, params)
       .then((res) => {
-        expect(res).toEqual({url: 'http://www.example.com/', method: 'post', body: JSON.stringify({hello: 'world'})})
+        expect(res).toEqual({url: 'http://www.example.com/', method: 'POST', headers: {'Content-Type': 'application/json'}, body: JSON.stringify({hello: 'world'})})
       })
   })
 
   it('should check the action function of an HTTP transport (json) with post request and a body parameter', function () {
     const url = 'http://www.example.com/'
     const fields = [new document.Field('hello', true, 'body')]
     const link = new document.Link(url, 'post', 'application/json', fields)
-    const transport = new transports.HTTPTransport(testUtils.echo)
+    const transport = new transports.HTTPTransport(null, testUtils.echo)
     const params = {
       hello: 'world'
     }
 
     return transport.action(link, decoders, params)
       .then((res) => {
-        expect(res).toEqual({url: 'http://www.example.com/', method: 'post', body: JSON.stringify('world')})
+        expect(res).toEqual({url: 'http://www.example.com/', method: 'POST', headers: {'Content-Type': 'application/json'}, body: JSON.stringify('world')})
       })
   })
 
   it('should check the action function of an HTTP transport (json) with missing optional query params', function () {
     const url = 'http://www.example.com/'
     const fields = [new document.Field('page', false, 'query')]
     const link = new document.Link(url, 'get', 'application/json', fields)
-    const transport = new transports.HTTPTransport(testUtils.echo)
+    const transport = new transports.HTTPTransport(null, testUtils.echo)
     const params = {}
 
     return transport.action(link, decoders, params)
       .then((res) => {
-        expect(res).toEqual({url: 'http://www.example.com/', method: 'get'})
+        expect(res).toEqual({url: 'http://www.example.com/', headers: {}, method: 'GET'})
       })
   })
 
   it('should check the action function of an HTTP transport (json) with missing required parameter', function () {
     const url = 'http://www.example.com/{user}/'
     const fields = [new document.Field('user', true, 'path')]
     const link = new document.Link(url, 'get', 'application/json', fields)
-    const transport = new transports.HTTPTransport(testUtils.echo)
+    const transport = new transports.HTTPTransport(null, testUtils.echo)
     const params = {}
 
     const callTransport = () => transport.action(link, decoders, params)
@@ -160,7 +191,7 @@ describe('Test the HTTPTransport', function () {
   it('should check the action function of an HTTP transport (json) with unknown paramater', function () {
     const url = 'http://www.example.com/'
     const link = new document.Link(url, 'get')
-    const transport = new transports.HTTPTransport(testUtils.echo)
+    const transport = new transports.HTTPTransport(null, testUtils.echo)
     const params = {
       hello: 'world'
     }
Original file line number	Diff line number	Diff line change
`@@ -22,9 +22,9 @@ function lookupLink (node, keys) {`
`22`	`22`	`}`
`23`	`23`
`24`	`24`	`class Client {`
`25`		`- constructor (decoders = null, transports = null) {`
	`25`	`+ constructor (decoders = null, transports = null, csrf = null) {`
`26`	`26`	`this.decoders = decoders \|\| [new codecs.CoreJSONCodec(), new codecs.JSONCodec(), new codecs.TextCodec()]`
`27`		`- this.transports = transports \|\| [new transportsModule.HTTPTransport()]`
	`27`	`+ this.transports = transports \|\| [new transportsModule.HTTPTransport(csrf)]`
`28`	`28`	`}`
`29`	`29`
`30`	`30`	`action (document, keys, params = {}) {`
Original file line number	Diff line number	Diff line change
`@@ -14,7 +14,17 @@ class LinkLookupError extends Error {`
`14`	`14`	`}`
`15`	`15`	`}`
`16`	`16`
	`17`	`+class ErrorMessage extends Error {`
	`18`	`+ constructor (message, content) {`
	`19`	`+ super(message)`
	`20`	`+ this.message = message`
	`21`	`+ this.content = content`
	`22`	`+ this.name = 'ErrorMessage'`
	`23`	`+ }`
	`24`	`+}`
	`25`	`+`
`17`	`26`	`module.exports = {`
`18`	`27`	`ParameterError: ParameterError,`
`19`		`- LinkLookupError: LinkLookupError`
	`28`	`+ LinkLookupError: LinkLookupError,`
	`29`	`+ ErrorMessage: ErrorMessage`
`20`	`30`	`}`
Original file line number	Diff line number	Diff line change
`@@ -32,7 +32,13 @@ const negotiateDecoder = function (decoders, contentType) {`
`32`	`32`	throw Error(`Unsupported media in Content-Type header: ${contentType}`)
`33`	`33`	`}`
`34`	`34`
	`35`	`+const csrfSafeMethod = function (method) {`
	`36`	`+ // these HTTP methods do not require CSRF protection`
	`37`	`+ return (/^(GET\|HEAD\|OPTIONS\|TRACE)$/.test(method))`
	`38`	`+}`
	`39`	`+`
`35`	`40`	`module.exports = {`
`36`	`41`	`determineTransport: determineTransport,`
`37`		`- negotiateDecoder: negotiateDecoder`
	`42`	`+ negotiateDecoder: negotiateDecoder,`
	`43`	`+ csrfSafeMethod: csrfSafeMethod`
`38`	`44`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "coreapi",`
`3`		`- "version": "0.0.12",`
	`3`	`+ "version": "0.0.17",`
`4`	`4`	`"description": "Javascript client library for Core API",`
`5`	`5`	`"main": "lib/index.js",`
`6`	`6`	`"scripts": {`