authorShawn O. Pearce <sop@google.com>2009-08-01 12:29:48 -0700
committerShawn O. Pearce <sop@google.com>2009-08-01 12:29:48 -0700
commitcf5d93934a1e71c74fc3dcf27c7fd49557446993 (patch)
treea37ebff9f35e46c710e025ce74c3970222a85469
parent031518ca0cdbddacb29c365669510b6c302203fd (diff)
downloadgwtjsonrpc-cf5d93934a1e71c74fc3dcf27c7fd49557446993.tar.gz
Allow the ActiveCall to manage the XSRF token for the current request
This permits reusing this logic in other contexts, like outside of the JsonServlet call processing, but in an application that still relies heavily upon it. Signed-off-by: Shawn O. Pearce <sop@google.com>
-rw-r--r--src/main/java/com/google/gwtjsonrpc/server/ActiveCall.java36
-rw-r--r--src/main/java/com/google/gwtjsonrpc/server/JsonServlet.java17
2 files changed, 38 insertions, 15 deletions
diff --git a/src/main/java/com/google/gwtjsonrpc/server/ActiveCall.java b/src/main/java/com/google/gwtjsonrpc/server/ActiveCall.java
index 1461a80..d2f9a48 100644
--- a/src/main/java/com/google/gwtjsonrpc/server/ActiveCall.java
+++ b/src/main/java/com/google/gwtjsonrpc/server/ActiveCall.java
@@ -30,6 +30,7 @@ public class ActiveCall implements AsyncCallback<Object> {
protected final HttpServletRequest httpRequest;
protected final HttpServletResponse httpResponse;
JsonElement id;
+ SignedToken xsrf;
String xsrfKeyIn;
String xsrfKeyOut;
boolean xsrfValid;
@@ -178,6 +179,10 @@ public class ActiveCall implements AsyncCallback<Object> {
return params;
}
+ public void setXsrfSignedToken(final SignedToken t) {
+ xsrf = t;
+ }
+
public final String getXsrfKeyIn() {
return xsrfKeyIn;
}
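Review bot: `setXsrfSignedToken` becomes the only public way for code outside this package to supply the token implementation that `xsrfValidate()` relies on, yet it carries no Javadoc stating that contract or that it must be called before validation. A short comment such as `/** Sets the signed-token implementation used by xsrfValidate(); must be called before that method. */` would make the new extension point usable without reading JsonServlet. Accepting a null argument here silently defers the failure to the validate call; rejecting it up front with `if (t == null) throw new IllegalArgumentException("xsrf token required");` would be stricter.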
@@ -186,6 +191,10 @@ public class ActiveCall implements AsyncCallback<Object> {
xsrfKeyOut = out;
}
+ public final String getXsrfKeyOut() {
+ return xsrfKeyOut;
+ }
+
public final boolean isXsrfValid() {
return xsrfValid;
}
@@ -200,6 +209,33 @@ public class ActiveCall implements AsyncCallback<Object> {
}
/**
+ * Verify the XSRF token submitted is valid.
+ * <p>
+ * By default this method validates the token, and refreshes it with a new
+ * token for the currently authenticated user.
+ *
+ * @return true if the token was supplied and is valid; false otherwise.
+ * @throws XsrfException the token could not be validated due to an error that
+ * the client cannot recover from.
+ */
+ public boolean xsrfValidate() throws XsrfException {
+ final String username = getUser();
+ final StringBuilder b = new StringBuilder();
+ if (username != null) {
+ b.append("user/");
+ b.append(username);
+ } else {
+ b.append("anonymous");
+ }
+ final String userpath = b.toString();
+ final ValidToken t = xsrf.checkToken(getXsrfKeyIn(), userpath);
+ if (t == null || t.needsRefresh()) {
+ setXsrfKeyOut(xsrf.newToken(userpath));
+ }
+ return t != null;
+ }
+
+ /**
* @return true if this call has something to send to the client; false if the
* call still needs to be computed further in order to come up with a
* success return value or a failure
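Review bot: `xsrfValidate()` dereferences the `xsrf` field at `xsrf.checkToken(...)` without checking that it was ever set, and since this commit exists so the method can run outside `JsonServlet` (the only caller shown assigning the field), a caller that skips `setXsrfSignedToken` gets a bare NullPointerException from inside token checking instead of a diagnosable error. A guard at the top of the method is cheap: `if (xsrf == null) { throw new IllegalStateException("setXsrfSignedToken must be called before xsrfValidate"); }`. The Javadoc could also say that on a missing or invalid token the method returns false and `getXsrfKeyOut()` then holds the replacement token the caller is expected to return to the client, since that is the only way a caller learns about the refresh. Note the method does not update the `xsrfValid` field declared in the first hunk; whether the servlet sets it elsewhere is not visible here.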
diff --git a/src/main/java/com/google/gwtjsonrpc/server/JsonServlet.java b/src/main/java/com/google/gwtjsonrpc/server/JsonServlet.java
index 711fcbe..a0ea667 100644
--- a/src/main/java/com/google/gwtjsonrpc/server/JsonServlet.java
+++ b/src/main/java/com/google/gwtjsonrpc/server/JsonServlet.java
@@ -183,21 +183,7 @@ public abstract class JsonServlet<CallType extends ActiveCall> extends
* the client cannot recover from.
*/
protected boolean xsrfValidate(final CallType call) throws XsrfException {
- final HttpServletRequest req = call.httpRequest;
- final String username = call.getUser();
- final StringBuilder b = new StringBuilder();
- if (username != null) {
- b.append("user/");
- b.append(username);
- } else {
- b.append("anonymous");
- }
- final String userpath = b.toString();
- final ValidToken t = xsrf.checkToken(call.getXsrfKeyIn(), userpath);
- if (t == null || t.needsRefresh()) {
- call.setXsrfKeyOut(xsrf.newToken(userpath));
- }
- return t != null;
+ return call.xsrfValidate();
}
/**
@@ -264,6 +250,7 @@ public abstract class JsonServlet<CallType extends ActiveCall> extends
final HttpServletResponse resp) throws IOException {
try {
final CallType call = createActiveCall(req, resp);
+ call.xsrf = xsrf;
call.noCache();
if (!acceptJSON(call)) {
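Review bot: `call.xsrf = xsrf;` writes the package-private field directly even though this same commit adds `setXsrfSignedToken(SignedToken)` for exactly this purpose; use `call.setXsrfSignedToken(xsrf);` so there is a single assignment path and the field can later be made private. Routing every write through the setter also means an `ActiveCall` subclass returned by `createActiveCall` in another package sees the same contract as the servlet. The enclosing service method continues past the hunk.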