Version 0.4.3 of Braindump, I Need More Functional Tests.

August 30, 2016 | programming | python | projects |

Yesterday, I shipped a new release of braindump. It was awesome. Until I tried to use it this morning and realized that notes were no longer being saved when you edit them. So today I cut a new release that fixes that bug, as well as implementing a new feature where you can see what notes you have shared in the past. This also addresses an issue with sharing notes, so you should be able to send notes via email again. Normally, when a product is being released on a regular cadence it is exciting. In this case, it just means that I really need more functional tests.

Post Mortem of Note Saving Bug

For those who are curious, I will document what happened in the hopes that it does not affect others in the future. Braindump was originally written using WTForms, which has CSRF protection built in so you don't have to think about it. Recently, I have begun transitioning away from WTForms in lieu of regular forms that are submitted via AJAX. The most visible benefit is that you can see and edit all of your notes from the main page, instead of having to click into each note in order to edit it. After switching to AJAX, I quickly realized that I was no longer sending a CSRF token with POST and PUT requests, which is probably a bad thing. I enabled it in the previous release. Even though I got this to work in the login and registration modal (which are true forms), I didn't consider the PUT request when editing a note. This is not a form at all, but a method that fires whenever you stop typing. Naturally, since there was no token and the endpoint was not marked as exempt, the response was a 400 error (missing CSRF token). My solution was to add the token as a meta tag to every page, and then send it along in the request headers of the AJAX call.

Enable CSRF

// app/__init__.py
csrf = CsrfProtect()
def create_app(config_name):
…
csrf.init_app(app)
…
return app

Token in the Header

// app/templates/app/app_base.html
// This works because csrf_token() is in the global scope.
<meta name=“csrf-token” content="  csrf_token() " />

AJAX Method to add the token before sending the PUT request.

// frontend/js/src/braindump.editor.js
saveNote: function(id, content) {
    var csrftoken = $('meta[name=csrf-token]').attr('content')

    $.ajax({
            beforeSend: function(xhr) {
                    xhr.setRequestHeader("X-CSRFToken", csrftoken)
            },
            url: `/edit/<span class="cp">${</span><span class="nb">id</span><span class="cp">}</span>`,
            data: JSON.stringify({
                    'body': content,
            }),
            contentType: 'application/json',
            type: 'PUT',
            success: function (response) {
                    console.log(response);
            },
            error: function (error) {
                    console.error(error);
            }
    });

},

Everything now works fine, and in the future if I need to make more AJAX calls, the token will be available in the meta of each page. This would have been easily caught if I had had even a single functional test. I hope to have something in place over the next few days so that I stop shipping breaking changes. Braindump is still very beta level software. Once we make it past the 1.0 release, I will have close to 100% code coverage, full functional test suite, and develop a steady pace for incremental improvements so that there are no more surprises like this one in the future.

Thank you for reading! Share your thoughts with me on bluesky, mastodon, or via email.

Check out some more stuff to read down below.

Most popular posts this month

Recent Favorite Blog Posts

This is a collection of the last 8 posts that I bookmarked.

Pluralistic: LLMs are slot-machines (16 Aug 2025) from Pluralistic: Daily links from Cory Doctorow
Pluralistic: Bluesky creates the world's weirdest, hardest-to-understand binding arbitration clause (15 Aug 2025) from Pluralistic: Daily links from Cory Doctorow
Just a Little More Context Bro, I Promise, and It’ll Fix Everything from Jim Nielsen’s Blog
The Futzing Fraction from Deciphering Glyph
Sit On Your Ass Web Development from Jim Nielsen’s Blog
c10kday from daniel.haxx.se
Pluralistic: AI's pogo-stick grift (02 Aug 2025) from Pluralistic: Daily links from Cory Doctorow
Why don't smart watches use USB-C to recharge? from Terence Eden’s Blog

Articles from blogs I follow around the net

Pluralistic: Become unoptimizable (20 Aug 2025)

Today's links Become unoptimizable: Twiddle or be twiddled. Hey look at this: Delights to delectate. Object permanence: Penguins v Microsoft in the EU; Chastity belts are a joke; Austerity breeds Nazis, Yale says, "Prepare for death." Upcoming…

via Pluralistic: Daily links from Cory Doctorow August 20, 2025

Theatre Review: Sluts With Consoles ★★★★⯪

Let's see if this post makes it through the spam filters! Sluts With Consoles is a brilliant two-hander. Girly-twirly pick-me Player One and Gothy just-one-of-the-boys Player Two are locked in mortal - and emotional - combat. They represent the duali…

via Terence Eden’s Blog August 20, 2025

Embedding Wren in Hare

I’ve been on the lookout for a scripting language which can be neatly embedded into Hare programs. Perhaps the obvious candidate is Lua – but I’m not particularly enthusiastic about it. When I was evaluating the landscape of tools which are “like Lua, but no…

via Drew DeVault's blog August 20, 2025

Generated by openring