use X-Requested-With to clearly identify api calls

ea907374 · Romain Loth · 937dff16 · ea907374 · ea907374
Commit ea907374 authored Jan 31, 2017 by Romain Loth
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 4 deletions

main.py services/main.py +5 -4

comex_lib_elts.js static/js/comex_lib_elts.js +1 -0

No files found.
--- a/services/main.py
+++ b/services/main.py
@@ -247,10 +247,9 @@ def login():
    elif request.method == 'POST':
        mlog("DEBUG", "login form received from "+request.path+", with keys:", [k for k in request.values])

-        called_as_api = False
-        if request.path != config['PREFIX'] + config['USR_ROUTE'] + '/login/':
-            # the referer is another page
-            called_as_api = True
+        # we used this custom header to mark ajax calls => called_as_api True
+        x_req_with = request.headers.get('X-Requested-With', type=str)
+        called_as_api = (x_req_with in ['XMLHttpRequest', 'MyFetchRequest'])

        # testing the captcha answer
        captcha_userinput = request.form['my-captcha']
@@ -283,6 +282,8 @@ def login():
                mlog("ERROR", "error in doors_login request")
                raise (err)

+            mlog("DEBUG", "doors_login returned id '%s'" % doors_uid)
+
            luid = doors_uid_to_luid(doors_uid)

            if luid:

--- a/static/js/comex_lib_elts.js
+++ b/static/js/comex_lib_elts.js
@@ -65,6 +65,7 @@ var cmxClt = (function(cC) {
        if (window.fetch) {
            fetch('/services/user/login/', {
                method: 'POST',
+                headers: {'X-Requested-With': 'MyFetchRequest'},
                body: formdat,
                credentials: "same-origin"  // <= this allows response's Set-Cookie
            })